PowerShell can easily verify a password against a domain account. In other words, you can bind script logic to passwords maintained in Active Directory.

Here is the code required to send a password to AD and get back a Boolean value: $true if the password is correct, else $false:

# specify user name and user domain (defaults to the account running the script)
$UserDomain = $env:USERDOMAIN
$UserName = $env:USERNAME
$Password = Read-Host -Prompt "Enter password to test"

# test password: load the AccountManagement assembly, bind to the domain,
# and let the domain controller decide whether the credentials are valid
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ContextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$PrincipalContext = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($ContextType, $UserDomain)
# returns $true when the password is correct, otherwise $false
$PrincipalContext.ValidateCredentials($UserName, $Password)

Note that this code requires an Active Directory domain and does not work with local accounts. By default, it uses your current account details. Adjust the $UserDomain, $UserName, and $Password variables accordingly. Note also that ValidateCredentials() checks clear-text string passwords. Be careful and do not store clear-text passwords in scripts. It is also better not to ask users to enter passwords as clear text.
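The following function is an added example, not code from the tip above. It keeps the same ValidateCredentials() check but takes the password as a SecureString (collected with Read-Host -AsSecureString so it never echoes to the console or lands in the command history), decrypts it into unmanaged memory only for the call, wipes that copy afterwards, and disposes of the directory connection. The function name Test-DomainPassword and its parameters are this example's own. Keep in mind that every call is a real logon attempt against a domain controller: a wrong password counts toward the account lockout threshold and shows up in the DC's logon auditing, so a script that loops over guesses will lock the account out and alert whoever watches those logs.

```powershell
# Added example (not part of the original tip): validate a domain password without
# holding it as a plain-text string any longer than ValidateCredentials() requires.
# Assumes a domain-joined machine and an account given by its sAMAccountName.
function Test-DomainPassword {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [string]$SamAccountName,

        [Parameter(Mandatory)]
        [System.Security.SecureString]$Password,

        [string]$Domain = $env:USERDOMAIN
    )

    Add-Type -AssemblyName System.DirectoryServices.AccountManagement

    $contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $context = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($contextType, $Domain)
    $bstr = [IntPtr]::Zero
    try {
        # Decrypt the SecureString into an unmanaged BSTR only for the duration of the check.
        $bstr  = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

        # Negotiate lets the domain controller use Kerberos where it can and fall back to NTLM.
        $options = [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate

        # $true when the password is correct, $false otherwise (wrong password, unknown account).
        return $context.ValidateCredentials($SamAccountName, $plain, $options)
    }
    finally {
        # Zero and free the unmanaged copy. The managed $plain string cannot be wiped
        # in place and lives until the garbage collector reclaims it, so this shortens
        # exposure rather than eliminating it.
        if ($bstr -ne [IntPtr]::Zero) {
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
        $context.Dispose()
    }
}

# Usage: prompt without echo, then test the current user's password.
$secure = Read-Host -Prompt 'Enter password to test' -AsSecureString
Test-DomainPassword -SamAccountName $env:USERNAME -Password $secure
```

Because the function returns a Boolean, it slots into an if statement the same way the one-liner in the tip does; the difference is only in how the password travels from the prompt to the domain controller.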

Your learning points:

  • PowerShell can easily connect to Active Directory and ask for a password validation


Comment
  • Here is the whole thing as a function with username and domain as optional parameters. The username will be asked for with Get-Credential, which saves the password as a SecureString instead of plain text. Later it gets converted to plain text again, but only for direct hand-over to the ValidateCredentials method:

    function Test-ADPassword {
        param (
            [Parameter()]
            [string]$SamAccountName,
            [string]$UserDomain = $env:USERDOMAIN
        )

        # Get-Credential keeps the password as a SecureString until it is needed
        $cred = Get-Credential -UserName $SamAccountName -Message 'Enter the password you want to test...'
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $ContextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
        # $UserDomain comes from the parameter (defaults to the current domain) and is not overwritten here
        $PrincipalContext = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($ContextType, $UserDomain)
        # the password is only converted to plain text for this single call
        $PrincipalContext.ValidateCredentials($cred.UserName, $cred.GetNetworkCredential().Password)
    }