Export-DbaCredential: Open DAC unless ExcludePassword used (#10112)

andreasjordan · web-flow · commit 6449a955ca62 · 2026-01-30T08:11:26.000+01:00
diff --git a/public/Export-DbaCredential.ps1 b/public/Export-DbaCredential.ps1
@@ -20,9 +20,6 @@ function Export-DbaCredential {
 
         For MFA support, please use Connect-DbaInstance.
 
-    .PARAMETER Credential
-        Login to the target OS using alternative credentials. Accepts credential objects (Get-Credential)
-
     .PARAMETER Path
         Specifies the directory where the exported T-SQL script file will be saved. Defaults to the configured DbatoolsExport path.
         Use this when you want to control where credential scripts are stored for organization or compliance requirements.
@@ -35,10 +32,6 @@ function Export-DbaCredential {
         Specifies which credential names to export by filtering on the Identity property. Accepts an array of credential names.
         Use this to export specific credentials instead of all credentials, particularly useful when migrating only certain application or service accounts.
 
-    .PARAMETER InputObject
-        Accepts credential objects piped from Get-DbaCredential, allowing for advanced filtering and processing scenarios.
-        Use this in pipeline operations when you need to filter or process credentials before exporting them.
-
     .PARAMETER ExcludePassword
         Exports credential definitions without the actual password values, replacing them with placeholder text.
         Use this for documentation purposes or when you need credential structure without sensitive data for security reviews.
@@ -47,6 +40,10 @@ function Export-DbaCredential {
         Adds the exported credential scripts to an existing file instead of overwriting it.
         Use this when consolidating credentials from multiple instances into a single deployment script.
 
+    .PARAMETER Passthru
+        Returns the generated T-SQL script to the PowerShell pipeline instead of saving to file.
+        Use this to capture the script in a variable, pipe to other commands, or display directly in the console.
+
     .PARAMETER EnableException
         By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
         This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
@@ -84,23 +81,18 @@ function Export-DbaCredential {
     [CmdletBinding()]
     param (
         [DbaInstanceParameter[]]$SqlInstance,
-        [string[]]$Identity,
         [PSCredential]$SqlCredential,
-        [PSCredential]$Credential,
         [string]$Path = (Get-DbatoolsConfigValue -FullName 'Path.DbatoolsExport'),
         [Alias("OutFile", "FileName")]
         [string]$FilePath,
+        [string[]]$Identity,
         [switch]$ExcludePassword,
         [switch]$Append,
-        [Parameter(ValueFromPipeline)]
-        [Microsoft.SqlServer.Management.Smo.Credential[]]$InputObject,
+        [switch]$Passthru,
         [switch]$EnableException
     )
     begin {
         $null = Test-ExportDirectory -Path $Path
-        $serverArray = @()
-        $credentialArray = @{ }
-        $credentialCollection = New-Object System.Collections.ArrayList
     }
     process {
         if (Test-FunctionInterrupt) { return }
@@ -110,137 +102,78 @@ function Export-DbaCredential {
             return
         }
 
-        if (-not $InputObject -and -not $SqlInstance) {
-            Stop-Function -Message "You must pipe in a Credential or specify a SqlInstance"
-            return
-        }
-
-        if (Test-Bound -ParameterName SqlInstance) {
-            foreach ($instance in $SqlInstance) {
-                try {
-                    try {
-                        $server = Connect-DbaInstance -SqlInstance $instance -SqlCredential $SqlCredential -MinimumVersion 9
-                    } catch {
-                        Stop-Function -Message "Failure" -Category ConnectionError -ErrorRecord $_ -Target $instance -Continue
-                    }
-
-                    $serverCreds = $server.Credentials
-                    if (Test-Bound -ParameterName Identity) {
-                        $serverCreds = $serverCreds | Where-Object Identity -In $Identity
-                    }
-
-                    $InputObject += $serverCreds
-                } catch {
-                    Stop-Function -Message "Error occurred while establishing connection to $instance" -Category ConnectionError -ErrorRecord $_ -Target $instance -Continue
+        foreach ($instance in $SqlInstance) {
+            try {
+                if ($ExcludePassword) {
+                    Write-Message -Level Verbose -Message "Opening normal connection because we don't need the passwords."
+                    $server = Connect-DbaInstance -SqlInstance $instance -SqlCredential $SqlCredential -MinimumVersion 9
+                } else {
+                    Write-Message -Level Verbose -Message "Opening dedicated admin connection for password retrieval."
+                    $server = Connect-DbaInstance -SqlInstance $instance -SqlCredential $SqlCredential -MinimumVersion 9 -DedicatedAdminConnection -WarningAction SilentlyContinue
                 }
+            } catch {
+                Stop-Function -Message "Failure" -Category ConnectionError -ErrorRecord $_ -Target $instance -Continue
             }
-        }
-
-        foreach ($input in $InputObject) {
-            $server = $input.Parent
-            $instance = $server.DomainInstanceName
 
