Marc Lognoul's IT Infrastructure Blog

Cloudy with a Chance of On-Prem

Validating Domain, Local or AD LDS Credentials using PowerShell


Powershell

Hi there. When automating installation and configuration with PowerShell, you may have to push configuration that contains credentials. It is therefore useful to check that they are correct before actually applying them.

PowerShell 2.0 and .NET 3.5 to the rescue: the assembly System.DirectoryServices.AccountManagement exposes exactly this functionality. Here is how to do it:

Load the assembly:

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

Create a context type. It can be a domain, a machine (local or remote) or an AD LDS (aka ADAM) instance:

$MyContextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain

Create a principal context. A principal context combines the context type with the name of the store you will validate credentials against. In this case, an AD domain:

$MyPrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($MyContextType, "massivedynamic.local")

And finally, execute the ValidateCredentials method, providing the username and password. Note: for domain credentials, as long as the appropriate trust is in place, you can validate the credentials of a user belonging to domain A against domain B, provided B trusts A. In return you get a Boolean:

$ValidCredentials = $MyPrincipalContext.ValidateCredentials("MASSIVEDYNAMIC\WBELL", "Azerty1")

Sure, it also works with UPNs:

$ValidCredentials = $MyPrincipalContext.ValidateCredentials("william.bell@massivedynamic.local", "Azerty1")

A warning though: validating credentials is actually performed through a network logon. If the user account is valid but its password is wrong, the bad password count in AD or in the local SAM database will be incremented. As you can guess, if an account lockout policy applies, too many attempts will lock out the account…
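To put the steps above together with that warning in mind, here is an added example (my own wrapper, not code from the original post): it takes a PSCredential so the password never sits in plaintext in the script, supports the domain, machine and AD LDS (ApplicationDirectory) context types, and skips the logon attempt when the account is already locked out so the bad password count is not pushed further. The function name and the sample domain/server values are assumptions for illustration.

```powershell
# Added example: reusable credential check around PrincipalContext.ValidateCredentials.
# Function name and sample values are illustrative assumptions.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-AccountCredential {
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential,      # from Get-Credential
        [ValidateSet('Domain', 'Machine', 'ApplicationDirectory')]
        [string]$ContextType = 'Domain',
        [string]$Name = $null,        # domain name, machine name, or AD LDS server:port
        [string]$Container = $null    # AD LDS only: partition DN, e.g. "DC=fabrikam,DC=com"
    )
    $ns   = 'System.DirectoryServices.AccountManagement'
    $type = [System.DirectoryServices.AccountManagement.ContextType]$ContextType

    # AD LDS needs the partition container; domain and machine contexts only need a name
    $args = if ($ContextType -eq 'ApplicationDirectory') { @($type, $Name, $Container) } else { @($type, $Name) }
    try   { $ctx = New-Object -TypeName "$ns.PrincipalContext" -ArgumentList $args }
    catch { throw "Cannot bind to $ContextType context '$Name': $_" }

    try {
        # Pre-check: a locked-out account fails validation even with the right password,
        # and a wrong password would only extend the lockout. Lookup may return $null
        # (e.g. DOMAIN\user form is not an IdentityType), in which case we just proceed.
        $user = $null
        try { $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $Credential.UserName) } catch { }
        if ($user -and $user.IsAccountLockedOut()) {
            Write-Warning "$($Credential.UserName) is locked out (BadLogonCount=$($user.BadLogonCount)); not attempting logon"
            return $false
        }

        # Single network logon; this is the call that increments the bad password count on failure
        $plain = $Credential.GetNetworkCredential().Password
        return $ctx.ValidateCredentials($Credential.UserName, $plain)
    }
    finally {
        $ctx.Dispose()
    }
}

# Usage (interactive prompt, so no password is stored in the script):
# Test-AccountCredential -Credential (Get-Credential) -Name 'massivedynamic.local'
# Test-AccountCredential -Credential (Get-Credential) -ContextType Machine -Name $env:COMPUTERNAME
# Test-AccountCredential -Credential (Get-Credential) -ContextType ApplicationDirectory -Name 'adlds01:50000' -Container 'DC=fabrikam,DC=com'
```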

My colleague Bert VL (a PoSh scripting goldsmith of sorts, check his blog) has tracked this using the good old Account Lockout Tools from the Windows Server 2003 Resource Kit: http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx.

Bad Password Count

More info:

Marc


Author: Marc Lognoul

Relentless cloud professional. Restless rider. Happy husband. Proud father. Opinions are my own.
