CODEWITHSUNDEEP
powershellauthenticationactive-directorycredentialsactive-directory-group
Darktux
Darktux

Reputation: 427

How to use obtained credentials in powershell to find groups of the Authenticated user?

I wrote a script, which on execution asks for credentials; it goes like this;

$cred = Get-Credential #Read credentials
$username = $cred.username
$password = $cred.GetNetworkCredential().password
$CurrentDomain = "LDAP://" + ([ADSI] "" ).distinguishedName
$domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,    $UserName, $Password)

if ($domain.name -eq $null)
{
    [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [System.Windows.Forms.MessageBox]::Show("Authentication failed - please verify your username and password.")
    exit
}
else
{
    [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [System.Windows.Forms.MessageBox]::Show("Authentication Success")

    $Groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups

-> I recognized my mistake later, the last line collects the groups of user who is logged into the windows machine.I need the groups of the person who authenticated via script; how to change this and obtain the groups for the person who authenticated into script rather the one using windows authentication?

Please do let me know of any questions or clarifications.

Upvotes: 0

Views: 8556

Answers (2)

CB.
CB.

Reputation: 60986

You can try this:

[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")$cred = Get-Credential #Read credentials
$username = $cred.username
$password = $cred.GetNetworkCredential().password
$CurrentDomain = "LDAP://" + ([ADSI] "" ).distinguishedName
$domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,    $UserName, $Password)

if ($domain.name -eq $null)
{
  [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
  [System.Windows.Forms.MessageBox]::Show("Authentication failed - please verify your username and password.")
  exit
}
else
{
  Add-Type -AssemblyName System.DirectoryServices.AccountManagement
  [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

  $cred = Get-Credential #Read credentials
  $username = $cred.username
  $password = $cred.GetNetworkCredential().password
  $CurrentDomain = "LDAP://" + ([ADSI] "" ).distinguishedName
  $domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,    $UserName, $Password)

  if ($domain.name -eq $null)
  {
    [System.Windows.Forms.MessageBox]::Show("Authentication failed - please verify your username and password.")
    exit
  }
  else
  {
    [System.Windows.Forms.MessageBox]::Show("Authentication Success")

    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ct, $username)

    $groups = $user.GetGroups()
    foreach($i in $groups){
      $i.SamAccountName
    }
  }
}

Upvotes: 1

Loïc MICHEL
Loïc MICHEL

Reputation: 26180

if you're able to install quest activesrole it will be as simple as :

(get-qaduser $user).memberof

otherwise you can use invoke-command and provide the credentials:

$groups=Invoke-Command -ComputerName $env:COMPUTERNAME -Credential $cred -ScriptBlock {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
}

Upvotes: 0

Related Questions