How to use obtained credentials in powershell to find groups of the Authenticated user?

Question

I wrote a script, which on execution asks for credentials; it goes like this;

$cred = Get-Credential #Read credentials
$username = $cred.username
$password = $cred.GetNetworkCredential().password
$CurrentDomain = "LDAP://" + ([ADSI] "" ).distinguishedName
$domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,    $UserName, $Password)

if ($domain.name -eq $null)
{
    [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [System.Windows.Forms.MessageBox]::Show("Authentication failed - please verify your username and password.")
    exit
}
else
{
    [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    [System.Windows.Forms.MessageBox]::Show("Authentication Success")

    $Groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups

-> I recognized my mistake later, the last line collects the groups of user who is logged into the windows machine.I need the groups of the person who authenticated via script; how to change this and obtain the groups for the person who authenticated into script rather the one using windows authentication?

Please do let me know of any questions or clarifications.

Answer 1

You can try this:

[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")$cred = Get-Credential #Read credentials
$username = $cred.username
$password = $cred.GetNetworkCredential().password
$CurrentDomain = "LDAP://" + ([ADSI] "" ).distinguishedName
$domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,    $UserName, $Password)

if ($domain.name -eq $null)
{
  [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
  [System.Windows.Forms.MessageBox]::Show("Authentication failed - please verify your username and password.")
  exit
}
else
{
  Add-Type -AssemblyName System.DirectoryServices.AccountManagement
  [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

  $cred = Get-Credential #Read credentials
  $username = $cred.username
  $password = $cred.GetNetworkCredential().password
  $CurrentDomain = "LDAP://" + ([ADSI] "" ).distinguishedName
  $domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,    $UserName, $Password)

  if ($domain.name -eq $null)
  {
    [System.Windows.Forms.MessageBox]::Show("Authentication failed - please verify your username and password.")
    exit
  }
  else
  {
    [System.Windows.Forms.MessageBox]::Show("Authentication Success")

    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ct, $username)

    $groups = $user.GetGroups()
    foreach($i in $groups){
      $i.SamAccountName
    }
  }
}

Answer 2

if you're able to install quest activesrole it will be as simple as :

(get-qaduser $user).memberof

otherwise you can use invoke-command and provide the credentials:

$groups=Invoke-Command -ComputerName $env:COMPUTERNAME -Credential $cred -ScriptBlock {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
}