Solved

Resolving Credentials for Dynamic Folders

I'm working on a Dynamic Folder script in PowerShell that is used to connect to computers using Windows LAPS credentials. I create a Dynamic Credential and assign it to every connection.


My problem comes when I need to resolve the dynamic credentials. In order to look up the credentials for an AD computer I need to supply a PSCredential object that has permission to get the credentials.


I attempted to do this by setting a credential for the Dynamic Folder object itself. When I try to reference this credential using EffectiveUsername and EffectivePassword, both fields are blank for every configuration except one. The options "Do not use any credentials", "Use credentials from the parent folder", "Use an existing credential", and "Specify a credential name" all result in the effective credentials being blank. Only the "Specify username and password" option leads to the fields having values.


However, the needed credentials already exist elsewhere, so I don't want to duplicate them within the Dynamic Folder, only to reference them. It seems that Royal TS is not resolving the credential before running the script.


Is there a way to do this? Here is the Dynamic Credential Script for reference:


$ErrorActionPreference = "Stop"
Import-Module LAPS

# Royal TS replacement tokens for the credential assigned to the Dynamic Folder
# (this first version leaves them unquoted; the corrected script is further down).
$User = $EffectiveUsername$
$PassSec = $EffectivePassword$

$MyCredential = New-Object System.Management.Automation.PSCredential($User,$PassSec)

# Look up the Windows LAPS managed local admin password for the target computer.
$LAPSCred = Get-LapsADPassword -Identity '$Target.Name$' -Credential $MyCredential -DecryptionCredential $MyCredential -AsPlainText

# Royal TS expects a JSON object with Username and Password.
$Output = [pscustomobject]@{
    Username = $($LAPSCred.Account)
    Password = $($LAPSCred.Password)
}

$Output | ConvertTo-Json -Depth 100 | Write-Output





It doesn't seem like I can edit my original post, but I made some small corrections to the code. It still doesn't resolve credentials, though.



$ErrorActionPreference = "Stop"
Import-Module LAPS

# $EffectiveUsername$ / $EffectivePassword$ are Royal TS replacement tokens,
# substituted before the script runs; quoting them keeps the script valid
# even when they expand to an empty string.
$User = "$EffectiveUsername$"
# -Force is required on Windows PowerShell 5.1 (optional on PowerShell 7+).
$PassSec = ("$EffectivePassword$" | ConvertTo-SecureString -AsPlainText -Force)

$MyCredential = New-Object System.Management.Automation.PSCredential($User, $PassSec)

# Look up the Windows LAPS managed local admin password for the target computer.
$LAPSCred = Get-LapsADPassword -Identity '$Target.Name$' -Credential $MyCredential -DecryptionCredential $MyCredential -AsPlainText

# Royal TS expects a JSON object with Username and Password.
$Output = [pscustomobject]@{
    # The backslash is not an escape character in PowerShell, so a single ".\"
    # is enough; ConvertTo-Json escapes it correctly in the JSON output.
    Username = ".\$($LAPSCred.Account)"
    Password = "$($LAPSCred.Password)"
}

$Output | ConvertTo-Json -Depth 100 | Write-Output
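
An added example (not the poster's script and not Royal TS code) that wraps the same Windows LAPS lookup in a hypothetical helper and fails with a readable message when the effective credential tokens arrive blank, which is the symptom in this thread; it assumes the same Royal TS replacement tokens and the LAPS module used above.

```powershell
$ErrorActionPreference = "Stop"
Import-Module LAPS

# Resolved Royal TS tokens (substituted before the script runs).
$ResolvedUser = "$EffectiveUsername$"
$ResolvedPass = "$EffectivePassword$"
$TargetName   = '$Target.Name$'

function Get-LapsDynamicCredential {
    # Hypothetical helper name; not part of Royal TS or the LAPS module.
    param(
        [string]$User,
        [string]$Password,
        [string]$Target
    )

    # The failure mode from this thread: the referenced credential did not
    # resolve, so both tokens are empty. Fail early with a clear message
    # instead of letting PSCredential or Get-LapsADPassword throw something obscure.
    if ([string]::IsNullOrEmpty($User) -or [string]::IsNullOrEmpty($Password)) {
        throw "Effective credential did not resolve for this Dynamic Folder (username or password is empty); check the credential assigned to the folder."
    }
    if ([string]::IsNullOrWhiteSpace($Target)) {
        throw "Target computer name is empty."
    }

    $Secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $Lookup = New-Object System.Management.Automation.PSCredential($User, $Secure)

    # Read and decrypt the managed local admin password with the lookup account.
    $Laps = Get-LapsADPassword -Identity $Target -Credential $Lookup -DecryptionCredential $Lookup -AsPlainText
    if (-not $Laps -or [string]::IsNullOrEmpty($Laps.Password)) {
        throw "No LAPS password returned for '$Target' (none stored, or the lookup account lacks read/decrypt rights)."
    }

    # Royal TS expects a JSON object with Username and Password; the account is
    # local to the target, hence the ".\" prefix (single backslash in PowerShell).
    return [pscustomobject]@{
        Username = ".\$($Laps.Account)"
        Password = $Laps.Password
    }
}

Get-LapsDynamicCredential -User $ResolvedUser -Password $ResolvedPass -Target $TargetName |
    ConvertTo-Json -Depth 100 | Write-Output
```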


Hi Ramon,


I just did some tests and this is working fine on my side. Is it possible that you are referring to a credential which is located in a document where lockdown is enabled?


Regards,
Stefan

Lockdown is not enabled. However, the credential I'm trying to use is, itself, resolved through a Dynamic Folder which looks it up in my Keeper vault. I don't know why I didn't think to test it with a directly made credential, but when I did I can see that it is not resolving the first Dynamic Credential from Keeper even though it does see it.


In the screenshot you can see that the local credential does show the username (redacted) while the dynamic version of the same credential does not.


[screenshot]



I can modify the LAPS credential script to directly get the credentials from Keeper, but I was hoping to keep it generic to any type of credential. Maybe cascading dynamic credentials could be a feature request?

I see. That explains the issue. Cascading dynamic credentials is not supported and we do not have plans at the moment to implement that. Feel free to submit a feature request in the Ideas forum though. Depending on demand and available resources, we might be able to do something like that.


Regards,
Stefan

Thanks for your input!
