Public/ActiveDirectory/Get-CredentialValidate.ps1

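function Get-CredentialValidate {
    <#
    .SYNOPSIS
        Get a domain credential and verify it against Active Directory.

    .DESCRIPTION
        Prompts for (or accepts) a PSCredential, checks that the login exists in
        its domain, then proves the password by binding to the domain with
        System.DirectoryServices.DirectoryEntry. While the bind fails the user is
        re-prompted; the credential that finally validates is returned.

        The pre-checks (Get-ADDomain / Get-ADUser) run under the calling
        session's own identity via the ActiveDirectory module, not under the
        credential being validated, so the caller needs read access to the
        target domain.

        Security notes:
          - The password is never written to any output stream. Verbose output
            is routinely captured by Start-Transcript, CI logs and remoting
            traces, so the old "-Verbose shows the password" behaviour was
            removed; -Verbose now shows login, domain and server only.
          - An empty password is never accepted as validated. No bind is even
            attempted for it: depending on the authentication type an empty
            password can be treated as an unauthenticated bind that "succeeds"
            without proving anything about the account.
          - Each failed bind counts as a bad-password attempt on the account, so
            repeated wrong entries in the retry loop can trip the domain
            lockout policy. There is no built-in attempt limit.

    .PARAMETER UserName
        Login offered as the default in the credential prompt. Accepts
        DOMAIN\user, user@suffix or a bare sAMAccountName. Defaults to the
        current user as DOMAIN\user. Ignored when -Credential is supplied.

    .PARAMETER Credential
        Credential to validate. When omitted, the user is prompted for one.

    .OUTPUTS
        System.Management.Automation.PSCredential - the credential that validated.

    .EXAMPLE
        Get-CredentialValidate

        Prompt for a credential, verify it and return it.

    .EXAMPLE
        Get-CredentialValidate -Verbose

        Same, with progress details (login, domain, server - never the password).

    .EXAMPLE
        $Credentials = Get-Credential
        Get-CredentialValidate -Credential $Credentials

        Validate a credential obtained elsewhere and return it if correct.
    #>

    [CmdletBinding(PositionalBinding = $false)]
    [OutputType([PSCredential])]
    param
    (
        [Parameter()]
        [String]$UserName = "$env:USERDOMAIN\$env:USERNAME",

        [Parameter()]
        [PSCredential]$Credential
    )

    # DirectoryEntry lives in System.DirectoryServices; that is the assembly this
    # function actually uses (AccountManagement was loaded before but never used).
    Add-Type -AssemblyName System.DirectoryServices

    if (-not $Credential) {
        Write-Verbose -Message 'Getting credential...'
        $Credential = Get-Credential -Message 'Provide credential:' -UserName $UserName
    }

    # Get-Credential returns $null when the prompt is cancelled; fail with a clear
    # message instead of dereferencing $null further down.
    if (-not $Credential) {
        Throw 'No valid credential.'
    }

    # Split the login into the domain to query and the sAMAccountName to look up.
    $UserName = $Credential.UserName
    if ($UserName -like '*\*') {
        $Parts = $UserName.Split('\')
        $DomainName = $Parts[0]
        $SamAccountName = $Parts[-1]
    }
    elseif ($UserName -like '*@*') {
        # NOTE: the part after '@' is a UPN suffix. This only identifies the domain
        # when the suffix equals the domain's DNS name; alternative UPN suffixes
        # are not resolved here.
        $Parts = $UserName.Split('@')
        $SamAccountName = $Parts[0]
        $DomainName = $Parts[1]
    }
    else {
        # Bare login: assume the current user's DNS domain.
        $DomainName = $env:USERDNSDOMAIN
        $SamAccountName = $UserName
    }

    if (-not $DomainName) {
        Throw "Could not determine the domain for login '$UserName'."
    }

    # Resolve the domain once; the original queried it up to three times.
    # The PDC emulator is used as the server for the user lookup and the DNS root
    # as the LDAP bind path.
    $Domain = Get-ADDomain -Identity $DomainName
    $Server = $Domain.PDCEmulator
    $DomainFQDN = $Domain.DNSRoot

    if ($DomainFQDN) {
        Write-Verbose -Message "Fully qualified domain name found: '$DomainFQDN'"
    }
    else {
        # The original message said "was found" here; it is the failure path.
        Throw "Fully qualified domain name of '$DomainName' was not found."
    }

    Write-Verbose -Message "Checking login: $SamAccountName, in domain: $DomainName at server: $Server"

    # Existence pre-check. Runs as the calling session (ActiveDirectory module),
    # not as the credential under test; it only confirms the account exists. The
    # password is proven solely by the bind below.
    if (Get-ADUser -Filter {
            SamAccountName -eq $SamAccountName
        } -Server $Server) {
        Write-Verbose -Message "Login $SamAccountName exist in $DomainName"
    }
    else {
        Throw "Login $SamAccountName doesn't exist in $DomainName domain."
    }

    # Bind loop: attempt a bind with the supplied credential; on failure re-prompt
    # (pre-filling the last login) and try again. The bind path stays the one
    # resolved above even if a re-prompt changes the domain part of the login.
    $DomainADSI = "LDAP://$DomainFQDN"
    $Check = $null
    $Password = $null
    $Attempt = 0

    do {
        $Attempt++
        Write-Verbose -Message 'Checking credential...'

        if ($Attempt -gt 1) {
            if (-not $Password) {
                Write-Verbose -Message 'Getting credential (password was empty)...'
                $Credential = Get-Credential -Message 'Provide correct credential (password was empty):' -UserName $UserName
            }
            else {
                Write-Verbose -Message 'Getting credential (no valid login or password)...'
                $Credential = Get-Credential -Message 'Provide correct credential (no valid login or password):' -UserName $UserName
            }

            if (-not $Credential) {
                Throw 'Credential prompt was cancelled.'
            }
        }
        else {
            Write-Verbose -Message 'Credential arguments provided (not empty).'
        }

        Write-Verbose -Message 'Validating...'
        $UserName = $Credential.UserName

        # The DirectoryEntry constructor only takes the password as a plain .NET
        # string, so it has to be exposed here. It is kept in this scope only and
        # is never written to any stream.
        $Password = $Credential.GetNetworkCredential().Password

        $Check = $null
        if (-not $Password) {
            # Do not bind with an empty password: it cannot prove anything and
            # would still count as a bad-password attempt on the account.
            Write-Verbose -Message 'Password is empty; skipping bind.'
        }
        else {
            $Entry = $null
            try {
                # Reading a property forces the actual bind; a logon failure
                # surfaces as an exception and leaves $Check empty, which drives
                # the retry.
                $Entry = New-Object System.DirectoryServices.DirectoryEntry($DomainADSI, $UserName, $Password)
                $Check = $Entry.distinguishedName
            }
            catch {
                # Surface the reason (e.g. bad password, unreachable server)
                # without the adapter stack noise; the message carries no secret.
                Write-Warning -Message "Bind to '$DomainADSI' as '$UserName' failed: $($_.Exception.Message)"
                $Check = $null
            }
            finally {
                # DirectoryEntry is IDisposable; release the ADSI handle each round.
                if ($Entry) { $Entry.Dispose() }
            }
        }
        # An empty password must never count as validated, so it is part of the
        # loop condition as well as being skipped above.
    } while (-not $Check -or -not $Password)

    # Login only - never the password (see DESCRIPTION).
    Write-Verbose -Message "Credential validated for login: $UserName"
    $Password = $null

    $Credential
}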