Active Directory & PowerShell

  • Question

  • Hi

    I am trying to write a PowerShell script that compares a CSV of usernames and passwords against Active Directory to ensure that the AD password is correct.

    Can this be done?

    Many thanks

    Iain

    • Moved by Bill_Stewart Monday, April 20, 2015 7:19 PM Poor quality question/shows no research effort
    Thursday, December 11, 2014 4:44 PM

Answers

  • Nope.

     You cannot read the passwords from AD.  In fact they aren't even stored there.  What is stored is a hash that's calculated from the password prompt when the user sets their password.  When they re-enter the password to log in, it takes the entered password, recalculates the hash from that, and compares it to the hash that's stored in AD.

    The password itself is never stored.

    Edit: 

    You can test a set of credentials using the username and password in the csv,

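    Function Test-ADAuthentication {
        param($username, $password)
        # Bind to the default domain with the supplied credentials. Reading a
        # property forces the bind; the name comes back $null if it fails.
        $null -ne (New-Object DirectoryServices.DirectoryEntry "", $username, $password).psbase.name
    }
    
    # Returns $true when the credentials are accepted, $false otherwise
    Test-ADAuthentication 'test' 'Password1'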

    but you can't simply read the password from AD and compare it to what's in the csv.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "





    • Proposed as answer by Mike Laughlin Thursday, December 11, 2014 4:56 PM
    • Edited by mjolinor Thursday, December 11, 2014 5:09 PM
    • Marked as answer by Just Karl Tuesday, April 28, 2015 10:42 PM
    Thursday, December 11, 2014 4:48 PM
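
An added example, not part of the original thread or the answerer's code: the same credential test applied to every row of a CSV, using `PrincipalContext.ValidateCredentials` in place of the `DirectoryEntry` bind. The function name, the CSV path and the `Username`/`Password` column names are assumptions; it makes at most one attempt per account, because every failed attempt counts toward the domain's lockout threshold.

```powershell
# Added example. Assumes a domain-joined machine and a CSV with
# Username and Password columns (hypothetical column names).
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-CsvAdCredential {
    param(
        [Parameter(Mandatory)][string]$CsvPath   # hypothetical input file
    )

    # Create one context for the current domain and reuse it for every row.
    $domain  = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $domain
    $seen    = @{}   # usernames already tested (hashtable keys are case-insensitive)

    try {
        foreach ($row in Import-Csv -Path $CsvPath) {
            if ([string]::IsNullOrWhiteSpace($row.Username) -or [string]::IsNullOrEmpty($row.Password)) {
                $status = 'MissingField'
            }
            elseif ($seen.ContainsKey($row.Username)) {
                # Never retry an account: a second wrong password moves it
                # closer to lockout.
                $status = 'DuplicateSkipped'
            }
            else {
                $seen[$row.Username] = $true
                try {
                    $ok     = $context.ValidateCredentials($row.Username, $row.Password)
                    $status = if ($ok) { 'Match' } else { 'Mismatch' }
                }
                catch {
                    # e.g. no domain controller reachable
                    $status = "Error: $($_.Exception.Message)"
                }
            }
            # Emit the result without echoing the password.
            [pscustomobject]@{ Username = $row.Username; Result = $status }
        }
    }
    finally {
        $context.Dispose()
    }
}

# Usage (paths are placeholders):
# Test-CsvAdCredential -CsvPath .\accounts.csv | Export-Csv .\result.csv -NoTypeInformation
```

Rows reported as `Mismatch` generate failed-logon events on the domain controller, and the input CSV holds plaintext passwords, so it should be protected and deleted once the check is done.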