# I hope I'm placing this in the correct forum/format. I searched (in vain) all over the communities for a way to do this.
# There were lots of others looking also (with no answers), so I wanted to share now that I finally have it working
# The following PS preCreate script will set the user object password utilizing a secure string.
# This is useful if multiple user objects will be created with the same password, but the password should not be visible in clear text.
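function onPreCreate($Request)
{
    # Pre-create handler: sets the password of a new user object from a protected
    # string kept in pwd.txt, so the clear-text password does not appear in this script.
    #
    # $Request - the pending create request. Requests whose Class is not "user" are
    #            left untouched.
    #
    # The protected string can only be decrypted by the account that produced it, so
    # this handler has to run as that same account.
    if ($Request.Class -ne "user") { return }

    # pwd.txt contains ConvertFrom-SecureString output, not clear text.
    # -ErrorAction Stop: if the file cannot be read or decrypted, fail here rather than
    # carry on and write an empty value into edsaPassword.
    # The local is not called $pwd, which is PowerShell's automatic current-location variable.
    $protectedText = Get-Content \\ServerName\ShareName\pwd.txt -ErrorAction Stop
    $securePassword = ConvertTo-SecureString -String $protectedText -ErrorAction Stop

    # edsaPassword takes a plain string, so the secure string has to be unwrapped.
    # SecureStringToBSTR allocates an unmanaged clear-text copy that the garbage
    # collector never reclaims; it must be wiped and released explicitly.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
    try
    {
        # PtrToStringBSTR is the reader that matches a BSTR allocation.
        # The resulting managed string is still clear text in memory until collected.
        $Request.Put("edsaPassword", [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
    }
    finally
    {
        # Zero the unmanaged buffer and free it even if Put() throws.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}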
# IMPORTANT: The ConvertTo-SecureString cmdlet encrypts data using the Windows standard Data Protection API. This ensures that only the
# user account which creates a secure string can properly decrypt its contents. For our purposes, this means one must create pwd.txt
# using the ActiveRoles Server service account. If one does not have the service account password, a workaround is to use a preCreate
# script to create pwd.txt. This only needs to be done once. Pwd.txt can then be used going forward, and the script containing the clear text password erased.
# Example:
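# One-time setup: writes the protected form of the password to pwd.txt.
# ConvertFrom-SecureString without -Key/-SecureKey protects its output with the Windows
# Data Protection API, so the file is only usable by the account that runs these two
# lines; run them as the account that will later read the file.
# The variable is named $securePassword rather than $pwd, which is PowerShell's
# automatic current-location variable.
# The literal below is clear text: remove it from the script once pwd.txt exists.
$securePassword = "P@ssw0rd1!" | ConvertTo-SecureString -AsPlainText -Force
$securePassword | ConvertFrom-SecureString | Out-File \\ServerName\ShareName\pwd.txt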