Managing your users’ cached credentials with PowerShell

One of the more frustrating things about modern computing is that nearly every resource that a user accesses requires a password, and ideally (at least from a security standpoint) users should be using a different password for each resource. The Windows 10 Credential Manager is Microsoft’s attempt at making life a little bit easier for end-users. The Credential Manager allows users to cache both web passwords and credentials for Windows resources. That way, users don’t have to enter their password every single time that they access a resource. Of course, there are any number of reasons why an admin may wish to maintain a bit of control over the Credential Manager. An admin might, for instance, want to prevent users from caching the credentials associated with a particular resource.

PowerShell is perhaps the best tool for regulating Credential Manager at scale. Unfortunately, Windows 10 does not include any Credential Manager-related PowerShell cmdlets. Thankfully, Dave Garnar has created a PowerShell module for Credential Manager and made the module available through the PowerShell gallery.

Using the Credential Manager PowerShell module

To use this module, open an elevated PowerShell window and then enter the following command:

Install-Module -Name Credential Manager

This command will install the Credential Manager module without you having to manually download anything. You can see what the process looks like in the screenshot below.

Unfortunately, there isn’t a lot of documentation that comes with the Credential Manager module (at least not that I have been able to find). Even so, the module is relatively easy to use. The Credential Manager module is composed of three cmdlets:

  • Get-StoredCredential
  • New-StoredCredential
  • Remove-StoredCredential

You can see these cmdlets listed in the screenshot below.

As is the case with any other PowerShell cmdlet, you can display the syntax for any one of these cmdlets by using PowerShell’s Get-Help cmdlet. All you have to do is to type Get-Help, followed by the name of the cmdlet that you need help with. For example, if you wanted to see the syntax for the Get-StoredCredential cmdlet, you would type:

Get-Help Get-StoredCredential

You can see what the output looks like in the next screenshot.

Create, retrieve, and remove stored credentials

So, with that said, let’s take a look at how to create, retrieve, and then remove a stored credential.

There are a couple of different ways of storing a credential. One method involves entering a password in clear text. The other method involves prompting a user to enter a password, and then writing that password directly to the credential manager. Let’s look at the clear text method first.

Suppose for a moment that I wanted to store a password for a server named Contoso. Let’s also assume that my password is “password” and that my username is User1. The command that I would use to enter that information into the Credential Manager is:

New-StoredCredential -Target Contoso -Username User1 -Password Password

You can see what the process looks like in the next screenshot.

If, on the other hand, you wanted to prompt User2 for their password for the Contoso server, the command would look more like this:

Get-Credential -Username User2 -Message “Please enter your password:” | New-StoredCredential -Target Contoso

When you run this command, the user sees a password prompt like the one shown in the screenshot below. Once the password has been entered, the output shown on the left side of the screenshot is displayed. The password prompt and the output are not on the screen at the same time in real life. I simply included them in the same screenshot for reference purposes.

So now that I have shown you how to enter credentials into Credential Manager, let’s take a look at how to retrieve credentials. If I wanted to retrieve User2’s credentials for Contoso, I could do so by entering this command:

Get-StoredCredential -Target Contoso

The password is returned as a secure string, as shown in the screenshot below. This is nice for a couple of reasons. First, the password isn’t being exposed on screen. Second, the password is in a format that a PowerShell script can natively use. In fact, I could map the command to a variable by typing something like this:

$Cred = Get-StoredCredential -Target Contoso

You can see both techniques illustrated in the screenshot below.

So now let’s pretend that we no longer wish to cache the credentials for the Contoso server. We can easily use PowerShell to purge the credentials from the Credential Manager. To do so, just enter the Remove-StoredCredential cmdlet, followed by the Target switch and the name of the target server. If necessary, you can also use the Type switch to specify the credential type (for example: -Type Generic). Here is a command that could be used to remove the cached credential for the Contoso server:

Remove-StoredCredential -Target Contoso

When you use this command, PowerShell does not generate any sort of visible output. Even so, you can verify that the operation was successful by leveraging the Get-StoredCredential cmdlet that I showed you earlier. In this case for example, you type Get-StoredCredential, followed by the Target switch and the name of the target (Contoso). Here is the command:

Get-StoredCredential -Target Contoso

You can see what this looks like in the screenshot below.

Final word of caution

It is relatively common for PowerShell scripts to require an encrypted password file that supplies the script with the necessary permissions. This is especially common for scripts that run unattended. The risk, however, is that someone could exploit the password file, even without knowing the actual password (it’s easy to do). If a script runs on the same machine each time, passwords can be read from the Credential Manager rather than requiring the use of a dedicated password file.

Featured image: Shutterstock

About The Author

2 thoughts on “Managing your users’ cached credentials with PowerShell”

  1. PackageManagement\Install-Package : Package ‘CredentialManager’ failed to be installed because: End of Central
    Directory record could not be found.
    At C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\\PSModule.psm1:1809 char:21
    + … $null = PackageManagement\Install-Package @PSBoundParameters
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidResult: (CredentialManager:String) [Install-Package], Exception
    + FullyQualifiedErrorId : Package ‘{0}’ failed to be installed because: {1},Microsoft.PowerShell.PackageManagement

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top