Solved

Resolving Credentials for Dynamic Folders

I'm working on a Dynamic Folder script in PowerShell that is used to connect to computers using Windows LAPS credentials. I create a Dynamic Credential and assign it to every connection.


My problem comes when I need to resolve the dynamic credentials. In order to look up the credentials for an AD computer I need to supply a PSCredential object that has permission to get the credentials.


I attempted to do this by setting a credential for the Dynamic Folder object itself. When I try to reference this credential using EffectiveUsername and EffectivePassword, both fields are blank for every configuration except one. The options "Do not use any credentials", "Use credentials from the parent folder", "Use an existing credential", and "Specify a credential name" all result in the effective credentials being blank. Only the "Specify username and password" option leads to the fields having values.


However, the needed credentials already exist elsewhere, so I don't want to duplicate them within the Dynamic Folder, only to reference them. It seems that Royal TS is not resolving the credential before running the script.


Is there a way to do this? Here is the Dynamic Credential Script for reference:


$ErrorActionPreference = "Stop"
Import-Module LAPS

$User = $EffectiveUsername$
$PassSec = $EffectivePassword$

$MyCredential = New-Object System.Management.Automation.PSCredential($User,$PassSec)

$LAPSCred = Get-LapsADPassword -Identity '$Target.Name$' -Credential $MyCredential -DecryptionCredential $MyCredential -AsPlainText

$Output = [pscustomobject]@{
	Username = $($LAPSCred.Account)
	Password = $($LAPSCred.Password)
}

$Output | ConvertTo-JSON -Depth 100 | Write-Output





It doesn't seem like I can edit my original post, but I made some small corrections to the code. It still doesn't resolve credentials, though.



$ErrorActionPreference = "Stop"
Import-Module LAPS

# Royal TS replaces the $...$ tokens with the folder's effective credential before the script runs
$User = "$EffectiveUsername$"
# -Force is required by Windows PowerShell 5.1 when converting plain text to a SecureString
$PassSec = ("$EffectivePassword$" | ConvertTo-SecureString -AsPlainText -Force)

$MyCredential = New-Object System.Management.Automation.PSCredential($User,$PassSec)

$LAPSCred = Get-LapsADPassword -Identity '$Target.Name$' -Credential $MyCredential -DecryptionCredential $MyCredential -AsPlainText

# Royal TS reads Username and Password from the JSON; ".\" marks the managed local account.
# PowerShell does not treat backslash as an escape, and ConvertTo-Json escapes it for JSON,
# so a single backslash is what is needed here.
$Output = [pscustomobject]@{
	Username = ".\$($LAPSCred.Account)"
	Password = "$($LAPSCred.Password)"
}

$Output | ConvertTo-Json -Depth 100 | Write-Output


Hi Ramon,


I just did some tests and this is working fine on my side. Is it possible that you are referring to a credential which is located in a document where lockdown is enabled?


Regards,
Stefan

Lockdown is not enabled. However, the credential I'm trying to use is, itself, resolved through a Dynamic Folder which looks it up in my Keeper vault. I don't know why I didn't think to test it with a directly made credential, but when I did, I could see that it is not resolving the first Dynamic Credential from Keeper even though it does see it.


In the screenshot you can see that the local credential does show the username (redacted) while the dynamic version of the same credential does not.





I can modify the LAPS credential script to directly get the credentials from Keeper, but I was hoping to keep it generic to any type of credential. Maybe cascading dynamic credentials could be a feature request?

I see. That explains the issue. Cascading dynamic credentials is not supported and we do not have plans at the moment to implement that. Feel free to submit a feature request in the Ideas forum though. Depending on demand and available resources, we might be able to do something like that.


Regards,
Stefan

Thanks for your input!

Hello @Ramon Medina,


I am currently working on integrating LAPS too.
May I ask if I am allowed to use your script?

Certainly. I'll get around to submitting it to git eventually, but here it is for now. You should be able to comment out the Keeper-specific portion and uncomment the non-Keeper block.


Some things to note: the username you provide (in a separate credential object) must be in the format DOMAIN\username, and the user must have permission to read LAPS passwords. You provide the name of this credential in the custom properties of this Dynamic Folder.


Also, this only works with the "new" iteration of LAPS that was released last year for Windows 11, Windows 10 22H2, and Windows Server 2019 or later. The previous version of LAPS uses different PowerShell commands.


(attachment: .rdfx file)
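A stricter version of the Dynamic Credential script, added here as an example rather than taken from Ramon's post or from Royal TS: it stops with a clear message when the replacement tokens arrive blank (the symptom discussed above), checks the DOMAIN\username requirement and the presence of the Windows LAPS cmdlet, and otherwise follows the same Get-LapsADPassword flow. The token names and the JSON shape are the ones used in this thread; the Assert-Resolved helper is my own.

```powershell
$ErrorActionPreference = 'Stop'

# Royal TS substitutes these tokens before the script runs (token names as used in the thread).
# Single quotes keep PowerShell from expanding anything after substitution; a password that
# itself contains a single quote would still need escaping.
$User   = '$EffectiveUsername$'
$Pass   = '$EffectivePassword$'
$Target = '$Target.Name$'

function Assert-Resolved {
    param([string]$Name, [string]$Value)
    # An unresolved token arrives either empty or as the literal '$Token$' text.
    if ([string]::IsNullOrWhiteSpace($Value) -or $Value -match '^\$\w[\w.]*\$$') {
        throw "Royal TS did not resolve $Name; assign a directly created credential to the folder."
    }
}

Assert-Resolved -Name 'EffectiveUsername' -Value $User
Assert-Resolved -Name 'EffectivePassword' -Value $Pass
Assert-Resolved -Name 'Target.Name'       -Value $Target

# The lookup account must be DOMAIN\username and must be allowed to read LAPS passwords.
if ($User -notmatch '^[^\\]+\\[^\\]+$') {
    throw "Lookup account must be in DOMAIN\username form, got '$User'."
}

# Only Windows LAPS (Windows 11, 10 22H2, Server 2019+) provides Get-LapsADPassword;
# legacy LAPS uses different cmdlets, so fail with a clear message rather than a parse error.
Import-Module LAPS -ErrorAction SilentlyContinue
if (-not (Get-Command Get-LapsADPassword -ErrorAction SilentlyContinue)) {
    throw 'Get-LapsADPassword not found: the Windows LAPS module is required.'
}

$PassSec      = ConvertTo-SecureString -String $Pass -AsPlainText -Force
$MyCredential = New-Object System.Management.Automation.PSCredential($User, $PassSec)

$LAPSCred = Get-LapsADPassword -Identity $Target -Credential $MyCredential `
    -DecryptionCredential $MyCredential -AsPlainText

if (-not $LAPSCred -or [string]::IsNullOrEmpty($LAPSCred.Password)) {
    throw "No LAPS password returned for '$Target'; check the lookup account's read permission."
}

# Royal TS reads Username and Password from the JSON; '.\' marks the managed local account.
[pscustomobject]@{
    Username = ".\$($LAPSCred.Account)"
    Password = $LAPSCred.Password
} | ConvertTo-Json -Depth 100
```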

Thank you very much!
I am unsure what the "Keeper-specific" portion is meant to be. The objects already get added, but the credentials fail with the "Please set this Powershell Secrets Vault credentials for this object" error.


I will have to read into these PowerShell secrets and set them up properly - these are new to me :)

You can comment out the Keeper-specific portion and uncomment the general portion. We use Keeper password manager, so that is what I'm using to look up credentials. But if you don't use Keeper you can comment it out or remove that section and the import statements for it.

Sorry, I meant the powershell password vault portion (we use Keeper with that). If you import the attached one and then just assign Royal credentials to it, it should work for you.

(attachment: .rdfx file)

I see, I didn't know Keeper so that confused me a little bit. Thank you very much!!!
