Introduction: PowerShell workflow activities are executed by the FIM Service account by default. There could be a situation where we want to run the PowerShell script as another account, which means we need to save that account's credentials somewhere, preferably NOT in plaintext. Here I'll save the ADMA account password, since we'll use it to execute Update-Recipient on the Exchange Server (the ADMA account is a member of Exchange Organization Administrators).
Create a secure password file – Here I’ve chosen to save the passwords in a directory I already created c:\SecurePW\
- Open PowerShell on the FIM Service server. IMPORTANT: you must run this as the FIMService account, or the password will not be read successfully when the workflow runs.
- PS C:\> Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File C:\SecurePW\adma.txt
- Type the ADMA account password.
Take a look at the file and notice it’s NOT stored as plain text, but as a secure string (324 characters).
Read in the encrypted password in your PS script – This is most easily demonstrated by an example. Here we’ll do a remote PS session to the CAS server and execute Update-Recipient on the target user.
Here the named parameter $TargetIdentity is defined in the activity as [//Target/MailNickname], one of the valid parameter values for Update-Recipient. Of course we could have used the built-in Exchange provisioning via the dropdown in the ADMA, but what fun would that be?
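The following script is an added example, not the original post's workflow script. It shows the two halves of the approach together: reading back the encrypted password written by the Read-Host | ConvertFrom-SecureString one-liner above, and using the resulting credential for a remote Exchange session that runs Update-Recipient. The account name CONTOSO\adma, the server name cas01.contoso.local and the use of the Exchange remote PowerShell endpoint (http://server/PowerShell/) are assumptions; $TargetIdentity is the named parameter the activity passes in. Because ConvertFrom-SecureString without -Key protects the string with DPAPI, the file can only be decrypted by the same user on the same machine that created it, which is why the script has to run as the FIMService account and why the decrypt step is wrapped in an explicit error check.

```powershell
# Added example (not the original post's script). Assumptions:
#   - C:\SecurePW\adma.txt was created as the FIMService account on this server
#     with: Read-Host -AsSecureString | ConvertFrom-SecureString | Out-File ...
#   - $TargetIdentity is supplied by the workflow activity ([//Target/MailNickname])
#   - CONTOSO\adma and cas01.contoso.local are placeholders for your environment
param(
    [Parameter(Mandatory = $true)]
    [string]$TargetIdentity
)

$PasswordFile = 'C:\SecurePW\adma.txt'    # file created in the previous step
$UserName     = 'CONTOSO\adma'            # placeholder: the ADMA service account
$CasServer    = 'cas01.contoso.local'     # placeholder: Exchange CAS server

# Fail early with a readable message instead of a downstream logon failure
if (-not (Test-Path -LiteralPath $PasswordFile)) {
    throw "Encrypted password file not found: $PasswordFile"
}

try {
    # ConvertTo-SecureString without -Key uses DPAPI: this only succeeds for the
    # same user (FIMService) on the same server that ran ConvertFrom-SecureString.
    # Any other account gets "Key not valid for use in specified state".
    $SecurePassword = Get-Content -LiteralPath $PasswordFile | ConvertTo-SecureString
}
catch {
    throw "Could not decrypt $PasswordFile. It must be read by the account and server that created it. $_"
}

# Build the credential the remote session will run under
$Credential = New-Object System.Management.Automation.PSCredential ($UserName, $SecurePassword)

$Session = $null
try {
    # Remote session to the Exchange management endpoint on the CAS server,
    # authenticating as the ADMA account rather than the FIM Service account
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
                             -ConnectionUri "http://$CasServer/PowerShell/" `
                             -Authentication Kerberos `
                             -Credential $Credential

    # Import only the cmdlet we need as a local proxy; the Exchange endpoint is a
    # constrained (NoLanguage) runspace, so proxied cmdlets are the reliable path
    Import-PSSession -Session $Session -CommandName Update-Recipient -AllowClobber | Out-Null

    # The identity comes from the activity's named parameter ([//Target/MailNickname])
    Update-Recipient -Identity $TargetIdentity -ErrorAction Stop
}
finally {
    # Always tear the session down so the workflow does not leak remote runspaces
    if ($Session) { Remove-PSSession -Session $Session }
}
```

Two points worth checking before wiring this into the activity: confirm the decrypt step works by running the script once interactively as the FIMService account on the FIM Service server (if the file was created under a different user or copied from another machine, ConvertTo-SecureString will fail there, not in Exchange), and keep the NTFS ACL on C:\SecurePW\ restricted to that account, since DPAPI protects the file contents but not against anyone who can run code as the same user.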