-            if ($serverArray -notcontains $instance) {
-                try {
-                    if ($ExcludePassword) {
-                        $serverCreds = $server.Credentials
-                        $creds = New-Object System.Collections.ArrayList
-
-                        foreach ($cred in $server.Credentials) {
-                            $credObject = [PSCustomObject]@{
-                                Name            = $cred.Name
-                                Quotename       = $server.Query("SELECT QUOTENAME('$($cred.Name.Replace("'", "''"))') AS Quotename").Quotename
-                                Identity        = $cred.Identity.ToString()
-                                Password        = ''
-                                MappedClassType = $cred.MappedClassType
-                                ProviderName    = $cred.ProviderName
-                            }
-                            $creds.Add($credObject) | Out-Null
-                        }
-                        $creds | Add-Member -MemberType NoteProperty -Name 'SqlInstance' -Value $instance
-                        $creds | Add-Member -MemberType NoteProperty -Name 'ExcludePassword' -Value $ExcludePassword
-                        $credentialCollection.Add($credObject) | Out-Null
-                    } else {
-                        if (-not (Test-SqlSa -SqlInstance $server)) {
-                            Stop-Function -Message "Not a sysadmin on $instance. Quitting." -Target $instance -Continue
-                        }
-
-                        Write-Message -Level Verbose -Message "Getting FullComputerName name for $instance."
-                        $fullComputerName = Resolve-DbaComputerName -ComputerName $server -Credential $Credential
-
-                        Write-Message -Level Verbose -Message "Checking if Remote Registry is enabled on $instance."
-                        try {
-                            Invoke-Command2 -Raw -Credential $Credential -ComputerName $fullComputerName -ScriptBlock { Get-ItemProperty -Path "HKLM:\SOFTWARE\" } -ErrorAction Stop
-                        } catch {
-                            Stop-Function -Message "Can't connect to registry on $instance." -Target $fullComputerName -ErrorRecord $_
-                            return
-                        }
-
-                        $creds = Get-DecryptedObject -SqlInstance $server -Type Credential
-                        Write-Message -Level Verbose -Message "Adding Members"
-                        $creds | Add-Member -MemberType NoteProperty -Name 'SqlInstance' -Value $instance
-                        $creds | Add-Member -MemberType NoteProperty -Name 'ExcludePassword' -Value $ExcludePassword
-                        $credentialCollection.Add($creds) | Out-Null
+            if ($ExcludePassword) {
+                $credentials = foreach ($cred in $server.Credentials) {
+                    [PSCustomObject]@{
+                        Name            = $cred.Name
+                        Quotename       = $server.Query("SELECT QUOTENAME('$($cred.Name.Replace("'", "''"))') AS Quotename").Quotename
+                        Identity        = $cred.Identity.ToString()
+                        Password        = '<EnterStrongPasswordHere>'
+                        MappedClassType = $cred.MappedClassType
+                        ProviderName    = $cred.ProviderName
                     }
-                } catch {
-                    Stop-Function -Continue -Message "Failure" -ErrorRecord $_
                 }
-
-                $serverArray += $instance
-
-                $key = $instance + '::' + $input.Name
-                $credentialArray.add( $key, $true )
             } else {
-                $key = $instance + '::' + $input.Name
-                $credentialArray.add( $key, $true )
+                $credentials = Get-DecryptedObject -SqlInstance $server -Type Credential
             }
-        }
-    }
-
-    end {
-        $sql = @()
-        foreach ($cred in $credentialCollection) {
-            Write-Message -Level Verbose -Message "Credentials in object = $($cred.Count)"
 
-            foreach ($currentCred in $creds) {
-                $FilePath = Get-ExportFilePath -Path $PSBoundParameters.Path -FilePath $PSBoundParameters.FilePath -ServerName $currentCred.SqlInstance -Type Sql
+            if ($Identity) {
+                $credentials = $credentials | Where-Object Identity -in $Identity
+            }
 
-                $key = $currentCred.SqlInstance + '::' + $currentCred.Name
-                if ( $credentialArray.ContainsKey($key) ) {
-                    $quotename = $currentCred.Quotename
-                    $identity = $currentCred.Identity.Replace("'", "''")
+            if (-not $credentials) {
+                Write-Message -Level Verbose -Message "Nothing to export"
+                continue
+            }
 
-                    if ($currentCred.MappedClassType -like 'Cryptographic*') {
-                        $providerName = $currentCred.ProviderName
-                        $cryptoSql = " FOR CRYPTOGRAPHIC PROVIDER $providerName"
-                    } else {
-                        $cryptoSql = ""
-                    }
+            $FilePath = Get-ExportFilePath -Path $PSBoundParameters.Path -FilePath $PSBoundParameters.FilePath -Type sql -ServerName $instance
 
