Export-DbaCredential

Synopsis

Exports SQL Server credentials to executable T-SQL CREATE CREDENTIAL scripts

Description

Exports SQL Server credentials to T-SQL files containing CREATE CREDENTIAL statements that can recreate the credentials on another instance. By default, this includes decrypted passwords, making it perfect for migration scenarios where you need to move credentials between servers.

The function generates executable T-SQL scripts that DBAs can run to recreate credentials during migrations, disaster recovery, or when setting up new environments. When passwords are included, the function requires sysadmin privileges and remote Windows registry access to decrypt the stored secrets.

Use the ExcludePassword parameter to export credential definitions without sensitive data for documentation or security-conscious scenarios.

Syntax

Export-DbaCredential
    [[-SqlInstance] <DbaInstanceParameter[]>]
    [[-Identity] <String[]>]
    [[-SqlCredential] <PSCredential>]
    [[-Credential] <PSCredential>]
    [[-Path] <String>]
    [[-FilePath] <String>]
    [-ExcludePassword]
    [-Append]
    [[-InputObject] <Credential[]>]
    [-EnableException]
    [<CommonParameters>]

Examples

Example: 1

PS C:\> Export-DbaCredential -SqlInstance sql2017 -Path C:\temp\cred.sql

Exports credentials, including passwords, from sql2017 to the file C:\temp\cred.sql

Optional Parameters

-SqlInstance

The target SQL Server instance or instances.

-Identity

Specifies which credential names to export by filtering on the Identity property. Accepts an array of credential names.
Use this to export specific credentials instead of all credentials, particularly useful when migrating only certain application or service accounts.

-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

-Credential

Login to the target OS using alternative credentials. Accepts credential objects (Get-Credential)

-Path

Specifies the directory where the exported T-SQL script file will be saved. Defaults to the configured DbatoolsExport path.
Use this when you want to control where credential scripts are stored for organization or compliance requirements.

-FilePath

Specifies the complete file path and name for the exported T-SQL script. Overrides the Path parameter when specified.
Use this when you need precise control over the output file name and location, especially for automated processes.

-ExcludePassword

Exports credential definitions without the actual password values, replacing them with placeholder text.
Use this for documentation purposes or when you need credential structure without sensitive data for security reviews.

-Append

Adds the exported credential scripts to an existing file instead of overwriting it.
Use this when consolidating credentials from multiple instances into a single deployment script.

-InputObject

Accepts credential objects piped from Get-DbaCredential, allowing for advanced filtering and processing scenarios.
Use this in pipeline operations when you need to filter or process credentials before exporting them.

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.