Almost every admin I know enable command line support in WinPE. What they probably don’t know is that it is possible to display the network access account password in clear text. This is by design since WinPE is not member of a domain and need to use the password to access resources in SCCM. This password is just well hidden. Since Microsoft has typed the text “for testing only” I feel that they know this and the probably would not recommend to enable Command line support to a Boot image for production.
Anyway, let’s have a look at how we can retrieve that password. First we need this script to dump the variable that we are interested in:
Set Env = CreateObject("Microsoft.SMS.TSEnvironment") For Each ts in Env.GetVariables() If ts = "_SMSTSReserved2" Then wscript.echo "Password for Network Access Account is: " & Env(ts) End If Next
(I know that the deployment guys has a script that dumps every variable)
NOTE: _SMSTSReserved1 is the username, and _SMSTSReserved2 is the password.
Now, you could for example start WinPE and Hit the F8 button to get into the dos shell, and from there start notepad and type the text in and save it to a .VBS file and the execute it with cscript. But I am lazy so I just use my old friend net use to map a share using this syntax:
net use * \\server\corpshare /user:labdomain\administrator
And the copy the script file that I prepared in advance to my X: in WinPE by using:
copy z:\Recoverpassword.vbs x:\
Before you can execute the script you have to start a task sequence. This is because the script is depending on the TSEnvironment to retrieve the password/variable.
So there it is, a quick guide on how to display the password.