Steve

Reputation: 229

Powershell To Check Local Admin Credentials

I'm trying to run a script that requires Administrator input in order to process certain things. Rather than have the script run unsuccessfully, I'm trying to trap the error and throw it back into the Credentials prompt, but I can't find a command I can pass Local Admin Credentials to from within a Trap. Does anyone have anything that might work?

I've found MANY that will check domain credentials, but this is a LOCAL Admin account.

To clarify, I am using:

$Cred = Get-Credential

I need to verify the output from that is correct and has Admin access to run stuff further down in the script.

Working Solution (Thanks to User978511)

$Cred = Get-Credential
# GetNetworkCredential() strips any "COMPUTER\" or ".\" prefix typed at the prompt,
# so the plain account name can be passed to the Machine (local SAM) context
$User = $Cred.GetNetworkCredential().UserName
$Pass = $Cred.GetNetworkCredential().Password

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
# ValidateCredentials returns $true/$false; it only proves the password is correct for a
# local account, it does not prove the account is a member of Administrators
$Result = $DS.ValidateCredentials($User, $Pass)
$DS.Dispose()

if ($Result)
{
<Perform Tasks Here>
}

Upvotes: 8

Views: 29814

Answers (4)

Jose Castillo

Reputation: 1

I used Robenildo Oliveira's script, but with a bit of a twist. I wanted to make a script to check all computers I am configuring to make sure the admin password was changed. Also, the boss doesn't want the password in the script, nor do I want to keep typing it in. I just want a mass check. So, this is what I came up with. I ran this from a thumb drive so that it would just plug and click, with the help of a bat file using a simple command:

PowerShell.exe -ExecutionPolicy UnRestricted -File "%~d0\PWAdmin.ps1"

I used https://www.altaro.com/msp-dojo/encrypt-password-powershell/ to create a key and encrypt the password. So, I would have a "pkaes.key" txt file and "pk.xml" of the password hash. The extensions don't matter; I just made it *.key, but .txt or anything else will work.

<#
NOTES:
Test Local user Account Credentials
OLD Way
Line 11: $pswd = Read-Host "Type password -- VERIFY BEFORE CLICKING RETURN!!!"  -AsSecureString
#>

$userName = "Administrator"
# $true if a local account with that name exists (used to spot a renamed admin account)
$checkForUser = (Get-LocalUser).Name -contains $userName
Write-Verbose "Prompting for password"
#$pswd = Read-Host "Type password -- VERIFY BEFORE CLICKING RETURN!!!"  -AsSecureString
# Password was encrypted with the AES key stored next to the script (see the altaro link above)
$pswd = Get-Content ".\pk.xml" | ConvertTo-SecureString -Key (Get-Content ".\pkaes.key")
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pswd)
$decodedpswd = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)   # wipe the unmanaged copy
$Computers = @("$env:computername")

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
foreach ($computer in $Computers) {
    $obj = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine', $computer)

    if ($obj.ValidateCredentials($userName, $decodedpswd) -eq $True) {
        Write-Host "01. The password for $($userName) in Computer $($computer) is correct [√]" -ForegroundColor Green
    }
    else {
        Write-Host "01. The password for $($userName) in Computer $($computer) is incorrect [X]" -ForegroundColor Red
    }
    $obj.Dispose()
}

I did change the -BackgroundColor to -ForegroundColor, as it took a while when the passwords didn't match for some reason. But with -ForegroundColor it was instant. Could be just our setup. Also, since we change our admin to some other name and sometimes that change wouldn't happen right away, I still wanted to check the PW for either one and used https://www.reddit.com/r/PowerShell/comments/scioth/determining_if_a_local_user_exists/ in my script to check for both local admin names. This was good to have in my check to see what is installed. This way it's a quick visual, and I can act if something is missing/incorrect on our systems.

Upvotes: 0

Robenildo Oliveira

Reputation: 11

# Test Local User Account Credentials

Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Placeholders: the computers to test and the local admin account name
$computers = @("$env:COMPUTERNAME")
$username  = "variable with local admin user"

Write-Verbose "Prompting for password"
$pswd = Read-Host "Type password -- VERIFY BEFORE CLICKING RETURN!!!" -AsSecureString
# ValidateCredentials needs the plain-text password, so decode the SecureString once
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pswd)
$decodedpswd = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

foreach ($computer in $computers) {
    # 'machine' is coerced to ContextType.Machine, i.e. the local SAM of $computer
    $obj = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('machine', $computer)

    if ($obj.ValidateCredentials($username, $decodedpswd) -eq $True) {
        Write-Host "The password of UserName $($username) in Computer $($computer) is correct" -BackgroundColor Green
    }
    else {
        Write-Host "The password of UserName $($username) in Computer $($computer) is not correct" -BackgroundColor Red
    }
    $obj.Dispose()
}

Upvotes: 1

Andrey Marchuk

Reputation: 13483

This will return the local admins (another answer is probably a better fit here):

# Bind to the local Administrators group through the WinNT ADSI provider
$group = [ADSI]"WinNT://./Administrators"
$members = @($group.psbase.Invoke("Members"))
# Each member is a COM object; pull its Name property via late binding
$admins = $members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}

And this will check credentials:

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
# Replace "test" / "password" with the account name and password to verify; returns $true or $false
$DS.ValidateCredentials("test", "password")
$DS.Dispose()

All you have to do is check that the credentials are OK and that the user is a member of the Administrators group.

Upvotes: 4

David Brabant

Reputation: 43559

# Checks the token of the *current* process, not a supplied credential:
# under UAC this is $true only in an elevated session
function Is-Current-User-Admin
{
    return ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
}

Upvotes: 6
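Added example, not code from the question or from any of the answers above. It puts the two checks from Andrey Marchuk's answer (password valid, then member of Administrators) and the current-token check from David Brabant's answer into one flow that re-prompts a bounded number of times, which is what the question asks for. The function names Test-LocalAdminCredential, Get-VerifiedLocalAdminCredential and Test-IsElevated are my own. It assumes Windows PowerShell 5.1 or later on a Windows host, and resolves the Administrators group by its well-known SID S-1-5-32-544 rather than by name, so a renamed or localized group name does not break the check.

```powershell
# Added example (not from the original question or answers). Assumes Windows PowerShell 5.1+.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ContextType    = [System.DirectoryServices.AccountManagement.ContextType]
$IdentityType   = [System.DirectoryServices.AccountManagement.IdentityType]
$GroupPrincipal = [System.DirectoryServices.AccountManagement.GroupPrincipal]
$UserPrincipal  = [System.DirectoryServices.AccountManagement.UserPrincipal]

function Test-LocalAdminCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]$Credential
    )
    # Get-Credential may hand back "COMPUTER\user", ".\user" or plain "user";
    # NetworkCredential.UserName is the bare account name in every case.
    $net  = $Credential.GetNetworkCredential()
    $user = $net.UserName
    $ctx  = [System.DirectoryServices.AccountManagement.PrincipalContext]::new($ContextType::Machine)
    try {
        # Step 1: password check against the local SAM. A failure is a real bad-logon
        # event and counts toward the account lockout threshold, so callers must cap retries.
        if (-not $ctx.ValidateCredentials($user, $net.Password)) {
            return [pscustomobject]@{ User = $user; PasswordValid = $false; IsAdmin = $false }
        }
        # Step 2: membership in BUILTIN\Administrators, resolved by well-known SID.
        $admins    = $GroupPrincipal::FindByIdentity($ctx, $IdentityType::Sid, 'S-1-5-32-544')
        $principal = $UserPrincipal::FindByIdentity($ctx, $IdentityType::SamAccountName, $user)
        $isAdmin   = ($null -ne $principal) -and $principal.IsMemberOf($admins)
        return [pscustomobject]@{ User = $user; PasswordValid = $true; IsAdmin = $isAdmin }
    }
    finally {
        $ctx.Dispose()
    }
}

# Re-prompt instead of trapping a failure later in the script; stop after $MaxAttempts.
function Get-VerifiedLocalAdminCredential {
    param([int]$MaxAttempts = 3)
    for ($i = 1; $i -le $MaxAttempts; $i++) {
        $cred = Get-Credential -Message "Local Administrator credentials (attempt $i of $MaxAttempts)"
        if ($null -eq $cred) { throw 'Credential prompt cancelled.' }
        $check = Test-LocalAdminCredential -Credential $cred
        if ($check.PasswordValid -and $check.IsAdmin) { return $cred }
        if (-not $check.PasswordValid) {
            Write-Warning "Password for '$($check.User)' is not valid."
        } else {
            Write-Warning "'$($check.User)' is not a member of the local Administrators group."
        }
    }
    throw "No valid local administrator credential after $MaxAttempts attempts."
}

# Is the *current* process elevated? Group membership alone is not enough under UAC:
# a non-elevated token carries the Administrators SID as deny-only, so IsInRole is $false.
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

$adminCred = Get-VerifiedLocalAdminCredential
if (-not (Test-IsElevated)) {
    Write-Warning 'Credential verified, but this session is not elevated; run the admin work with Start-Process -Credential $adminCred or -Verb RunAs.'
}
```

Two things the answers above leave implicit: ValidateCredentials answers only "is this password right for this local account", so the group check is still needed, and a verified credential does not make the current PowerShell session elevated; the work that needs admin rights has to run in a process started with that credential or with elevation. Because every wrong password sent to ValidateCredentials is a genuine failed logon, the prompt loop is capped so a typo-prone user cannot lock the account out.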
