PowerShell – Test User Credentials in AD with Password Reset

active-directorypowershell

I can successfully use Powershell to tell if a user authenticates in Active Directory:

Function Test-ADAuthentication {
    param($username,$password)
    (new-object directoryservices.directoryentry "",$username,$password).psbase.name -ne $null
}

Test-ADAuthentication "test" "Password1"

However, I cannot for the life of me figure out how to:

Check if the password needs to be reset, while
Verifying the credentials sent did work on their last password.

How could one go about this?

Best Answer

Credentials can be tested by running a process. An example below,

Start-Process -FilePath cmd.exe /c -Credential (Get-Credential -UserName $username -Message 'Test Credential')

Or simply:

Start-Process -FilePath cmd.exe /c -Credential (Get-Credential)

You will be presented with a prompt to enter a password. If you need read the password from a string (bad practice), you need to initialize the credential object beforehand. More details on that method can be found in the help.

Get-Help Get-Credential

Related Solutions

Powershell – Kill process, then uninstall application–Can I do this with PowerShell, over 400 computers, from a txt file

While this is technically possible, there's probably a better way to go about it.

And speaking of better ways to go about it, You could do this in a GPO with a few lines of code as a startup or shutdown script, which is how I handle this. With a few more lines of code you could log the results of checking for the presence of this thing and/or uninstalling it, which would undoubtedly be useful in your compliance efforts.

If a GPO-linked startup/shutdown script's not an option for whatever reason, I think I'd use PSExec to kill the process on a list of computers read in from file and then script the uninstall in an appropriate language. Seem to me that this is a lot easier in VB, for example.

a=WshShell.RegRead("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}\UninstallString")

If a<>"" Then

WshShell.Run(a&" /S"),1,True
i=i+1

end if

(Goodbye Google Toolbar, in that example which I wrote or copied a few years back. Copied, probably. I am rather lazy.)

Without debugging the PS script you copied, I'd point out that you might be running a different PS version, different PS modules installed/loaded and/or there might be some dependencies that your XP machines don't have in place that's causing problems.

Active Directory authentication rejected and the bad password count does not increment or reset

Do you have password history enabled? If the password entered matches either of the two last passwords for the account, the auth will be rejected but badPwdCount will not be incremented. I'm trying to wrap my head around the rest of your description, but that would at least explain the "missing" bad password increment.

EDIT

Rereading your question, it sounds like administratively resetting passwords always has positive results, correct? Also wondering what OS your PDCe is on (2003, 2008). Are there any firewalls potentially blocking access to the PDCe (or any other DCs for that matter)? Keep in mind that while end-user password changes communicated from the client to the local DC via the kpasswd protocol (TCP/464), PDCe notification of password changes are via an RPC call. The destination ports will have changed from 2003 to 2008.

Best Answer

Related Solutions

Powershell – Kill process, then uninstall application–Can I do this with PowerShell, over 400 computers, from a txt file

Active Directory authentication rejected and the bad password count does not increment or reset

EDIT

Related Topic