cmdkey in PowerShell doesn't work when run as a logon script?

J W*_*J W 5 powershell

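Trying to use cmdkey in a PowerShell logon script to store credentials in the Credential Manager. When the script is run from PowerShell ISE everything works, but when it runs as a logon script via Group Policy, everything except cmdkey works. I cannot for the life of me figure out why cmdkey works everywhere except when the script is run at logon.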

# Checks if CRM for Outlook is installed by checking the folder path
$installed = Test-Path "C:\Program Files (x86)\Microsoft Dynamics CRM"
# Checks if the CRM has already been configured using the CoreConfigured registry entry
$configured = Get-ItemProperty -Path HKCU:\software\Microsoft\MSCRMClient -Name "CoreConfigured"

# If CRM is installed and not configured, configure it, if CRM is not installed or installed and configured, exit
If ($installed -eq "True" -and $configured.CoreConfigured -ne 1) {

    $message1 = New-object -ComObject Wscript.Shell
    $message1.Popup("Preparing to configure Microsoft CRM for Outlook, please make sure Outlook is closed.",10,"Systems")

    # Prompts user for email address and Password to configure CRM for Outlook
    $c = Get-Credential -Message "To configure CRM, please enter your email address and password:"

    # puts user credentials into Windows Credential Manager using required CRM URLs 
    cmdkey /generic:Microsoft_CRM_https://disco.crm.dynamics.com/ /user: $c.Username  /pass: $c.Password | Out-Null
    cmdkey /generic:Microsoft_CRM_https://disco.crm4.dynamics.com/ /user: $c.Username /pass: $c.Password | Out-Null


    $message2 = New-Object -ComObject Wscript.Shell
    $message2.Popup("Please wait, a notification will appear when the configuration is complete.",10,"Systems")

    # Silently runs the CRM configuration Wizard with custom XML file
    $exe = "C:\Program Files (x86)\Microsoft Dynamics CRM\Client\ConfigWizard\Microsoft.Crm.Application.Outlook.ConfigWizard.exe"
    &$exe -p /Q /i 'C:\Program Files (x86)\Microsoft Dynamics CRM\Default_Client_Config.xml' /xa /l 'c:\temp\crminstall.txt' | Out-Null

    $message3 = New-Object -ComObject Wscript.Shell
    $message3.Popup("Configuration complete! You may now open Outlook!",10,"Systems")

} 
else {
    exit    
}

Aar*_*sen 1

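I imagine cmdkey is using Microsoft's Data Protection API (DPAPI) to encrypt credentials so that only the current user can retrieve them. You can't use this API unless the user's session is loaded. When your script runs, it may be too early in the logon process for the security information that DPAPI needs to have been loaded. I'm not sure how logon scripts work, but try putting a delay in your logon script until you get a value back.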

Here is the PowerShell code that encrypts using DPAPI:

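# ProtectedData lives in System.Security, which Windows PowerShell does not load by default
Add-Type -AssemblyName System.Security
$plainBytes = [Text.Encoding]::UTF8.GetBytes('test')   # sample input to protect
$scope = [Security.Cryptography.DataProtectionScope]::CurrentUser
$encryptedBytes = [Security.Cryptography.ProtectedData]::Protect( $plainBytes, $null, $scope )
$decryptedBytes = [Security.Cryptography.ProtectedData]::Unprotect( $encryptedBytes, $null, $scope )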

Add a loop to your logon script that tries to encrypt/decrypt some random array of bytes until it succeeds.
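One way to write the retry loop this answer suggests, as an added example that is not part of the original answer. The helper name `Wait-DpapiReady`, the timeout and the retry delay are assumptions chosen for illustration.

```powershell
# Added example: poll DPAPI until a CurrentUser round trip succeeds or a deadline passes.
Add-Type -AssemblyName System.Security   # ProtectedData lives in this assembly

function Wait-DpapiReady {               # hypothetical helper name
    param(
        [int]$TimeoutSeconds    = 60,    # assumed upper bound for the whole wait
        [int]$RetryDelaySeconds = 2      # assumed pause between attempts
    )

    $scope    = [Security.Cryptography.DataProtectionScope]::CurrentUser
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    do {
        # Fresh throwaway test data on every attempt (16 bytes from a new GUID)
        $plainBytes = [Guid]::NewGuid().ToByteArray()
        try {
            $encryptedBytes = [Security.Cryptography.ProtectedData]::Protect($plainBytes, $null, $scope)
            $decryptedBytes = [Security.Cryptography.ProtectedData]::Unprotect($encryptedBytes, $null, $scope)

            # Report ready only when the round trip returns the original bytes
            if ([Convert]::ToBase64String($decryptedBytes) -eq [Convert]::ToBase64String($plainBytes)) {
                return $true
            }
        }
        catch [Security.Cryptography.CryptographicException] {
            # DPAPI could not protect or unprotect yet; fall through and retry
        }
        Start-Sleep -Seconds $RetryDelaySeconds
    } while ((Get-Date) -lt $deadline)

    return $false
}

if (-not (Wait-DpapiReady)) {
    # Fail visibly instead of continuing without stored credentials
    Write-Warning "DPAPI round trip did not succeed before the timeout; skipping credential storage."
    exit 1
}
# The cmdkey calls from the logon script would run after this point.
```

Bounding the wait keeps a logon script from hanging indefinitely if the round trip never succeeds, and only `CryptographicException` is swallowed so that unrelated errors still surface.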