01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 | function obtainDomainAdminCredentials{ # Legacy domain binding function function isValidCred($u,$p){ # Get current domain using logged-on user's credentials $domain = "LDAP://" + ([ADSI]"").distinguishedName $domainCred = New-Object System.DirectoryServices.DirectoryEntry($domain,$u,$p) if ($domainCred){ return $True }else{ return $False } } function isDomainAdmin($username){ if (!(get-module activedirectory)){Install-WindowsFeature RSAT-AD-PowerShell -Confirm:$false} if((Get-ADUser $username -Properties MemberOf).MemberOf -match '^CN=Domain Admins'){ return $True; }else{return $false;} } # Create a domain context function dotNetDomainBind{ Add-Type -AssemblyName System.DirectoryServices.AccountManagement; Try { $type = [System.DirectoryServices.AccountManagement.ContextType]::Domain; $context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext $type,$env:USERDOMAIN; return $context; } Catch { If ($_.Exception.InnerException -like "*The server could not be contacted*") { write-host "Could not contact a server for the specified domain $env:USERDOMAIN via DotNet Method."; } Else { write-host "Unknown errors occured while attempting to contact $env:USERDOMAIN via DotNet Method."; } return $false; } } $attempt=0; $maxAttempts=3; $plainTextPassword=''; Do{ $attempt++; $failureMessage = $null; [string][ValidateNotNullOrEmpty()]$userName=Read-Host -Prompt "Please input a User ID"; if($userName -notmatch '\\'){ $username=$env:USERDOMAIN+'\'+$userName } $password = Read-Host -Prompt "Please type in the password for user $userName" -AsSecureString; $plainTextPassword=[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)) # Test bind to this credential try { # Test bind $context=dotNetDomainBind if($context){ $validatedAccount = $context.ValidateCredentials($userName,$plainTextPassword) }else{ $validatedAccount=isValidCred -u $userName -p $plainTextPassword } If ($validatedAccount) { $onlyUserName=$userName -replace '.+\\' $isDomainAdmin=isDomainAdmin -username $onlyUserName; if($isDomainAdmin){ $credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $userName,$password; $validAccount=$true; }else{ $failureMessage += "$attempt out of $maxAttempts`: $userName account is valid, but it is not a Domain Admin"; } }else{ $failureMessage += "$attempt out of $maxAttempts`: username and/or password error"; } }catch{ write-warning $_ $failureMessage += "Unable to bind to $env:USERDNSDOMAIN."; } # Depending on whether there are failures, proceed accordingly if($failureMessage){ If ($attempt -lt $maxAttempts-1) { $message = "$failureMessage`: Authentication error. Please Try again."; Write-Warning $message; }elseif($attempt -eq $maxAttempts-1){ $message = "$failureMessage`: Last attempt."; Write-Warning $message; $credentials= $false; } } } Until (($ValidAccount) -or ($Attempt -ge $MaxAttempts)) if($credentials){return $credentials;}else{return $false}} |
# Obtain Domain Admin Credentials
function obtainDomainAdminCredentials{
# Legacy domain binding function
function isValidCred($u,$p){
# Get current domain using logged-on user's credentials
$domain = "LDAP://" + ([ADSI]"").distinguishedName
$domainCred = New-Object System.DirectoryServices.DirectoryEntry($domain,$u,$p)
if ($domainCred){return $True}else{return $False}
}
function isDomainAdmin($username){
if (!(get-module activedirectory)){includeActiveDirectoryModule}
if((Get-ADUser $username -Properties MemberOf).MemberOf -match 'Domain Admins'){return $True;}else{return $false;}
}
# Create a domain context
function dotNetDomainBind{
Add-Type -AssemblyName System.DirectoryServices.AccountManagement;
Try {
$type = [System.DirectoryServices.AccountManagement.ContextType]::Domain;
$context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext $type,$env:USERDOMAIN;
return $context;
} Catch {
If ($_.Exception.InnerException -like "*The server could not be contacted*") {
write-host "Could not contact a server for the specified domain $env:USERDOMAIN via DotNet Method.";
} Else {
write-host "Unknown errors occured while attempting to contact $env:USERDOMAIN via DotNet Method.";
}
return $false;
}
}
$attempt=0;
$maxAttempts=3;
$plainTextPassword='';
Do{
$attempt++;
$failureMessage = $null;
[string][ValidateNotNullOrEmpty()]$userName=Read-Host -Prompt "Please input a User ID";
if($userName -match '\\'){$username=$env:USERDOMAIN+'\'+$userName}
$password = Read-Host -Prompt "Please type in the password for user $userName" -AsSecureString;
$plainTextPassword=[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))
# Test bind to this credential
try {
# Test bind
$context=dotNetDomainBind
if($context){
$validatedAccount = $context.ValidateCredentials($userName,$plainTextPassword)
}else{
$validatedAccount=isValidCred -u $userName -p $plainTextPassword
}
If ($validatedAccount) {
$isDomainAdmin=isDomainAdmin -username $userName;
if($isDomainAdmin){
$credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $userName,$password;
$validAccount=$true;
}else{
$failureMessage += "$attempt out of $maxAttempts`: $userName account is valid, but it is not a Domain Admin";
}
}else{
$failureMessage += "$attempt out of $maxAttempts`: username and/or password error";
}
}catch{
$failureMessage += "Unable to bind to $env:USERDOMAIN.";
}
# Depending on whether there are failures, proceed accordingly
if($failureMessage){
If ($attempt -lt $maxAttempts-1) {
$message = "$failureMessage`: Authentication error. Please Try again.";
Write-Warning $message;
} elseif ($attempt -eq $maxAttempts-1){
$message = "$failureMessage`: Last attempt.";
Write-Warning $message;
$credentials= $false;
}
}
} Until (($ValidAccount) -or ($Attempt -eq $MaxAttempts))
if($credentials){return $credentials;}else{return $false}
}
Function includeActiveDirectoryModule{
if (!(get-module -Name "ActiveDirectory") ){
try{
Install-WindowsFeature ActiveDirectory -ErrorAction Stop | out-null;
Import-Module ActiveDirectory -ErrorAction Stop | out-null;
return $true;
}catch{
$rsatFailoverClusterInstalled=(Get-WindowsCapability -name Rsat.FailoverCluster* -online).State;
$wuRegistryHive="REGISTRY::HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
$wuKey="UseWUServer"
$currentWu = Get-ItemProperty -Path $wuRegistryHive -Name $wuKey -ErrorAction SilentlyContinue | select -ExpandProperty UseWUServer
if($currentWu){
Set-ItemProperty -Path $wuRegistryHive -Name $wuKey -Value 0;
Restart-Service wuauserv;
}
Get-WindowsCapability -Name Rsat.ActiveDirectory* -Online | Add-WindowsCapability –Online
if($currentWu){
Set-ItemProperty -Path $wuRegistryHive -Name $wuKey -Value $currentWu;
Restart-Service wuauserv;
}
try {Import-Module ActiveDirectory}catch{
return $false;
};
}
}else{
write-host "ActiveDirectory Module is available on this computer.";
return $true;
}
}
$credential=obtainDomainAdminCredentials;
$username=$credential.Username;
$plaintextPassword=$credential.GetNetworkCredential().password;
Categories: