How to use obtained credentials in powershell to find groups of the Authenticated user?

StackOverflow https://stackoverflow.com/questions/14776696

Question

I wrote a script, which on execution asks for credentials; it goes like this;

$cred = Get-Credential #Read credentials
$username = $cred.username
$password = $cred.GetNetworkCredential().password
$CurrentDomain = "LDAP://" + ([ADSI] "" ).distinguishedName
$domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,    $UserName, $Password)

if ($domain.name -eq $null)
{
    [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [System.Windows.Forms.MessageBox]::Show("Authentication failed - please verify your username and password.")
    exit
}
else
{
    [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [System.Windows.Forms.MessageBox]::Show("Authentication Success")

    $Groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups

-> I recognized my mistake later, the last line collects the groups of user who is logged into the windows machine.I need the groups of the person who authenticated via script; how to change this and obtain the groups for the person who authenticated into script rather the one using windows authentication?

Please do let me know of any questions or clarifications.

Was it helpful?

Solution

You can try this:

[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")$cred = Get-Credential #Read credentials
$username = $cred.username
$password = $cred.GetNetworkCredential().password
$CurrentDomain = "LDAP://" + ([ADSI] "" ).distinguishedName
$domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,    $UserName, $Password)

if ($domain.name -eq $null)
{
  [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
  [System.Windows.Forms.MessageBox]::Show("Authentication failed - please verify your username and password.")
  exit
}
else
{
  Add-Type -AssemblyName System.DirectoryServices.AccountManagement
  [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

  $cred = Get-Credential #Read credentials
  $username = $cred.username
  $password = $cred.GetNetworkCredential().password
  $CurrentDomain = "LDAP://" + ([ADSI] "" ).distinguishedName
  $domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,    $UserName, $Password)

  if ($domain.name -eq $null)
  {
    [System.Windows.Forms.MessageBox]::Show("Authentication failed - please verify your username and password.")
    exit
  }
  else
  {
    [System.Windows.Forms.MessageBox]::Show("Authentication Success")

    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ct, $username)

    $groups = $user.GetGroups()
    foreach($i in $groups){
      $i.SamAccountName
    }
  }
}

OTHER TIPS

if you're able to install quest activesrole it will be as simple as :

(get-qaduser $user).memberof

otherwise you can use invoke-command and provide the credentials:

$groups=Invoke-Command -ComputerName $env:COMPUTERNAME -Credential $cred -ScriptBlock {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top