Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2011-12-15) Passwords Containing Special Characters In PowerShell

Posted by Jorge on 2011-12-15


I was playing with the new PowerShell CMDlets in Windows Server 8 to promote and demote DCs. First of all I must say that this is very very very (Have I already said VERY VERY…) COOL!

While using two new CMDlets I became aware of something I at first was not aware of.

To promote an RODC using a staged promotion, in the second stage I used the following command:

Install-ADDSDomainController -DomainName ADCORP.LAB -SafeModeAdministratorPassword $(ConvertTo-SecureString "dsrmPWD!" -AsPlainText -Force) -ApplicationPartitionsToReplicate * -DatabasePath "D:\AD\DB" -LogPath "D:\AD\LOG" -SysvolPath "D:\AD\SYSVOL" -UseExistingAccount -Credential $creds | FL

After the promotion I could use the configured “SafeModeAdministratorPassword”. So far so good!

After the promotion I tested the demotion CMDlet by using the following command to demote the RODC to a stand alone server:

Uninstall-ADDSDomainController -LocalAdministratorPassword $(ConvertTo-SecureString "Pa$$w0rd" -AsPlainText -Force) | FL

Notice the password I used. After the demotion I wanted to log on to the stand-alone server using the account “administrator” with the password “Pa$$w0rd”.

Guess what! It failed!!!! WTF!

To make sure I did not make any typos I tried this again and again and again. It kept failing, damn!

After filing this as a bug I discussed this with a Microsoft engineer and he discussed this with the Product Group. He also did some testing and in the end we came to a conclusion! Guess what! BY DESIGN!

So what’s up?

When using the “ConvertTo-SecureString” CMDlet you need to take into account special characters.

If you use the “Read-Host” CMDlet to capture the password you DO NOT need to take into account special characters.

So if you want to test your password when using the “ConvertTo-SecureString” CMDlet, you can do so by just pasting the password into a PowerShell Command Prompt Window and seeing what the result is.

For example, if you want the actual password to be (without the double quotes) “dsrmPWD!”, the result is:

Figure 1: The Required Password Must Be “dsrmPWD!” – Correct!

For example, if you want the actual password to be (without the double quotes) “Pa$$w0rd”, the result is:

Figure 2: The Required Password Must Be “Pa$$w0rd” – Wrong!

For example, if you want the actual password to be (without the double quotes) “Pa$$w0rd”, the result is:

Figure 3: The Required Password Must Be “Pa$$w0rd” – Correct!

Figure 4: The Required Password Must Be “Pa$$w0rd” – Correct!

In other words, when using special characters in PowerShell (in this case the $) you need to EITHER escape them (when using double quotes) as shown in figure 3 OR use single quotes. The single-quotes method is more natural and of course less difficult. This is not something new in Windows Server 8, but rather a common thing in the use of PowerShell.

UPDATE 2011-12-16: The option in figure 4 has been added based upon the comments added to this post. Thanks for the better solution guys!

Cheers,

Jorge
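
The three quoting forms from figures 2 to 4, as an added example that is not part of the original post: it passes each candidate through ConvertTo-SecureString and reports what was actually stored. The helper names ConvertFrom-SecureStringPlain and Test-PasswordLiteral are hypothetical, and the password is the post's lab value.

```powershell
# Added example, not code from the original post. Lab values only.
$intended = 'Pa$$w0rd'   # single quotes: taken literally, no expansion

function ConvertFrom-SecureStringPlain {   # hypothetical helper name
    param([Parameter(Mandatory)][System.Security.SecureString]$SecureString)
    # NetworkCredential hands back the clear text; use for lab verification only.
    (New-Object System.Net.NetworkCredential('', $SecureString)).Password
}

function Test-PasswordLiteral {            # hypothetical helper name
    param([string]$Label, [string]$Candidate, [string]$Intended)
    # By the time we get here the caller's quoting has already been applied,
    # so $Candidate is exactly what the CMDlet would receive.
    $secure = ConvertTo-SecureString $Candidate -AsPlainText -Force
    $stored = ConvertFrom-SecureStringPlain -SecureString $secure
    [pscustomobject]@{
        Form    = $Label
        Stored  = $stored
        Length  = $stored.Length
        Matches = ($stored -ceq $Intended)   # case-sensitive comparison
    }
}

$results = @(
    # "$$" inside double quotes is the automatic variable holding the last
    # token of the previous line the session received, so the stored value
    # depends on what was typed before (figure 2).
    Test-PasswordLiteral 'double quotes'          "Pa$$w0rd"   $intended
    # The backtick is PowerShell's escape character (figure 3).
    Test-PasswordLiteral 'double quotes, escaped' "Pa`$`$w0rd" $intended
    # Single quotes suppress expansion entirely (figure 4).
    Test-PasswordLiteral 'single quotes'          'Pa$$w0rd'   $intended
)
$results | Format-Table -AutoSize

# Fail before the value reaches Install-/Uninstall-ADDSDomainController
# if the form a script is about to use did not survive quoting.
$bad = $results | Where-Object { -not $_.Matches }
if ($bad) {
    Write-Warning ("Stored password differs from the intended one for: " +
                   (($bad | ForEach-Object { $_.Form }) -join ', '))
}

# Read-Host -AsSecureString reads the typed characters as-is, so no
# escaping is needed there:
#   $pwd = Read-Host -AsSecureString 'Password'
```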

4 Responses to “(2011-12-15) Passwords Containing Special Characters In PowerShell”

  1. Hi Jorge, another alternative is to use single quotes, e.g. ‘Pa$$w0rd’. When you use $ in double quotes it “resolves” the variable, e.g. “$colour” will not output anything unless you define it, e.g. $colour = “green”. Try “Pa$$w0rd” and then try ‘Pa$$w0rd’, e.g. “Pa$$w0rd”; ‘Pa$$w0rd’
    Pa$colourw0rd
    Pa$$w0rd

  2. dloder said

    All our admin accounts are prefixed with $, so we ran into this fairly early with PowerShell. I’ve always felt the escaping approach to be a bit unnatural. In my opinion, a better method is to instruct PS to treat the string as a literal. This is accomplished with single quotes rather than double quotes.

    PS C:\> ‘Pa$$w0rd’
    Pa$$w0rd

  3. You could also use single quotes to make sure the $$ don’t expand.

  4. Jorge said

    Thanks for the feedback guys! I experienced this and just tried one solution without trying other options.
