In WinXP (SP2) you can store mapped network passwords...

Start->Control Panel->User Accounts->Pick one then choose "Manage my network passwords" from Related Tasks.

I normally have about 25-30 servers mapped this way to a few different accounts/domains. The problem is that at some point during our policy updates they get wiped out and it's a real PITA to add them all back again.

Does anyone know how to add them programmatically using some sort of script?

Just to clarify, the end goal is not to map drives, it's to actually create the entries in that section. This allows us to use Windows authentication for connecting to our servers (via Dameware, SSMS etc.).

Addendum:

Mark's CredWrite tip led me here...

pinvoke.net -- CredWrite (advapi32)

Which in turn led me here...

Peer Channel Blog -- Application Password Security

Both have proved very helpful.

+1  A: 

NET USE (command) and WshNetwork.MapNetworkDrive (Windows Scripting Host) are two common ways of scripting the mapping of network drives; both allow you to specify user and password.
I don't know how this would work/not work with stored passwords as you said other than knowing that if you leave the user option blank it will attempt to use the credentials of the current user.

dave
+2  A: 
  • cmdkey.exe is the CLI version of the tool - but I believe it's only included on Win2003+. I'd suspect a copy to XP would work - but may violate your EULA.
  • net use also has a savecred option, if you're mapping drives
  • According to this fairly detailed info, the CredMgr stores its database in 2 locations. It may be enough to just back up these files:
    • %APPDATA%\Microsoft\Credentials\%UserSID%\Credentials
    • %USERPROFILE%\Local Settings\Application Data\Microsoft\Credentials\%UserSID%\Credentials
  • There's an API to read the credentials, CredEnumerate - but no immediate obvious way to add your own. A couple of candidates:
    • CredWrite takes a normal CREDENTIAL, but nothing to indicate storing past the current session.
    • CredUIStoreSSOCredW takes a bPersist parameter - but specifies a "realm" instead of a server or network location.

Edit: D'oh. I missed the PERSIST member of CREDENTIAL. It can be one of the following values:

  • CRED_PERSIST_SESSION: The credential persists for the life of the logon session. It will not be visible to other logon sessions of this same user. It will not exist after this user logs off and back on.
  • CRED_PERSIST_LOCAL_MACHINE: The credential persists for all subsequent logon sessions on this same computer. It is visible to other logon sessions of this same user on this same computer and not visible to logon sessions for this user on other computers. (This is what's stored into the Local Settings file)
  • CRED_PERSIST_ENTERPRISE: The credential persists for all subsequent logon sessions on this same computer. It is visible to other logon sessions of this same user on this same computer and to logon sessions for this user on other computers. This option can be implemented as locally persisted credential if the administrator or user configures the user account to not have roam-able state. For instance, if the user has no roaming profile, the credential will only persist locally. (This is what's stored into AppData)

It looks like CredWrite is the API you want.

Mark Brackett
Thanks for the detailed response! Backing up files didn't work, do you have a link for CredWrite?
Sean Gough
Oops - fixed CredWrite link
Mark Brackett
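
The CredWrite approach this answer arrives at, as an added example that is not part of the original thread: a PowerShell script that calls CredWrite through P/Invoke to recreate "Manage my network passwords" entries with CRED_PERSIST_ENTERPRISE. It assumes PowerShell 2.0 or later (for Add-Type) and CRED_TYPE_DOMAIN_PASSWORD as the credential type; the `Native.CredMan` wrapper, its `Save` helper and the server names are hypothetical names made up for illustration.

```powershell
# Added example. Assumes PowerShell 2.0+ (Add-Type); server names are constructed.
Add-Type -Namespace Native -Name CredMan -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct CREDENTIAL {
    public uint Flags;
    public uint Type;
    public string TargetName;
    public string Comment;
    public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
    public uint CredentialBlobSize;
    public IntPtr CredentialBlob;
    public uint Persist;
    public uint AttributeCount;
    public IntPtr Attributes;
    public string TargetAlias;
    public string UserName;
}
[DllImport("advapi32.dll", EntryPoint = "CredWriteW", CharSet = CharSet.Unicode, SetLastError = true)]
static extern bool CredWrite(ref CREDENTIAL credential, uint flags);
// Hypothetical helper: returns 0 on success, otherwise the Win32 error code.
public static int Save(string target, string user, string password, uint persist) {
    byte[] blob = System.Text.Encoding.Unicode.GetBytes(password);
    CREDENTIAL c = new CREDENTIAL();
    c.Type = 2;                        // CRED_TYPE_DOMAIN_PASSWORD
    c.Persist = persist;
    c.TargetName = target;
    c.UserName = user;
    c.CredentialBlobSize = (uint)blob.Length;   // size in bytes, no trailing NUL
    c.CredentialBlob = Marshal.AllocHGlobal(blob.Length);
    try {
        Marshal.Copy(blob, 0, c.CredentialBlob, blob.Length);
        return CredWrite(ref c, 0) ? 0 : Marshal.GetLastWin32Error();
    } finally {
        // Wipe the unmanaged and managed copies of the password bytes.
        for (int i = 0; i < blob.Length; i++) Marshal.WriteByte(c.CredentialBlob, i, 0);
        Marshal.FreeHGlobal(c.CredentialBlob);
        System.Array.Clear(blob, 0, blob.Length);
    }
}
'@
$CRED_PERSIST_ENTERPRISE = 3           # persists across logon sessions
$servers = 'sql01.example.test', 'sql02.example.test'   # constructed names
$login = Get-Credential                # prompt once; no password lives in the script
$pw = $login.GetNetworkCredential().Password
foreach ($server in $servers) {
    $err = [Native.CredMan]::Save($server, $login.UserName, $pw, $CRED_PERSIST_ENTERPRISE)
    if ($err -ne 0) { Write-Warning "CredWrite failed for $server (Win32 error $err)" }
}
```

Prompting with Get-Credential keeps the password out of the script file and off any command line, which a `cmdkey` or `net use` loop with an inline password would not.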