Passing SecureString to Script in 4.0.2


I have a Script




New-ADUser -CannotChangePassword $True -PasswordNeverExpires $True -GivenName "$UserName" -Name "$UserName" -SamAccountName "$UserName" -Path "..." -Description "$Description" -Credential (Get-GMSACredential ...) -Enabled $True **-AccountPassword $Password** -UserPrincipalName "$UserName@..." -DisplayName "$UserName"

If I run this manually, it works.

If I run it using programatically from a UDStepper

function New-ESASMTPserviceAccount {
param (
    [Parameter(Mandatory)] [string]$Username,
    [Parameter(Mandatory)] [string]$Description,
    [Parameter(Mandatory)] [SecureString]$Password
Invoke-PSUScript $Script -username $Username -Description $Description -Password $Password -Integrated | Tee-Object -Variable job | Wait-PSUJob -Integrated
New-ESASMTPserviceAccount -Username $Context.Context.txtStep1Username -Description $Context.Context.txtStep1Description -Password (ConvertTo-SecureString -String $Context.Context.txtStep1Password -AsPlainText -Force)

I get:
Unable to cast object of type ‘System.Security.SecureString’ to type ‘System.String’. as en error on the script job.

If I change all the [SecureString]$Password to [string]$Password parameters in the script and function, pass the password in plaintext, and instead do “-Password (ConvertTo-SecureString -String $Password -AsPlainText -Force)” on new-ADUser is works as expected.

I’m not sure how to diagnose this, it feels like PSU doesnt want to accept a securestring as a parameter programatically on a script.

I’m pretty sure that this worked on 3.8.12 :sweat_smile:

Indeed, installed a new server with 3.8.12, and this works as expected.

on 3.8.12 however, manual invocation is not possible, as the password field is just plain text - on 4.0.2 the password field is a password field.

I can reproduce this. Will be fixed in 4.0.3.

1 Like