Active Directory

PowerShell: Test Domain User Account Credentials Test-UserCredentials.ps1

This script will check if the password for a given username is correct.
If the authentication failed using the provided Domain\Username and Password, The script will do some checks and provide clues why the authentication failed.
The checks are:

  • Domain is reachable.
  • User Name exists in the domain.
  • The account is Enabled.
  • The account is Unlocked.

You can run the script from powershell as .\Test-UserCredentials.ps1 or Right click the script and select “Run with PowerShell”,
The script will ask for the user credentials as Domain\Username, and Password in a friendly Windows authentication window, and report the status of the combination.

Get User Input:
11_02_00-Windows PowerShell

Example for correct username and password
2015-12-22 15_40_43-Windows PowerShell

Example for failed authentication due to: domain is not found/unreachable:
2015-12-22 15_43_15-Windows PowerShell

Example for failed authentication due to: User Name does not exist:
2015-12-22 15_45_40-Windows PowerShell

Example for failed authentication due to: User Account is disabled:
2015-12-22 15_47_29-Windows PowerShell

Example for failed authentication due to Locked out User account:
2015-12-31 10_13_51-Windows PowerShell

Example for failed authentication mostly due to wrong password:
2015-12-28 10_22_50-Windows PowerShell

Download from TechNet Gallery:

Test If AD User Name and Password Combination are Correct

Check my enhanced PowerShell script that do the same task as here, and more…:

—Original Post—
This neat VBS script will test the active directory authentication for a given user name and password. and It will tell you if it succeeded or failed with which error.

I used to use Run-AS to test the authentication, but sometimes the user will not have the permissions to access the machine I’m testing on, and I will receive a non clear error.

Now, to the script:

Set objNetwork = CreateObject("WScript.Network")
strDomain = objNetwork.UserDomain
strUsername=InputBox("Enter Username:")
strPassword=InputBox("Enter Password:")
Set objDS = GetObject("LDAP:")
On Error Resume Next
Set objDomain = objDS.OpenDSObject("LDAP://" & strDomain, strUsername, strPassword, ADS_SECURE_AUTHENTICATION)
If Err.Number Then
    WScript.Echo _
    "For user:" & vbCrLf & _
    "   " & strDomain & "\" & strUsername & vbCrLf & _ 
    "Error Number:" & vbCrLf & _
    "   " & Err.Number & vbCrLf & _
    "Error Description:" & vbCrLf & _
    "   " & Err.Description
    WScript.Echo _
    "Valid password entered for user" & vbCrLf & _
    "   " & strDomain & "\" & strUsername
End If
On Error Goto 0

Run it, Provide the user name (Without providing the domain name), then provide the password, and get the result.


PowerShell: Find the LDAP address from a User Account


Import-Module ActiveDirectory
$Account = Read-Host 'Enter User Account'
$DN = Get-ADuser $Account
Write-Host LDAP://$DN

Run the script from your domain controller.

The script will ask you for the user logon name, and will display the relative LDAP address in the form of: LDAP://CN=………,OU=…..,OU=………,DC=…….,DC=…..

One-Liner: Move Multible Users to a Specific OU (Powershell)

This PowerShell command will read the users’ alias from a text file, and will move them to a specific OU.

  • On you domain controller, create a text file at C:\MoveUsers\Users.txt
  • In Users.txt add users aliases one per each line.
  • Get the DN for the destination OU, one easy common way, is to open ADSI Edit, expand the tree on the left till you reach the desired OU –> in the properties of the OU you will get the OU DN.
  • Open PowerShell and import the Active Directory Module:
Import-Module ActiveDirectory
The Command:
Get-Content C:\MoveUsers\Users.txt | Foreach{Get-ADUser $_ | Move-ADObject -TargetPath "OU=HR Users,OU=Users,DC=Masry,DC=Lab"}

Replace OU=HR Users,OU=Users,DC=Masry,DC=Lab with your OU DN obtained previously.