Marc Lognoul's IT Infrastructure Blog

Cloudy with a Chance of On-Prem

Validating Domain, Local or AD LDS Credentials using PowerShell



Hi there. When automating installation and configuration using PowerShell, you may have to push configuration containing credentials. It is therefore useful to verify that they are correct before actually applying them.

PowerShell 2.0 and .NET 3.5 to the rescue: the assembly System.DirectoryServices.AccountManagement exposes exactly this functionality. Here is how:

Load the assembly:

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

Create a context type. It can be a domain, a machine (local or remote) or an AD LDS (aka ADAM) instance:

$MyContextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain

Create a principal context. The principal context binds the context type to the name of the directory you will validate credentials against. In this case, an AD domain:

$MyPrincipalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($MyContextType, "massivedynamic.local")

And finally, execute the ValidateCredentials method, providing username and password. Note: in the case of domain credentials, as long as the appropriate trust is in place, you can validate the credentials of a user belonging to domain A against domain B; in other words, B must trust A. In return you get a Boolean:

# Down-level logon name (DOMAIN\user)
$ValidCredentials = $MyPrincipalContext.ValidateCredentials("MASSIVEDYNAMIC\WBELL", "Azerty1")

Sure, it also works with UPNs:

$ValidCredentials = $MyPrincipalContext.ValidateCredentials("william.bell@massivedynamic.local", "Azerty1")

A warning though: validating credentials is actually performed through a network logon. If the user account is valid but the password is wrong, the bad password count in AD or in the local SAM database is incremented. As you would expect, if an account lockout policy applies, too many attempts will lock out the account.
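The steps above wrapped into a single reusable function, as an added example that is not part of the original post. It takes a PSCredential so the password is not embedded in the script, supports all three context types, disposes the principal context, and, because every call is a real network logon that counts against the lockout policy, can first check whether the account is already locked out through UserPrincipal.FindByIdentity and IsAccountLockedOut() from the same assembly. The function name Test-DirectoryCredential, the parameter names and the sample domain and account are assumptions for illustration.

```powershell
# Added example, not code from the original post. Test-DirectoryCredential and
# the sample domain/account names are assumptions for illustration.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DirectoryCredential {
    [CmdletBinding()]
    param(
        # Credential to validate; prompt for it rather than hard-coding a password
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential,

        # Domain, Machine (local or remote SAM) or ApplicationDirectory (AD LDS / ADAM)
        [ValidateSet('Domain', 'Machine', 'ApplicationDirectory')]
        [string]$ContextType = 'Domain',

        # Domain name, computer name, or AD LDS "server:port"
        [Parameter(Mandatory = $true)]
        [string]$Name,

        # Container DN; needed for AD LDS (the application partition holding the users)
        [string]$Container,

        # Do not attempt the logon when the account is already locked out, so a
        # wrong password in the pushed configuration does not make things worse
        [switch]$SkipIfLockedOut
    )

    $type = [System.DirectoryServices.AccountManagement.ContextType]$ContextType
    if ($Container) {
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($type, $Name, $Container)
    } else {
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($type, $Name)
    }

    try {
        # GetNetworkCredential() splits "DOMAIN\user" into Domain and UserName;
        # a UPN is left intact in UserName, which FindByIdentity also accepts.
        $netCred = $Credential.GetNetworkCredential()

        if ($SkipIfLockedOut) {
            $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $netCred.UserName)
            if ($user -ne $null -and $user.IsAccountLockedOut()) {
                Write-Warning ("{0} is locked out (BadLogonCount={1}); validation skipped." -f $Credential.UserName, $user.BadLogonCount)
                return $false
            }
        }

        # ValidateCredentials performs a network logon; a wrong password
        # increments the bad password count on the DC or in the local SAM.
        return $ctx.ValidateCredentials($Credential.UserName, $netCred.Password)
    }
    finally {
        $ctx.Dispose()
    }
}

# Usage: the password is entered interactively, never stored in the script.
$cred = Get-Credential 'MASSIVEDYNAMIC\WBELL'
Test-DirectoryCredential -Credential $cred -ContextType Domain -Name 'massivedynamic.local' -SkipIfLockedOut
```

For a local account, call it with -ContextType Machine -Name $env:COMPUTERNAME; for AD LDS, pass -ContextType ApplicationDirectory with the server:port in -Name and the users' partition DN in -Container. The lockout pre-check only costs one directory lookup, which is cheap compared to a locked-out service account discovered during a deployment.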

My colleague Bert VL (a PoSh scripting goldsmith of sorts; check his blog) has tracked this using the good old Account Lockout Tools from the Windows Server 2003 Resource Kit.

[Screenshot: Bad Password Count]

Author: Marc L

Relentless cloud professional. Restless rider. Happy husband. Proud father. Opinions are my own.
