Functions/Test-Password.ps1
|
function Test-Password { <# .SYNOPSIS To validate credentials and return a boolean .DESCRIPTION To validate credentials and return a boolean. Can specify either a credential or username and securestring. Default ParameterSetName 'Credential' .PARAMETER Domain Where the credential is being checked against. Either ('.' or $env:computername) or (domainname with or without .com) .PARAMETER Credential Credential ParameterSetName 'Credential' .PARAMETER UserName The username to check. ParameterSetName 'SecureString' .PARAMETER Password The password passed as a securestring. ParameterSetName 'SecureString' .EXAMPLE Test-Password -Domain contosco.com -Credential $GoodCredential $true .EXAMPLE Test-Password -Domain contosco.com -Credential $BadCredential $false .EXAMPLE Test-Password -UserName $username -Password $goodpassword -Domain contosco True .EXAMPLE Test-Password -UserName $username -Password $badpassword -Domain contosco False .EXAMPLE Test-Password -Credential $LocalCred -Domain '.' True .EXAMPLE Test-Password -UserName $localuser -Password $localpassword -Domain '.' True .NOTES # inspired by https://community.idera.com/database-tools/powershell/powertips/b/tips/posts/validating-user-account-passwords-part-2 # extra code to fix .ValidateCredentials error https://stackoverflow.com/questions/46170531/exception-in-validatecredentials-the-server-cannot-handle-directory-requests#comment95679386_46172068 * added code to allow domain to be specified as '.' aka the local machine * added parameter set names to allow for either a credential to be passed or a combination username / password (as a securestring) #> #region parameter [CmdletBinding(DefaultParameterSetName='Credential', ConfirmImpact = 'Medium')] [OutputType('bool')] Param ( [Parameter(Mandatory, ParameterSetName = 'SecureString')] [Parameter(Mandatory, ParameterSetName = 'Credential')] [string] $Domain, [Parameter(Mandatory, ParameterSetName = 'SecureString')] [string] $UserName, [Parameter(Mandatory, ParameterSetName = 'SecureString')] [securestring] $Password, [Parameter(Mandatory, ParameterSetName = 'Credential')] [pscredential] $Credential ) #endregion parameter begin { Write-Verbose -Message "Starting [$($MyInvocation.Mycommand)]" Write-Verbose -Message "ParameterSetName [$($PsCmdlet.ParameterSetName)]" Add-Type -AssemblyName System.DirectoryServices.AccountManagement $LocalSystem = Get-CimInstance -Class Win32_ComputerSystem -Verbose:$false } process { if ($PsCmdlet.ParameterSetName -eq 'Credential') { $UserName = $Credential.GetNetworkCredential().UserName $PlainPassword = $Credential.GetNetworkCredential().Password } else { $PlainPassword = Convert-SecureStringToString -SecureString $Password -Verbose:$false } if (($Domain -eq '.') -or ($Domain -match "^$($LocalSystem.Name)\.?")) { Write-Verbose -Message 'Local query' # $Type = 'local' if ($Domain -eq '.') { Write-Verbose -Message "Changing -Domain to [$($env:COMPUTERNAME)]" $Domain = $env:COMPUTERNAME } $Context = [System.DirectoryServices.AccountManagement.ContextType]::Machine $PrincipalContext = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($Context, $Domain) $PrincipalContext.ValidateCredentials($UserName, $PlainPassword) } else { Write-Verbose -Message 'Domain query' # $Type = 'domain' $Context = [System.DirectoryServices.AccountManagement.ContextType]::Domain $DefaultNC = "DC=$($LocalSystem.Domain.replace('.', ',DC='))" $PrincipalContext = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -Argumentlist $Context, $LocalSystem.Domain, $DefaultNC, ([System.DirectoryServices.AccountManagement.ContextOptions]'SecureSocketLayer,Negotiate') $PrincipalContext.ValidateCredentials($UserName, $PlainPassword, [System.DirectoryServices.AccountManagement.ContextOptions]'Negotiate') } } end { # i want to ensure the plain password is not kept in memory so setting to random string before removing it $PlainPassword = 'randomstring' Remove-Variable -Name PlainPassword Write-Verbose -Message "Ending [$($MyInvocation.Mycommand)]" } } |