Test password
Sometimes it is useful to test Active Directory credentials to validate a login or a password, for example after the bulk creation of users.
The most common way to do this is to connect to a remote desktop (RDP) or to a webmail. However, the number of logins to test may be too large for that, or no such service may be reachable to try an authentication against.
PowerShell to the rescue
The script was tested with NTLM authentication using domain\sAMAccountName.
Kerberos authentication was not tested.
These methods may not work for users in the Protected Users group or if NTLM is disabled.
PowerShell allows you to test login / password authentication against Active Directory using one of these two methods:
$userName = 'xxxx'
$password = 'yyyy'
Function Test-ADAuthentication {
    param(
        $username,
        $password)
    # Bind to the default naming context with the supplied credentials; the bind
    # only happens when a property is read. A successful bind yields a non-null
    # name (TRUE), a failed logon yields $null (FALSE).
    (New-Object DirectoryServices.DirectoryEntry "",$username,$password).psbase.name -ne $null
}
Test-ADAuthentication -username $UserName -password $password
or an advanced function if you need to test against another AD domain:
function Test-ADAuthentication {
    Param(
        [Parameter(Mandatory)]
        [string]$User,
        [Parameter(Mandatory)]
        $Password,
        [Parameter(Mandatory = $false)]
        [string]$Server,
        [Parameter(Mandatory = $false)]
        [string]$Domain = $env:USERDOMAIN
    )
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    # The second PrincipalContext constructor argument is the name of the domain
    # or of a specific domain controller; a server name replaces the domain name.
    $name = if ([string]::IsNullOrEmpty($Server)) { $Domain } else { $Server }
    try {
        $principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $contextType, $name -ErrorAction Stop
    }
    catch {
        Write-Warning "$Domain\$User - cannot bind to '$name': $($_.Exception.Message)"
        return
    }
    try {
        # ValidateCredentials performs the actual logon attempt (NTLM here)
        if ($principalContext.ValidateCredentials($User, $Password)) {
            Write-Host -ForegroundColor green "$Domain\$User - AD Authentication OK"
        }
        else {
            Write-Warning "$Domain\$User - AD Authentication failed"
        }
    }
    catch {
        # Unreachable server, disabled NTLM, etc. surface here rather than as a bad password
        Write-Warning "$Domain\$User - validation error: $($_.Exception.Message)"
    }
    finally {
        $principalContext.Dispose()
    }
}
#Test-ADAuthentication -User toto -Password passXX
#Test-ADAuthentication -User toto -Password passXX -Server xxx.domain.com
The return values are:
- TRUE if authentication is successful
- FALSE if authentication failed. The reason can be:
  - bad login. Check that the AD user exists
  - bad password
  - locked out AD account:
    Get-ADUser -Identity xxx -Properties LockedOut,AccountLockoutTime | Select samaccountname,LockedOut,AccountLockoutTime
  - disabled AD account:
    Get-ADUser -Identity xxxx | Select samaccountname,Enabled
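The following is an added example, not part of the original post: it validates a whole batch of freshly created accounts and reports the reason for each failure using the checks listed above. It assumes the ActiveDirectory module (Get-ADUser) is available, that the input has sAMAccountName and Password columns, and uses a constructed sample instead of a real CSV.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and an input list with sAMAccountName and Password columns.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-ADCredentialBatch {
    param(
        [Parameter(Mandatory)][object[]]$Accounts,
        [string]$Domain = $env:USERDOMAIN
    )
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    foreach ($acct in $Accounts) {
        $sam = $acct.sAMAccountName
        $reason = $null
        # Look the account up first so a failure can be explained, and so that
        # no logon is attempted against an account that is disabled or already
        # locked out (each failed attempt counts toward the lockout threshold).
        $adUser = Get-ADUser -Filter "sAMAccountName -eq '$sam'" `
                             -Properties LockedOut, AccountLockoutTime -ErrorAction SilentlyContinue
        if ($null -eq $adUser)        { $reason = 'user not found (bad login)' }
        elseif (-not $adUser.Enabled) { $reason = 'account disabled' }
        elseif ($adUser.LockedOut)    { $reason = "locked out since $($adUser.AccountLockoutTime)" }
        elseif (-not $ctx.ValidateCredentials($sam, $acct.Password)) {
            $reason = 'bad password'
        }
        [pscustomobject]@{
            User   = "$Domain\$sam"
            Result = if ($null -eq $reason) { 'OK' } else { 'FAILED' }
            Reason = $reason
        }
    }
    $ctx.Dispose()
}

# Constructed sample input; in practice use Import-Csv on the bulk-creation file.
$sample = @'
sAMAccountName,Password
alice,CorrectHorseBatteryStaple1
bob,WrongPassword
'@ | ConvertFrom-Csv

Test-ADCredentialBatch -Accounts $sample | Format-Table -AutoSize
```

Accounts reported as locked out or disabled are never tried, so the run itself cannot push an account over the lockout threshold.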