PowerShell can easily verify a password against a domain account. In other words, you can bind script logic to passwords maintained in Active Directory.

Here is the code required to send a password to AD and get back a Boolean value: $true if the password is correct, else $false:

# specify user name and user domain
$UserDomain = $env:USERDOMAIN
$UserName = $env:USERNAME
$Password = Read-Host -Prompt "Enter password to test"

# test password
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ContextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$PrincipalContext = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($ContextType, $UserDomain)
# returns $true if the password is correct, else $false
$PrincipalContext.ValidateCredentials($UserName, $Password)

Note that this code requires an Active Directory domain and does not work with local accounts. By default, it uses your current account details; adjust the $UserDomain, $UserName, and $Password variables accordingly. Note also that ValidateCredentials() takes the password as a clear-text string. Be careful: do not store clear-text passwords in scripts, and preferably do not ask users to enter passwords as clear text either.
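As an added example (not part of the original tip), here is a hardened wrapper around the same ValidateCredentials call: it takes a PSCredential instead of a clear-text string, uses ContextOptions.Negotiate, disposes the context, and reports an unreachable domain separately from a wrong password. The function name Test-ADCredential and the fields of the output object are my own choices.

```powershell
function Test-ADCredential {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential,

        [string]$UserDomain = $env:USERDOMAIN
    )

    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ContextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $PrincipalContext = $null
    try {
        $PrincipalContext = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($ContextType, $UserDomain)

        # The clear-text password exists only inside this expression, for the duration of the call.
        # ContextOptions.Negotiate authenticates with Kerberos/NTLM instead of an LDAP simple bind,
        # so the password itself is not sent over the wire.
        $valid = $PrincipalContext.ValidateCredentials(
            $Credential.UserName,
            $Credential.GetNetworkCredential().Password,
            [System.DirectoryServices.AccountManagement.ContextOptions]::Negotiate)

        # $false covers a wrong password as well as disabled, locked-out or expired accounts;
        # the API does not tell these cases apart.
        [pscustomobject]@{ User = $Credential.UserName; Domain = $UserDomain; Valid = $valid; Error = $null }
    }
    catch {
        # .NET exceptions arrive wrapped (MethodInvocationException); walk the chain to find
        # PrincipalServerDownException, which means no domain controller was reachable.
        $ex = $_.Exception
        $serverDown = $false
        while ($ex) {
            if ($ex -is [System.DirectoryServices.AccountManagement.PrincipalServerDownException]) { $serverDown = $true }
            $ex = $ex.InnerException
        }
        $reason = if ($serverDown) { "Domain '$UserDomain' not reachable" } else { $_.Exception.Message }
        [pscustomobject]@{ User = $Credential.UserName; Domain = $UserDomain; Valid = $false; Error = $reason }
    }
    finally {
        if ($PrincipalContext) { $PrincipalContext.Dispose() }
    }
}

# Usage: the password never lands in a clear-text variable of the calling script
# Test-ADCredential -Credential (Get-Credential -UserName $env:USERNAME -Message 'Enter the password to test')
```

Every $false result is a failed logon recorded on the domain controller and counted against the account's lockout threshold, so keep this to single interactive checks.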

Your learning points:

  • PowerShell can easily connect to Active Directory and ask for a password validation



  • Here is the whole thing as a function with username and domain as optional parameters. The username will be asked for with Get-Credential, which saves the password as a SecureString instead of plain text. Later it gets converted to plain text again, but only for direct hand-over to the ValidateCredentials method:

    function Test-ADPassword {
        param (
            [string]$UserDomain = $env:USERDOMAIN,
            [string]$SamAccountName = $env:USERNAME
        )

        # Get-Credential stores the password as a SecureString, not as plain text
        $cred = Get-Credential -UserName $SamAccountName -Message 'Enter the password you want to test...'
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $ContextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
        $PrincipalContext = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($ContextType, $UserDomain)
        # converted back to plain text only at the moment it is handed to ValidateCredentials
        $PrincipalContext.ValidateCredentials($cred.UserName, $cred.GetNetworkCredential().Password)
    }