User permissions on cmdkey to execute remotely


I've made a script to re-add credentials on Windows. The script works fine locally, but when I try to execute it via Invoke-Command the script just executes itself and does nothing, and via Enter-PSSession, executing it manually, the options of the script pop up but still the data that should come from cmdkey /list doesn't get stored in the txts, so the script does nothing. I understand that if I use a credential (user A) in Invoke-Command/Enter-PSSession I can't see the credentials of user B who is currently logged in on the PC.

I've tried connecting via Enter-PSSession (user A) and executing the command cmdkey /list alone, but the result of the command is "I don't have stored credentials", even though I'm logged in locally on the PC as user A and I see the 2 credentials stored. If I execute cmdkey /delete it gives me the error "a specified login session does not exist"; /add says that I cannot store the credentials through this startup session.

I'm 90% sure that it's my user permissions (I'm admin "user A"), but I don't know where to start checking for it.

$salidacom = cmdkey /list

# Filter by target / user (localized cmdkey output: "Destino" = target, "Usuario" = user)
$salidacom | Select-String "Destino" | Out-File "C:\InC\p1.txt" -Force
$salidacom | Select-String "Usuario" | Out-File "C:\InC\p2.txt" -Force

# Filter the output for the servers
$SERVI1 = Get-Content -Path "C:\InC\p1.txt" | Where-Object { $_ -match "X.X.X.X" }
$SERVI2 = Get-Content -Path "C:\InC\p1.txt" | Where-Object { $_ -match "Y.Y.Y.Y" }

Write-Host "$SERVI1 $SERVI2"

$TXTUSU = "C:\InC\p3.txt"
$USUSRAW = Get-Content -Path "C:\InC\p2.txt"
# Keep only what is to the right of "Usuario:"
$usufilt = 'Usuario: (.+)'

# Array to collect the user names
$USUCORT = @()

foreach ($linea in $USUSRAW) {
    # Check line by line against the filter
    if ($linea -match $usufilt) {
        # Extract the user name
        $USUTOT = $matches[1]
        # Add it to the array so that each user counts as a separate value
        $USUCORT += $USUTOT
    }
}

$USUCORT | Out-File -FilePath $TXTUSU -Force

# Filter the credential users and create one variable per user
# (escape '.' and '\' in the regex so it matches the literal "XXXX.COM\" prefix)
$USUCORT = Get-Content -Path "C:\InC\p3.txt" | Where-Object { $_ -match 'XXXX\.COM\\' }
$contador = 1
foreach ($USUSOLO in $USUCORT) {
    New-Variable -Name "Usu$contador" -Value $USUSOLO -Force
    $contador++
}

Write-Host "$Usu1 $Usu2"

Start-Sleep -Seconds 1

# Delete credential

$resp = Read-Host "¿Quieres eliminar la credencial(si/no)?"

if ($resp -eq "Si" -or $resp -eq "si") {
    $serv = Read-Host "Dime cual quieres quitar. 1=X.X.X.X 2=Y.Y.Y.Y"
    if ($serv -eq "1") {
        $servidor = "X.X.X.X"
        cmdkey /delete:$servidor
        Start-Sleep -Seconds 2
    }
    # (the remaining branches are cut off in the original post)
}
-----------

# Add credential

$resp = Read-Host "¿Quieres agregar una credencial(si/no)?"

if ($resp -eq "Si" -or $resp -eq "si") {
    $serv = Read-Host "Dime cual de los servidores es el que quieres añadir. 1=X.X.X.X 2=Y.Y.Y.Y"

    # For X.X.X.X
    if ($serv -eq "1") {
        $servidor1 = "X.X.X.X"
        $opc = Read-Host "¿Quieres usar los usuarios que tenia (T) o nuevos (N)?"

        if ($opc -eq "T" -or $opc -eq "t") {
            $usuexist = Read-Host "Te muestro las credenciales existentes (1)$SERVI1 (2)$SERVI2 | $USUCORT "
            if ($usuexist -eq 1) {
                $pass = Read-Host -Prompt "Dime la contrasena" -AsSecureString
                # cmdkey only takes a plain-text password on its command line, so the
                # SecureString must be converted first; passing it directly would store
                # the literal text "System.Security.SecureString" as the password
                $plainPass = [System.Net.NetworkCredential]::new('', $pass).Password
                cmdkey /add:$servidor1 /user:$Usu1 /pass:$plainPass
                Start-Sleep -Seconds 2
            }
        }
    }
    # (the remaining branches are cut off in the original post)
}
----------


1 answer

mklement0:

The problem appears not to be related to permissions or privileges, but to the fact that cmdkey.exe currently does not work from a session that has no window station associated with it (loosely speaking, a session without a desktop), which indeed applies to PowerShell remoting sessions.

  • This comment in the GitHub repo for the Azure documentation suggests that there is no good technical reason for cmdkey.exe to require this and that it may change in the future, but the requirement is still in place as of Windows 11 22H2.
    The workarounds suggested in other comments on the same issue didn't work for me.

Potential alternative / workaround:

As an alternative to cmdkey.exe, consider switching to the Microsoft.PowerShell.SecretManagement module together with the Microsoft.PowerShell.SecretStore local-file-system vault extension module, which can be used via PowerShell remoting:

  • Note that - unlike cmdkey.exe - this storage mechanism does not integrate with Windows Credential Manager.

  • It furthermore assumes that these modules are installed on the target machine(s), though it is possible to install them remotely; e.g.:

$computer = 'computer1' # Specify the target computer here.

Invoke-Command -ComputerName $computer { 

  # Install the modules, if needed
  if (-not (Get-Module -List Microsoft.PowerShell.SecretStore)) {
    Install-Module -ErrorAction Stop -Scope AllUsers Microsoft.PowerShell.SecretManagement, Microsoft.PowerShell.SecretStore
  }

  # If not already registered, register a local vault and make it the default vault
  $localVault = 'LocalVault'
  if (-not (Get-SecretVault -ErrorAction Ignore $localVault)) {
    # This will prompt for a password for the vault as a whole.
    Register-SecretVault -ErrorAction Stop -Name $localVault -ModuleName Microsoft.PowerShell.SecretStore -DefaultVault
  } else {
    # Unlock the local vault:
    # When prompted, provide the previously chosen password.
    Unlock-SecretStore -ErrorAction Stop
  }

  # Now you can use Set-Secret to store a secret in the local vault
  # that you can later retrieve with Get-Secret; e.g.:
  Set-Secret server1 (Read-Host -AsSecureString 'Enter password for server1')

}
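As an added example (not part of mklement0's answer or the question's script), the list/add/delete steps the question's script performs with cmdkey, rebuilt on top of the SecretStore vault the answer registers, so that they work from a remoting session. It assumes the vault name 'LocalVault' from the answer, that the modules are already installed, and that the caller passes the vault password as a SecureString via -ArgumentList; the server and user values are constructed placeholders.

```powershell
# Added example (not from the question or the answer): cmdkey-style
# list/add/delete on top of Microsoft.PowerShell.SecretStore, intended to
# run inside Invoke-Command on a host where the answer's vault exists.
# Assumptions: vault name 'LocalVault', modules already installed, and the
# vault password supplied by the caller as a SecureString.
param(
    [Parameter(Mandatory)] [securestring] $VaultPassword,
    [string] $VaultName = 'LocalVault'
)

# Unlock non-interactively so no password prompt is needed in the remote session.
Unlock-SecretStore -Password $VaultPassword -ErrorAction Stop

function Get-ServerCredentialList {
    # Analogue of 'cmdkey /list': one row per stored PSCredential entry.
    Get-SecretInfo -Vault $VaultName |
        Where-Object Type -eq 'PSCredential' |
        ForEach-Object {
            $cred = Get-Secret -Name $_.Name -Vault $VaultName
            [pscustomobject]@{ Target = $_.Name; UserName = $cred.UserName }
        }
}

function Add-ServerCredential {
    # Analogue of 'cmdkey /add:<target> /user:<user> /pass:<password>'.
    # Unlike cmdkey, the password never appears on a command line.
    param([string] $Target, [string] $UserName, [securestring] $Password)
    $cred = [pscredential]::new($UserName, $Password)
    Set-Secret -Name $Target -Secret $cred -Vault $VaultName
}

function Remove-ServerCredential {
    # Analogue of 'cmdkey /delete:<target>'.
    param([string] $Target)
    Remove-Secret -Name $Target -Vault $VaultName -ErrorAction Stop
}

# Constructed placeholder values standing in for the real servers and users.
Add-ServerCredential -Target 'X.X.X.X' -UserName 'XXXX.COM\user1' `
    -Password (Read-Host -AsSecureString 'Password for X.X.X.X')
Get-ServerCredentialList | Format-Table -AutoSize
Remove-ServerCredential -Target 'X.X.X.X'
```

Run it with `Invoke-Command -ComputerName $computer -FilePath .\vaultcreds.ps1 -ArgumentList (Read-Host -AsSecureString 'Vault password')`, so the vault password is typed on the client and crosses only the encrypted remoting channel.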