Is there a way to use the PowerShell API to regenerate a password for an existing entry?
Hi,
You can combine New-RDMRandomPassword and Set-RDMSessionPassword to generate a new, random password for a session.
Let me know if this helps.
Regards
Jonathan Lafontaine
Do you have an example of the code for this or documentation?
Simplest way would be
$s = Get-RDMSession -Name 'sessions name'
$p = New-RDMRandomPassword -Session $s
Set-RDMSessionPassword $s -Password (ConvertTo-SecureString -AsPlainText $p) -SetSession
To see more ways to generate a password, you can use this command.
Get-Help New-RDMRandomPassword -Examples
Jonathan Lafontaine
Are we able to do this with Devolutions.Server?
Yes, that should work with any data source supported by RDM.
Jonathan Lafontaine
How do we integrate this functionality with our existing script?
Set-PSRepository -Name "PSGallery" -InstallationPolicy Trusted
Install-Module -Name Devolutions.Server
Import-Module -Name Devolutions.Server
$DS_URL= 'https://server/dps'
$appSecret = ''
$appKey = ''
[securestring]$Password = ConvertTo-SecureString $appSecret -AsPlainText -Force
[pscredential]$Credential = New-Object System.Management.Automation.PSCredential ($appKey, $Password)
New-DSSession $Credential $DS_URL -AsApplication --quiet | out-null
$sensitivedata = (Get-DSEntrySensitiveData -EntryId "41981d69-6306-4f8e-9dd9-0f38cb2db1de").body.data
Write-Output $sensitivedata.credentials.password
Oh, you are using the DVLS cmdlets.
If you don't have other scripts relying on those cmdlets you could probably switch to the RDM cmdlets.
If not, I'll see what I can come up with that would fit your script.
Jonathan Lafontaine
we would like to do both things in one script
I mean, there are 2 ways to access a Devolutions Server using our module, RDM cmdlets and DS cmdlets.
The easiest way is most likely using RDM cmdlets. The snippet you showed me is using the other set of cmdlets.
If that is the only code you have so far, it would be fairly easy to switch.
Jonathan Lafontaine
If you can show us how to do it with RDM that would be helpful
That should do it.
If the dvls data source isn't configured it will do so, make sure it's active, and generate a new random password for a specified entry.
$dataSourceName = "devolutions-server"
$ds = Get-RDMDataSource -Name $dataSourceName
if($ds -eq $null)
{
$ds_url = ''
$appSecret = ''
$appKey = ''
$ds = New-RDMDataSource -DVLS -Name $dataSourceName -Server $ds_url -ScriptingTenantID $appKey -ScriptingApplicationPassword $appSecret -SetDataSource
}
Set-RDMCurrentDataSource $ds
$s = Get-RDMSession -Name 'sessions name'
$p = New-RDMRandomPassword -Session $s
Set-RDMSessionPassword $s -Password (ConvertTo-SecureString -AsPlainText $p) -SetSession
Jonathan Lafontaine
We want to generate and set a new password for an existing entry in a vault. Then we want to retrieve that password from the entry. Can you show us how to do it using the remote desktop cmdlet?
Hi,
The script above does exactly that. Here it is with comments to explain what each part does.
$dataSourceName = "devolutions-server"
# Get the data source info from RDM config file.
$ds = Get-RDMDataSource -Name $dataSourceName
if($ds -eq $null)
{
# If $ds is null, add a new data source and save it
$ds_url = ''
$appSecret = ''
$appKey = ''
$ds = New-RDMDataSource -DVLS -Name $dataSourceName -Server $ds_url -ScriptingTenantID $appKey -ScriptingApplicationPassword $appSecret -SetDataSource
}
# Set the dvls data source as the current data source
Set-RDMCurrentDataSource $ds
# Get the entry for which you want to generate a new password, based on its name
$s = Get-RDMSession -Name 'sessions name here'
# Generate a new password
$p = New-RDMRandomPassword -Session $s
# Set the new password and save the modification
Set-RDMSessionPassword $s -Password (ConvertTo-SecureString -AsPlainText $p) -SetSession
# If you want to know the new password you can simply print it
$p
That should do the trick
Regards
Jonathan Lafontaine
$dataSourceName = "devolutions-server"
what should the source name be?
# Get the data source info from RDM config file.
$ds = Get-RDMDataSource -Name $dataSourceName
what rdm config file?
Is there online document that we can't find?
$dataSourceName = "devolutions-server"
what should the source name be?
The name is not important as long as it's always the same. You can leave it as is.
# Get the data source info from RDM config file.
$ds = Get-RDMDataSource -Name $dataSourceName
what rdm config file?
RDM saves its data source information and other settings in a file called RemoteDesktopManager.cfg (for the most part, other files are also used).
If these files don't exist they will be created automatically.
If you would prefer to not save these settings, here's the same script modified to avoid the config files.
$dataSourceName = "devolutions-server"
# Create a data source pointing to the dvls instance
$ds_url = ''
$appSecret = ''
$appKey = ''
$ds = New-RDMDataSource -DVLS -Name $dataSourceName -Server $ds_url -ScriptingTenantID $appKey -ScriptingApplicationPassword $appSecret
# Set the dvls data source as the current data source
Set-RDMCurrentDataSource $ds
# Get the entry for which you want to generate a new password, based on its name
$s = Get-RDMSession -Name 'sessions name here'
# Generate a new password
$p = New-RDMRandomPassword -Session $s
# Set the new password and save the modification
Set-RDMSessionPassword $s -Password (ConvertTo-SecureString -AsPlainText $p) -SetSession
# If you want to know the new password you can simply print it
$p
Is there online document that we can't find?
Our knowledge base has some information and script for frequently asked questions.
The module itself also has documentation and examples. Here is how to use it.
Jonathan Lafontaine
We are getting this error
Get-RDMDataSource: /root/Devolutions.ps1:9
Line |
9 | $ds = Get-RDMDataSource -Name $dataSourceName
| ~~~~~~~~~~~~~~~
| Cannot validate argument on parameter 'Name'. The argument "devolutions-server" does not belong to the set "Local Data Source" specified by the
| ValidateSet attribute. Supply an argument that is in the set and then try the command again.
Get-RDMSession: /root/Devolutions.ps1:20
If you are running the script for the first time, that is ok and shouldn't prevent the script from completing successfully.
Otherwise, you could give the other script I posted a try, the one not saving the data source, right above.
Jonathan Lafontaine
Set-RDMSessionPassword: /root/Devolutions.ps1:22
Line |
22 | … ord $s -Password (ConvertTo-SecureString -AsPlainText $p) -SetSession
| ~~~~~~~~~~~
| A parameter cannot be found that matches parameter name 'SetSession'.
Which version of the module is installed?
You can find out by running Get-RDMInstance.
Jonathan Lafontaine
PS /root> Get-RDMInstance
ApplicationVersion OptionFilename
------------------ --------------
2022.3.1.8 /root/.rdm/RemoteDesktopManager.cfg
Indeed, that version didn't have the SetSession flag.
You can replace that line with these two lines to achieve the same end result.
Set-RDMSessionPassword $s -Password (ConvertTo-SecureString -AsPlainText $p)
Set-RDMSession $s
Jonathan Lafontaine
Now I get this
PS /root> ./Devolutions.ps1
Unable to save the document; error code:
Is there an attachment saved in your session?
Jonathan Lafontaine
Not that I know of
I'm using the script as you sent it
$dataSourceName = "devolutions-server"
$ds = Get-RDMDataSource -Name $dataSourceName
if($ds -eq $null)
{
$ds_url = ''
$appSecret = ''
$appKey = ''
$ds = New-RDMDataSource -DVLS -Name $dataSourceName -Server $ds_url -ScriptingTenantID $appKey -ScriptingApplicationPassword $appSecret -SetDataSource
}
Set-RDMCurrentDataSource $ds
$s = Get-RDMSession -Name ''
$p = New-RDMRandomPassword -Session $s
Set-RDMSessionPassword $s -Password (ConvertTo-SecureString -AsPlainText $p)
Set-RDMSession $s
I was asking because as far as I can tell, this error message is displayed at only one place; when saving an attachment in a DVLS data source.
I don't have access to a 2022.3 version of DVLS.
Now that I think of it, what is the version of your DVLS instance?
Jonathan Lafontaine
Website shows 2022.3.6.0 in the lower left hand corner.
Any updates?
Not yet, I'm still working on reproducing the issue.
Jonathan Lafontaine
Thanks for the update
From what I can see, the error shouldn't prevent the password update process.
Can you validate the password has been updated anyway?
Jonathan Lafontaine
I can confirm that it didn't work.
Can it be switched to use an entry Id instead of a name?
Yes it is.
Replace this line
$s = Get-RDMSession -Name ''
with this line
$s = Get-RDMSession -ID 'guid here'
Jonathan Lafontaine
This time it worked with the following error. How do we specify the complexity and length of the password?
PS /root> ./Devolutions.ps1
WARNING: This is the last major release supporting PowerShell 5.1. Starting with 2023.1, our PowerShell module will be named 'Devolutions.PowerShell and only support PS7.
WARNING: The type initializer for 'Devolutions.Cryptography.Native' threw an exception.\n at Devolutions.Cryptography.Native.GenerateKeyNative(Byte[] key, UIntPtr keyLength)
at Devolutions.Cryptography.Managed.GenerateKey(UInt32 keySize)
at Devolutions.RemoteDesktopManager.Managers.OptionManager.DoLoadOptionEncryption()
at Devolutions.RemoteDesktopManager.Managers.OptionManager.LoadOptions()
at Devolutions.RemoteDesktopManager.Managers.ApplicationManager.InitializePhaseOne(String[] args)
at RemoteDesktopManager.PowerShellModule.BaseCommand.BeginProcessing()
Get-RDMDataSource: /root/Devolutions.ps1:9
Line |
9 | $ds = Get-RDMDataSource -Name $dataSourceName
| ~~~~~~~~~~~~~~~
| Cannot validate argument on parameter 'Name'. The argument "devolutions-server" does not belong to the set "Local Data Source" specified
| by the ValidateSet attribute. Supply an argument that is in the set and then try the command again.
Unable to save the document; error code:
Weird that you are only starting to get this error now.
It usually means the native library used by our code cannot be loaded.
Do you perhaps have another PS instance still running that uses the module?
Jonathan Lafontaine
I ran it again and only got this output
PS /root> ./Devolutions.ps1
Unable to save the document; error code:
And in the DVLS web interface, the password didn't update, is that correct?
Jonathan Lafontaine
It did update after switching to ID
At least you can now update your passwords.
Unfortunately, the Unable to save the document error message seems to be caused by DVLS and I doubt a new 2022.3 update would be released.
Jonathan Lafontaine
How do I adjust the length and complexity of the generated password?
In the 2022.3 version of the module, only the session can configure how the password is generated.
We can adapt the script to temporarily set custom password complexity.
$dataSourceName = "devolutions-server"
# Get the data source info from RDM config file.
$ds = Get-RDMDataSource -Name $dataSourceName
if($ds -eq $null)
{
# If $ds is null, add a new data source and save it
$ds_url = ''
$appSecret = ''
$appKey = ''
$ds = New-RDMDataSource -DVLS -Name $dataSourceName -Server $ds_url -ScriptingTenantID $appKey -ScriptingApplicationPassword $appSecret -SetDataSource
}
# Set the dvls data source as the current data source
Set-RDMCurrentDataSource $ds
# Get the entry for which you want to generate a new password, based on its ID
$s = Get-RDMSession -ID 'sessions ID here'
# Backup current complexity settings, if you want to save the settings, remove this section and the reset
$PasswordComplexityId = $s.Security.PasswordComplexityId
$PasswordComplexityCustomMinimumLength = $s.Security.PasswordComplexityCustomMinimumLength
$PasswordComplexityCustomMinimumLowerCase = $s.Security.PasswordComplexityCustomMinimumLowerCase
$PasswordComplexityCustomMinimumSymbol = $s.Security.PasswordComplexityCustomMinimumSymbol
$PasswordComplexityCustomMinimumUpperCase = $s.Security.PasswordComplexityCustomMinimumUpperCase
# Modify entry password rules.
$s.Security.PasswordComplexityId = "<<Custom>>"
$s.Security.PasswordComplexityCustomMinimumLength = 14
$s.Security.PasswordComplexityCustomMinimumLowerCase = 5
$s.Security.PasswordComplexityCustomMinimumSymbol = 5
$s.Security.PasswordComplexityCustomMinimumUpperCase = 5
# Generate a new password
$p = New-RDMRandomPassword -Session $s
# Set the new password and save the modification
Set-RDMSessionPassword $s -Password (ConvertTo-SecureString -AsPlainText $p)
# Reset the complexity settings
$s.Security.PasswordComplexityId = $PasswordComplexityId
$s.Security.PasswordComplexityCustomMinimumLength = $PasswordComplexityCustomMinimumLength
$s.Security.PasswordComplexityCustomMinimumLowerCase = $PasswordComplexityCustomMinimumLowerCase
$s.Security.PasswordComplexityCustomMinimumSymbol = $PasswordComplexityCustomMinimumSymbol
$s.Security.PasswordComplexityCustomMinimumUpperCase = $PasswordComplexityCustomMinimumUpperCase
Set-RDMSession $s
# If you want to know the new password you can simply print it
$p
Jonathan Lafontaine
Is there a setting to request a random passphrase instead of random characters?
Hello dd5154,
The possibility to generate a passphrase is only possible in the Devolutions.PowerShell starting at the version 2023.1.0.3. As an alternative, you could generate a pronounceable password with this command:
New-RDMRandomPassword -Mode Pronounceable -CaseMode MixedCase -MinimumLength 12 -MorePronounceable
If it is not to your satisfaction, I will take a look if something else can be done.
I get this when I add it to the existing script
New-RDMRandomPassword: /root/Devolutions.ps1:37
Line |
37 | $p = New-RDMRandomPassword -Mode Pronounceable -Session $s
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.
ConvertTo-SecureString: /root/Devolutions.ps1:45
Line |
45 | … SessionPassword $s -Password (ConvertTo-SecureString -AsPlainText $p)
| ~~
| Cannot bind argument to parameter 'String' because it is null.
When using the parameter Mode, you must not use the parameter Session. With the value Pronounceable, two parameters are required: CaseMode and MinimalLength.
New-RDMRandomPassword -Mode Pronounceable -CaseMode MixedCase -MinimumLength 12
Here are the parameters that can be used with Mode Pronounceable:
How would I save the password without specifying session?
Sorry, I meant for the generation of the password. The call to New-RDMRandomPassword must not call -Session parameter because -Mode is used.
Here is the reworked script:
$dataSourceName = "devolutions-server"
# Get the data source info from RDM config file.
$ds = Get-RDMDataSource -Name $dataSourceName
if($ds -eq $null)
{
# If $ds is null, add a new data source and save it
$ds_url = ''
$appSecret = ''
$appKey = ''
$ds = New-RDMDataSource -DVLS -Name $dataSourceName -Server $ds_url -ScriptingTenantID $appKey -ScriptingApplicationPassword $appSecret -SetDataSource
}
# Set the dvls data source as the current data source
Set-RDMCurrentDataSource $ds
# Get the entry for which you want to generate a new password, based on its ID
$s = Get-RDMSession -ID 'sessions ID here'
# Generate a new password with 12 characters
$p = New-RDMRandomPassword -Mode Pronounceable -CaseMode MixedCase -MinimumLength 12
# Set the new password and save the modification
Set-RDMSessionPassword $s -Password (ConvertTo-SecureString -AsPlainText $p)
Set-RDMSession $s
# If you want to know the new password you can simply print it
$p
There is no need to modify session complexity password because the password is not generated based on those parameters.
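The rotation steps worked out in the replies above, pulled together as an added example (not code from the original posts or from Devolutions). It uses only the cmdlets and parameters shown in this thread; the environment variable names and the Get-RequiredEnv helper are assumptions made for the example, so that the application secret and the new password do not sit in the script file or the console output.

```powershell
# Added example. Environment variable names and Get-RequiredEnv are hypothetical.
$ErrorActionPreference = 'Stop'
$dataSourceName = 'devolutions-server'

function Get-RequiredEnv([string]$Name) {
    $v = [Environment]::GetEnvironmentVariable($Name)
    if ([string]::IsNullOrWhiteSpace($v)) { throw "Environment variable $Name is not set." }
    $v
}

# On a first run the thread shows Get-RDMDataSource -Name failing its ValidateSet
# check because the data source is not registered yet; treat that as "not found".
try   { $ds = Get-RDMDataSource -Name $dataSourceName }
catch { $ds = $null }

if ($null -eq $ds) {
    $ds = New-RDMDataSource -DVLS -Name $dataSourceName `
        -Server (Get-RequiredEnv 'DVLS_URL') `
        -ScriptingTenantID (Get-RequiredEnv 'DVLS_APP_KEY') `
        -ScriptingApplicationPassword (Get-RequiredEnv 'DVLS_APP_SECRET') `
        -SetDataSource
}
Set-RDMCurrentDataSource $ds

# Look the entry up by ID (the name lookup did not work for the poster)
# and insist on exactly one match before changing anything.
$entryId = Get-RequiredEnv 'DVLS_ENTRY_ID'
$found = @(Get-RDMSession -ID $entryId)
if ($found.Count -ne 1) { throw "Expected 1 entry for $entryId, found $($found.Count)." }
$s = $found[0]

# -Mode and -Session cannot be combined (see the parameter-set error above).
$p = New-RDMRandomPassword -Mode Pronounceable -CaseMode MixedCase -MinimumLength 12
if ([string]::IsNullOrEmpty($p)) { throw 'Password generation returned nothing; entry left unchanged.' }
$secure = ConvertTo-SecureString -AsPlainText $p -Force
$p = $null   # drop the plaintext copy once it is wrapped

# The 2022.3 module has no -SetSession switch; detect it rather than assume a version.
if ((Get-Command Set-RDMSessionPassword).Parameters.ContainsKey('SetSession')) {
    Set-RDMSessionPassword $s -Password $secure -SetSession
} else {
    Set-RDMSessionPassword $s -Password $secure
    Set-RDMSession $s
}
Write-Output "Rotated password for entry $entryId; value not echoed."
```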
hi all
the rdm cmdlet also doesn't work for me. if I'm honest, I also don't like the very slow rdm cmdlets.
instead this dvls snippet works like a charm and it's very performant:
Change a password (devolutions.net)
$Entry = (Get-DSEntry -EntryId $EntryId).Body.data
$Entry.data.passwordItem = @{
hasSensitiveData = $false
sensitiveData = $YourNewPassword
}
Update-DSEntryBase (ConvertTo-Json $Entry -Depth 10)
i hope this helps!
best regards,
andreas