Secret-based Credentials for PowerShell Scripts
Overview
You can specify a secret to provide the default credentials for running all PowerShell scripts on a site. This allows sites in different data centers to have different default credentials. This applies to remote password changing, checkout hooks, and account discovery PowerShell scripts.
RunAs Secret Precedence
Remote Password Changing
The precedence order for which RunAs secret to use for remote password changing is:
- Privileged account on the secret RPC tab
- Secret site's RunAs secret
- Secret
Secret Dependencies
The precedence order for which RunAs secret to use for PowerShell Secret dependencies is:
- Privileged account on the dependency
- RunAs secret on the dependency group's site
- Secret site's RunAs secret
- Secret
Checkout Hooks
The precedence order for which RunAs secret to use for checkout hooks is:
- Privileged account on the hook
- Secret site's RunAs secret
- Secret
Procedures
Setting the Default PowerShell Credential for a Site
To set a default PowerShell credential for a site:
- Go to Admin > Distributed Engine and select a site from the list.
- In the Advanced site configuration section click Edit.
- Next to the Default PowerShell RunAs Secret field click on the No secret selected link and select the related secret from the list.
- Click Save.
Using the Site PowerShell Credentials for Discovery
To use the site PowerShell credentials on a discovery scanner:
- Add a PowerShell scanner to a discovery source or edit an existing scanner:
  - Navigate to Admin > Discovery and select the Configuration tab.
  - Select Extensible Discovery from the dropdown at the top right, and select Configure Discovery Scanners.
  - Select a scanner from the list and click Edit to edit an existing scanner, or click Create scanner at the top right if you would like to create a new scanner.
  - If creating a new scanner, specify its Name and Description, check to enable State, select the related Scanner type, and in the Base scanner field select PowerShell Discovery.
  - Optionally check to enable Allow OU input, select the Input template, Output template, and Script.
  - When done, click Save.
  - If editing an existing scanner, select a disabled scanner, set the related fields the same way as described above, and click Save.
- Select the scanner that you have just created or edited, click Edit, and check to select Use Site RunAs Secret.
- Click Save.
If no RunAs secret is set on the site, you will get an error message when you try to save.