-                    if ($currentCred.ExcludePassword) {
-                        $sql += "CREATE CREDENTIAL $quotename WITH IDENTITY = N'$identity', SECRET = N'<EnterStrongPasswordHere>'" + $cryptoSql
-                    } else {
-                        $password = $currentCred.Password.Replace("'", "''")
-                        $sql += "CREATE CREDENTIAL $quotename WITH IDENTITY = N'$identity', SECRET = N'$password'" + $cryptoSql
+            $sql = @()
 
+            foreach ($cred in $credentials) {
+                $quotename = $cred.Quotename
+                $identity = $cred.Identity.Replace("'", "''")
+                $password = $cred.Password.Replace("'", "''")
+                $cryptoSql = ""
+                if ($cred.MappedClassType -like 'Cryptographic*') {
+                    $providerName = $cred.ProviderName
+                    $cryptoSql = " FOR CRYPTOGRAPHIC PROVIDER $providerName"
+                }
+                $sql += "CREATE CREDENTIAL $quotename WITH IDENTITY = N'$identity', SECRET = N'$password'" + $cryptoSql
+            }
 
+            if ($Passthru) {
+                $sql
+            } else {
+                try {
+                    if ($Append) {
+                        Add-Content -Path $FilePath -Value $sql
+                    } else {
+                        Set-Content -Path $FilePath -Value $sql
                     }
-
-                    Write-Message -Level Verbose -Message "Created Script for $quotename"
+                    Get-ChildItem -Path $FilePath
+                } catch {
+                    Stop-Function -Message "Can't write to $FilePath" -ErrorRecord $_ -Continue
                 }
             }
 
-            try {
-                if ($Append) {
-                    Add-Content -Path $FilePath -Value $sql
-                } else {
-                    Set-Content -Path $FilePath -Value $sql
-                }
-            } catch {
-                Stop-Function -Message "Can't write to $FilePath" -ErrorRecord $_ -Continue
+            # Disconnect DAC connection if it was opened
+            if (-not $ExcludePassword) {
+                $null = $server | Disconnect-DbaInstance -WhatIf:$false
             }
-            Get-ChildItem -Path $FilePath
-            Write-Message -Level Verbose -Message "Credentials exported to $FilePath"
         }
     }
 }
diff --git a/public/Export-DbaInstance.ps1 b/public/Export-DbaInstance.ps1
@@ -264,7 +264,7 @@ function Export-DbaInstance {
             if ($Exclude -notcontains 'Credentials') {
                 Write-Message -Level Verbose -Message "Exporting SQL credentials"
                 Write-ProgressHelper -StepNumber ($stepCounter++) -Message "Exporting SQL credentials"
-                $null = Export-DbaCredential -SqlInstance $server -Credential $Credential -FilePath "$exportPath\credentials.sql" -ExcludePassword:$ExcludePassword
+                $null = Export-DbaCredential -SqlInstance $server -FilePath "$exportPath\credentials.sql" -ExcludePassword:$ExcludePassword
                 Get-ChildItem -ErrorAction Ignore -Path "$exportPath\credentials.sql"
             }
 
diff --git a/tests/Export-DbaCredential.Tests.ps1 b/tests/Export-DbaCredential.Tests.ps1
@@ -12,14 +12,13 @@ Describe $CommandName -Tag UnitTests {
             $expectedParameters = $TestConfig.CommonParameters
             $expectedParameters += @(
                 "SqlInstance",
-                "Identity",
                 "SqlCredential",
-                "Credential",
                 "Path",
                 "FilePath",
+                "Identity",
                 "ExcludePassword",
                 "Append",
-                "InputObject",
+                "Passthru",
                 "EnableException"
             )
             Compare-Object -ReferenceObject $expectedParameters -DifferenceObject $hasParameters | Should -BeNullOrEmpty

Original file line number	Diff line number	Diff line change
`@@ -264,7 +264,7 @@ function Export-DbaInstance {`
`264`	`264`	`if ($Exclude -notcontains 'Credentials') {`
`265`	`265`	`Write-Message -Level Verbose -Message "Exporting SQL credentials"`
`266`	`266`	`Write-ProgressHelper -StepNumber ($stepCounter++) -Message "Exporting SQL credentials"`
`267`		`- $null = Export-DbaCredential -SqlInstance $server -Credential $Credential -FilePath "$exportPath\credentials.sql" -ExcludePassword:$ExcludePassword`
	`267`	`+ $null = Export-DbaCredential -SqlInstance $server -FilePath "$exportPath\credentials.sql" -ExcludePassword:$ExcludePassword`
`268`	`268`	`Get-ChildItem -ErrorAction Ignore -Path "$exportPath\credentials.sql"`
`269`	`269`	`}`
`270`	`270`