PSCredential object used in automatic Full User Profile Synchronization

As part of governance plan, full user profile synchronization may require to be run automatically weekly in your organization. While there are large number of great articles on the Internet providing you magical scripts to automatically trigger full synchronization process with Windows Server Task Scheduler, they still miss a few things you may not have paid attention to.

See an example below that supports you in full synchronization:

The missing case is if User Profile Synchronization Service is not started, this script doesn’t work. You would need the if-else function to check the status of User Profile Synchronization Service then start it.

Ironically the account you use is Farm account and its password displaying as plain-text format. This is highly risky if the script is accessible to someone (he simply needs to open Task Scheduler to trace location of the script).

To really mask the password, you can implement PSCredential to create SecureString object. First, enter the following command then type your password.

The password is encrypted to be stored in B:pwd.txt. If you want to see it, use the following command:

If you set the variable of your password is encrypted string, User Profile Synchronization service will not accept it once it’s triggered to be run. What we need to do is convert the encrypted password to basic string (BSTR). See the code snippet below:

Below is the full code snippet you can use along with Task Scheduler to run Full User Profile Synchronization.

The code below is to check the full synchronization function will not be executed until the User Profile Synchronization service is already started.

I would like to thank HungT – my great colleague who supported me to make this script.



Leave a Reply

© 2018 The Soldier of Fortune.