
Untitled

a guest
Sep 11th, 2018
  1. <#
  2.     .SYNOPSIS
  3.         Tests user credentials against Active Directory
  4.     .DESCRIPTION
  5.         This version of the script does NOT requires the ActiveDirectory PowerShell module to be present.
  6. #>
  7. [CmdletBinding()]
  8. param
  9. (
  10.     [parameter(Mandatory=$true,Position=0)]
  11.     [ValidateScript({
  12.         $null -ne $_.Password -and $_.UserName -like "*\*"
  13.     })]
  14.     [PSCredential] $Credential
  15.     ,
  16.     [parameter(Mandatory=$false,Position=1)]
  17.     [string] $FQDomainName
  18. )
  19. #Parse provided user credentials
  20. $NetBIOSDomain = $Credential.UserName.Split('\')[0]
  21. $UserName = $Credential.UserName.Split('\')[-1]
  22. $Password = $Credential.GetNetworkCredential().Password
  23. if ($PSBoundParameters["FQDomainName"])
  24. {
  25.    # Separate and form DN
  26.    $names = $FQDomainName.Split('.')
  27.    $new=@()
  28.    for ($i=0; $i -lt $names.Length; $i++)
  29.    {
  30.        $name = $names[$i]
  31.        $new += "DC=$name"
  32.    }
  33.    $result = $new -join ','
  34.    # Now test it
  35.    $test = [ADSI]::new("LDAP://$result")
  36.    $dn = $test.distinguishedName
  37. }
  38. else
  39. {
  40.    # Use the current domain
  41.    $adsi = [ADSI]''
  42.    $dn = $adsi.distinguishedName
  43. }
  44. Write-Verbose $($dn | Out-String)
  45. Write-Host "`nChecking Credentials for $NetBIOSDomain\$UserName" -BackgroundColor Black -ForegroundColor Yellow
  46. Write-Host "***************************************"
  47. $bind = New-Object System.DirectoryServices.DirectoryEntry(
  48.    "LDAP://$dn", $UserName, $Password
  49. )
  50. try
  51. {
  52.    $bind.RefreshCache()
  53. }
  54. catch
  55. {
  56.    $msg = $_.Exception.Message
  57.    Write-Host "Authentication Result: " -f Yellow -NoNewLine
  58.    Write-Host "FAILURE!" -f Red
  59.    if ($msg -like "*user name or password is incorrect*")
  60.    {
  61.        Write-Host "The username or password is incorrect!" -f Red
  62.    }
  63.    else
  64.    {
  65.        Write-Host $_.Exception.Message -f Red
  66.    }
  67.    break
  68. }
  69. Write-Verbose "Domain $dn was found: True"
  70. # Search for User Account -- the script invoker must have READ access to the queried domain
  71. $search = New-Object System.DirectoryServices.DirectorySearcher
  72. $search.Filter = "(&(objectClass=user)(sAMAccountName=$UserName))"
  73. $search.SearchRoot = "LDAP://$dn"
  74. $user = $search.FindOne()
  75. $userActControl = $user.Properties.useraccountcontrol[0]
  76. if (([int]$userActControl -band 2) -ne 0)
  77. {
  78.    Write-Host "User Enabled: " -NoNewLine -f Yellow
  79.    Write-Host "False" -f Red
  80.    Write-Host "Authentication Result: " -f Yellow -NoNewLine
  81.    Write-Host "FAILURE!" -f Red
  82.    break
  83. }
  84. else
  85. {
  86.    Write-Host "User Enabled: " -NoNewLine -f Yellow
  87.    Write-Host "True" -f Green
  88. }
  89. if ($null -ne $user.Properties.lockouttime)
  90. {
  91.    Write-Host "User Locked: " -NoNewLine -f Yellow
  92.    Write-Host "True" -f Red
  93.    Write-Host "Authentication Result: " -f Yellow -NoNewLine
  94.    Write-Host "FAILURE!" -f Red
  95.    break
  96. }
  97. else
  98. {
  99.    Write-Host "User Locked: " -NoNewLine -f Yellow
  100.    Write-Host "False" -f Green
  101.    Write-Host "Authentication Result: " -f Yellow -NoNewLine
  102.    Write-Host "SUCCESS!" -f Green
  103. }