This repository collects example custom launcher configurations for Delinea Secret Server, contributed by the Delinea Professional Services team. Each example shows how to wire up a third-party tool — RDP clients, terminal emulators, database tools, web browsers, etc. — to launch with credentials managed by Secret Server.
Important
No implied support. These examples are offered as-is for reference. They are not part of the supported Secret Server product, and Delinea provides no warranty or implied support for them. Test in a non-production environment before using.
Each subdirectory under Launchers/ covers one tool or scenario. A typical example documents:
- The Secret Server launcher configuration: process name, process arguments, and any non-default checkboxes (Run Process As Secret Credentials, Load User Profile, Use Operating System Shell, Wrap custom parameters with quotation marks).
- The associated secret template field mappings (Domain, Username, Password, plus any custom fields).
- Any helper scripts (PowerShell, batch, AutoIt) that need to be saved alongside.
To create a launcher in Secret Server:
- Sign in as a user with Administer Configuration permission.
- Go to Admin → Secret Templates → Configure Launchers (or search for Launchers).
- Click New (or Create) and copy the values from the relevant example below.
- Edit the secret template you want the launcher to apply to, click Configure Launcher, then Add New Launcher, and map the launcher's parameters to template fields.
See Creating Custom Launchers in the official Delinea documentation for the full set of fields on the launcher page.
Variable references like $USERNAME, $PASSWORD, $MACHINE, $DOMAIN, $URL, $PORT, etc. are Secret Server placeholders that are substituted from the secret at launch time. $user input (or Additional Prompt Field Name) prompts the user at launch.
Several launchers in this repo are Batch file launchers — Secret Server uploads a .bat you provide, then runs it with the secret's variables passed as positional arguments (%1, %2, …) at launch time. This is different from a Process launcher, which runs an existing .exe directly.
To create a batch file launcher in Secret Server (full reference: Creating Custom Launchers):
- Admin → Secret Templates → Launchers tab → Create.
- Set Launcher Type to Batch file.
- Give it a Launcher Name (e.g.
Batch Launcher - Mapped Drive). - Leave State as Enabled.
- Configure tracking/recording as needed (Track multiple windows, Record additional processes, Wrap custom parameters with quotation marks).
- Under Windows settings:
- Batch file: upload the
.batfrom the relevant launcher folder (e.g.Launchers/MappedDrives/netuse-letter.bat). - Process arguments: the positional arguments to pass to the
.bat, in order — these become%1,%2, … inside the script. Each launcher's README in this repo documents the expected order. Example:$USERNAME $MACHINE $NOTES $PRIVATEKEY $PRIVATEKEYPASSPHRASE. - Run process as secret credentials: usually No — the
.batalready pulls the creds via%1/%2/%3. - Use Operating System Shell: usually No.
- Batch file: upload the
- Click Save.
Then attach the launcher to a secret template under Configure Launcher on the template, and map each $variable in Process Arguments to the right secret field.
| Launcher | Bundled .bat |
|---|---|
| ACSiSeriesJava | launch-acs-iseries.bat |
| ACSLauncher | launch-acs-positional.bat |
| MappedDrives | netuse-letter.bat, netuse-path.bat |
| MobaXterm (SSH key auth) | mobaxterm-key.bat |
| RemoteApp | launch-remoteapp.bat |
| Launcher | Description |
|---|---|
| Dameware | DameWare Mini Remote Control (DWRCC); supports both direct and centralized-server modes. |
| RDP-RestrictedAdmin | RDP via mstsc /restrictedadmin for situations where the password must not be exposed to the destination. |
| RDTabs | Avian Waves RD Tabs launcher. |
| RemoteApp | Launch a single pre-approved RemoteApp on a destination instead of a full RDP session. |
| UltraVNC | UltraVNC vncviewer.exe launcher (paths for both UltraVNC and uvnc bvba installs). |
| Launcher | Description |
|---|---|
| Kitty | KiTTY (PuTTY fork) for telnet sessions that auto-submit credentials. |
| MobaXterm | MobaXterm SSH launchers — password auth and SSH-key auth (with REST call to fetch the private key). |
| PuTTY-X11Forwarding | The Protocol Handler's bundled PuTTY with -X enabled, for X11 forwarding (direct or proxied). |
| PuTTY-XmingRDS | XMing X server + PuTTY for RDS multi-user X11 forwarding (one X-server per user). |
| SecureCRT | VanDyke SecureCRT variants — using %localappdata% install and using SSH proxy. |
| ZOC | ZOC terminal launcher. Note: passwords cannot contain @. |
| Launcher | Description |
|---|---|
| AutoIT-SSMS-SqlAuth | Workaround for SSMS 18+ which dropped command-line auth — an AutoIt script types creds into the Connect to Server dialog. |
| Couchbase | Browser launcher with a per-cluster URL whitelist for Couchbase clusters. |
| HeidiSQL | HeidiSQL launcher for MySQL/MariaDB (adaptable to MSSQL, PostgreSQL, SQLite). |
| SQLPlus | Oracle SQL*Plus command-line launcher. |
| SQLServerManagementStudio | SSMS launchers for Domain, Windows-with-port, and SQL local user. |
| TOAD | Toad for Oracle launcher (Quest / Dell paths). |
| Launcher | Description |
|---|---|
| Chrome | Several Chrome variants: Incognito, launch as other user with URL prompt, multi-URL Web Password template, and launcher whitelisting. |
| Firefox-Incognito | Firefox in private-browsing mode with a prompted URL. |
| Launcher | Description |
|---|---|
| FileZilla | FileZilla SFTP launcher; includes the original variant and an updated 2021 version. |
| MappedDrives | Map a network drive using the secret's credentials, via PowerShell or a .bat file. |
| WinSCP | WinSCP launchers — private-key SCP variant and SFTP-with-SSH-proxy variant. |
| Launcher | Description |
|---|---|
| ActiveDirectoryUsersAndComputers | Launch the AD Users and Computers MMC snap-in (dsa.msc) as the secret's identity. Works for any MMC snap-in. |
| AzureMicrosoft365 | Connect to Azure AD via PowerShell using a credential built from the secret. Adaptable to other M365 modules. |
| LDP | Microsoft's LDP.exe LDAP/AD diagnostics tool — variants for %localappdata% and System32 installs. |
| MMC-RunMSC | Generic pattern for launching .msc consoles against a remote computer. |
| PowerShellPSSession | Enter-PSSession launcher for remote PowerShell against a Windows / AD secret. |
| Launcher | Description |
|---|---|
| ACSiSeriesJava | IBM Access Client Solutions (Java) launcher for connecting to iSeries / IBM i systems. |
| ACSLauncher | Alternate ACS launcher that takes parameters via CMD (uses %1/%2/%3/%4); supports an explicit IP address parameter. |
| TN5250 | tn5250 sourceforge installer-based launcher for AS/400. |
Built-in Secret Server variables (use UPPERCASE in process arguments):
| Variable | Source |
|---|---|
$USERNAME |
Secret's Username field |
$PASSWORD |
Secret's Password field |
$MACHINE |
Secret's Machine field (or computer name) |
$DOMAIN |
Secret's Domain field |
$HOST |
Secret's Host field (used by SSH-proxy templates) |
$URL |
Secret's URL field (web templates) |
$PORT |
Secret's Port field |
$NOTES |
Secret's Notes field |
$PRIVATEKEY / $PRIVATE KEY |
SSH private-key field on key-rotation templates |
$PRIVATEKEYPASSPHRASE |
Passphrase on the SSH private-key field |
$SECRETID |
Custom field convention used in this repo for the secret's numeric ID — must be added manually as a Text field on the template |
$SESSIONKEY |
Identifier the launcher passes to the launched process; can be used to anonymously check the secret back in via the CheckInSecretByKey API |
$user input |
Prompts the user at launch; configured via Additional Prompt Field Name |
Custom fields ($Server, $Database, $Path, $ShortName, …) |
Use PascalCase to match the field name on the secret template |
Variable names are case-insensitive in Secret Server, but matching the canonical case above keeps process-argument strings easier to read.
PRs welcome.
Each launcher folder needs:
- A
README.mddocumenting:- Launcher config table (Process Name / Process Arguments / non-default checkboxes).
- Template field mapping table (which secret field maps to each variable).
- Any prerequisites (registry settings, install paths, user permissions).
- Any helper scripts (
.ps1,.bat,.au3,.vbs) saved in the same folder, named with lowercase-with-hyphens, and referenced from the README. - A short link to the upstream tool's homepage on first mention (e.g. FileZilla).
When a folder covers multiple variants of the same tool (e.g. SSMS Domain / SQL local user, FileZilla original / 2021 update):
- Use sequential
## Variant N — Short labelheadings. - Keep field tables in the same column order across variants. List each launcher field in the same row even if the value differs (rather than omitting fields that are at default).
Do not include screenshots or other content with real internal hostnames, usernames, or domains. Replace identifying values with placeholders: EXAMPLE, CONTOSO, corp.example.com, <your-secret-server-host>, etc. The same applies to log paths, share names, and backup-host fields.
Test every launcher in a non-production Secret Server before submitting. Note tested versions (Secret Server release, target tool version) in a "Tested on" line if version compatibility matters.
This repository is published without an explicit license; all content is © Delinea unless otherwise noted. You may use these examples for reference and adaptation in your own Secret Server deployment.