On a Windows platform, is there any command line utility that I can pass a username, password and domain name to in order to verify the credentials (or possibly give an error that the account is disabled, doesn't exist or has expired)?
- 54,273
- 523
6 Answers
You could use the net use command, specifying the username and password on the command line (in the form net use \\unc\path /user:username password) and check the errorlevel returned to verify whether a credential is valid.
The runas command would work, too, except that you're going to have a tougher time testing the output.
Testing a credential for the existence of an account would be a matter of using net user or dsquery. The net user command won't tell you if an account is locked out, but querying the lockoutTime attribute of the user account could tell you that.
- 142,957
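The net use approach above, worked through as a PowerShell wrapper. This is an added example, not code from the answer. Instead of returning only the errorlevel, it captures the "System error NNNN has occurred" line that net use prints and maps the Win32 error number to the reason the logon was refused, which is what the question actually asks for (disabled, expired, locked out). The server name, user and password in the usage line are hypothetical; the function assumes the target is reachable over SMB.

```powershell
# Added example (not from the original answer): wrap "net use" so it returns a
# structured verdict rather than a bare errorlevel.
function Test-CredentialViaNetUse {
    param(
        [Parameter(Mandatory)] [string] $Server,    # hypothetical, e.g. 'fileserver01'
        [Parameter(Mandatory)] [string] $UserName,  # e.g. 'CORP\alice'
        [Parameter(Mandatory)] [string] $Password
    )

    # Win32 error numbers that net use reports as "System error NNNN has occurred."
    # The last two are not credential verdicts at all and are listed so they are not
    # mistaken for a bad password.
    $reasons = @{
        1326 = 'bad user name or password'
        1327 = 'account restriction (e.g. blank password not allowed)'
        1328 = 'logon hours restriction'
        1329 = 'workstation restriction'
        1330 = 'password expired'
        1331 = 'account disabled'
        1793 = 'account expired'
        1907 = 'password must be changed at next logon'
        1909 = 'account locked out'
        53   = 'network path not found (target unreachable, not a credential result)'
        1219 = 'a session to this server already exists with other credentials (not a credential result)'
    }

    # IPC$ exists on every SMB server, so no share permissions are needed to test a logon.
    $unc = "\\$Server\IPC$"

    # Windows allows one credential set per server; drop any existing session so the
    # supplied credentials are the ones actually used (avoids error 1219).
    net use $unc /delete /y 2>&1 | Out-Null

    $output = net use $unc "/user:$UserName" $Password 2>&1 | Out-String
    $exit   = $LASTEXITCODE

    # Tear the test session down again so nothing is left mapped.
    net use $unc /delete /y 2>&1 | Out-Null

    $result = [pscustomobject]@{
        UserName  = $UserName
        Valid     = ($exit -eq 0)
        Reason    = 'credentials accepted'
        ErrorCode = $null
    }
    if ($exit -ne 0) {
        $result.Reason = 'unknown failure'
        if ($output -match 'System error (\d+)') {
            $result.ErrorCode = [int] $Matches[1]
            if ($reasons.ContainsKey($result.ErrorCode)) {
                $result.Reason = $reasons[$result.ErrorCode]
            }
        }
    }
    $result
}

# Usage (hypothetical values):
# Test-CredentialViaNetUse -Server fileserver01 -UserName 'CORP\alice' -Password 'S3cret!'
```

Two caveats a practitioner should keep in mind: the password is passed on the command line, so it is visible to anyone who can list process command lines on that machine (and may end up in PowerShell transcripts), and every failed attempt counts against the domain lockout policy, so a script that retries a wrong password will lock the account it is testing.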
In PowerShell:

```powershell
Function Test-ADAuthentication {
    param($username, $password)
    # Bind to the default naming context with the supplied credentials;
    # reading a property forces the bind, which yields $null on bad credentials
    (new-object directoryservices.directoryentry "",$username,$password).psbase.name -ne $null
}
```

```
PS C:\> Test-ADAuthentication "dom\myusername" "mypassword"
True
PS C:\>
```
- 319
Try this:

```cmd
net use \\%userdnsdomain% /user:%userdomain%\%username% *
```

%Errorlevel% is 0 if the password is OK.
The asterisk at the end of the line forces it to prompt for the password.
- 31
cmdkey is the command-line interface for adding, removing and listing credentials that are used for things like net use or remote desktop.

```cmd
cmdkey /add:<domain> /user:<username> /pass:<pass>
```

will add the credentials for a domain.
Then using net use <domain UNC> won't require the credentials to be passed again.
I believe it is named cmdkey as it is the command-line way of adding keys/credentials.
Further to PsychoData's comment above.
I need to test a service account which is part of a "no interaction" AD group that has been given access to a share that is not available from any VM that I can use to test. I had to use this syntax to confirm the password was correct:

```cmd
runas /noprofile /netonly /user:domain\serviceaccount cmd
```

I can confirm that if the pwd is correct, this pops up a cmd window.
Other syntaxes (including the NET USE syntax) gave me various ambiguous results.
- 193
Just wanted to add that since AD is an LDAP server, you can use an LDAP command line tool to 'bind' to it, thus confirming whether or not it is active. You can also bind as a user with higher privileges and then search AD using LDAP principles.
But hey-- nothing wrong with Powershell!
- 143
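The LDAP bind approach, worked through in PowerShell with the .NET System.DirectoryServices.Protocols classes rather than a third-party LDAP client. This is an added example, not part of the answer above. On a failed bind a domain controller returns LDAP result 49 (invalidCredentials) with an AD-specific sub-code in the diagnostic message (the "data 52e" fragment), and that sub-code distinguishes a wrong password from a disabled, expired or locked-out account. The DC name and user in the usage line are hypothetical; the code assumes LDAPS on TCP 636 is reachable and that the DC's certificate is trusted by the client.

```powershell
# Added example (not from the original answer): verify a credential with an LDAP
# simple bind and decode the AD sub-code from the server's diagnostic message.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,              # hypothetical, e.g. 'dc01.corp.example'
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. 'alice@corp.example'
        [Parameter(Mandatory)] [string] $Password
    )

    # Sub-codes AD appends to its invalidCredentials diagnostic, e.g.
    # "80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 52e, v4563"
    $subCodes = @{
        '525' = 'user not found'
        '52e' = 'invalid credentials (wrong password)'
        '530' = 'not permitted to log on at this time'
        '531' = 'not permitted to log on from this workstation'
        '532' = 'password expired'
        '533' = 'account disabled'
        '701' = 'account expired'
        '773' = 'user must reset password'
        '775' = 'account locked out'
    }

    # A simple bind sends the password in clear text inside the LDAP message, so it
    # must only ever be done over TLS (LDAPS, port 636), never plain LDAP on 389.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($UserPrincipalName, $Password)

    try {
        $conn.Bind()
        [pscustomobject]@{ User = $UserPrincipalName; Valid = $true; Reason = 'bind succeeded'; SubCode = $null }
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # ServerErrorMessage carries the DC's diagnostic text including the "data NNN" fragment
        $msg    = $_.Exception.ServerErrorMessage
        $sub    = $null
        $reason = "bind failed: $($_.Exception.Message)"
        if ($msg -match 'data ([0-9a-f]+)') {
            $sub = $Matches[1]
            if ($subCodes.ContainsKey($sub)) { $reason = $subCodes[$sub] }
        }
        [pscustomobject]@{ User = $UserPrincipalName; Valid = $false; Reason = $reason; SubCode = $sub }
    }
    finally {
        $conn.Dispose()
    }
}

# Usage (hypothetical values):
# Test-LdapBind -Server dc01.corp.example -UserPrincipalName 'alice@corp.example' -Password 'S3cret!'
```

Notes on the results: in practice a non-existent user usually comes back as 52e rather than 525, so "user not found" should not be relied on for enumeration checks, and failed binds count against the lockout policy just like failed SMB logons do. Also note, for the runas answer above, that runas /netonly does not validate the password when it launches the process: the new logon session stores the credentials and only presents them when the process touches a network resource, so a window appearing with /netonly is not by itself proof that the password is correct.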