32

On a Windows platform, is there any command line utility that I can pass a username, password domain name to in order to verify the credentials (or possibly give an error that the account is disabled, doesn't exist or expired)?

HopelessN00b

  • Why would *you* need to verify anyone's credentials but your own? As a responsible and respectable SysAd, you have no need to know anyone else's credentials (except perhaps root or the Domain Admin accounts). – gWaldo Jul 23 '12 at 10:34
  • @gWaldo: I came here as a software engineer who is writing an installer program which asks a user for the credentials of an existing machine account, which we then subsequently store (encrypted) for code-level Win32 API impersonation calls. I found this question and answer relevant and useful, as well as legitimate. – Mike Atlas Oct 10 '12 at 13:44
  • I set up users with a default password and instructed them to change it. Now, a couple of weeks later, I want to know who has and who hasn't. – Mark Berry Oct 21 '14 at 21:44
  • @MarkBerry you should just tick the checkbox in the user profile forcing them to change their password on the next logon. – Craig Tullis Sep 25 '15 at 08:24
  • @Craig, even if I force them to change their password at login, that still doesn't guarantee that they have logged in a week or a month later; I need a way to check from the command line. Forced password change can even lock out remote users if Network Level Authentication is enabled. And sometimes the company (customer) requires a softer touch than forcing a password change. – Mark Berry Sep 25 '15 at 22:13
  • @MarkBerry that changes the picture a little bit. IMHO, "softer touch" probably equates to "weaker security," just for the record. ;-) But you could tick the checkbox, then run queries using `dsquery` or `net user /domain` to see when they last logged in. If they have logged in, you know their password changed. If they have NOT logged in, then you know their password has NOT changed. And you can do that without having to retain any knowledge of anybody's password. – Craig Tullis Sep 25 '15 at 22:22
  • In fact, this query will show you whether the account is set to "must change password." If no, then they have logged in and changed their password. If yes, then they have NOT logged in and changed their password: `dsquery user -samid johndoe | dsget user -mustchpwd` – Craig Tullis Sep 25 '15 at 22:27
  • And this one will give you a report of all the users in your domain, and whether or not they're required to change their password. Pass this through a grep, find or findstr filter and you'll have a list of just the accounts that have not changed their password: `dsquery user | dsget user -samid -mustchpwd` – Craig Tullis Sep 25 '15 at 22:30
  • "Soft"/weak is relative. In my case, I was trying to move a small company from "everyone has the same known password" to "let's learn to improve security with unique passwords." I wound up going with a PowerShell script based on one of the answers below. If the default password still works, I know they haven't changed it yet. – Mark Berry Sep 26 '15 at 20:35

6 Answers

24

You could use the net use command, specifying the username and password on the command line (in the form net use \\unc\path /user:username password) and check the errorlevel returned to verify if a credential is valid.

The runas command would work, too, except that you're going to have a tougher time testing the output.

Testing a credential for the existence of an account would be a matter of using net user or dsquery. The net user command won't tell you if an account is locked out, but querying the lockoutTime attribute of the user account could tell you that.

Evan Anderson

  • `runas /user:username cmd` will open a new command line window as `username` if you provide the valid password and that user can log in to this computer. I commonly will open a shell to test that the password is still the default based on their personal info that I can look up. – PsychoData Feb 10 '15 at 21:41
  • For me, running the command multiple times returns 'Multiple connections to a server or shared resource by the same user'; call `net use /delete \\unc\path` before retrying. – themadmax Oct 05 '20 at 07:11
  • I agree with the comment on Feb. 10, 2015 about using `runas /user:username cmd`. It works great for local accounts; I haven't tried it for domains. If the validation fails, it will usually give a good reason why, for example it might say: "The user's password must be changed before signing in." – Gen1-1 Apr 14 '22 at 15:55
  • net use \\unc\path /user:username password always returns `System error 53 has occurred. The network path was not found.` with every username/password I type, even with an unreal user? – Pham X. Bach Jul 06 '22 at 09:55
19

In Powershell:

Function Test-ADAuthentication {
    param($username, $password)
    # Reading a property is what performs the bind; a rejected bind throws,
    # so catch it instead of letting the error land in the error stream.
    try   { $null -ne (New-Object DirectoryServices.DirectoryEntry "", $username, $password).psbase.Name }
    catch { $false }
}

PS C:\> Test-ADAuthentication "dom\myusername" "mypassword"
True
PS C:\>

Reference: https://stackoverflow.com/questions/7663219/how-to-authenticate-an-user-in-activedirectory-with-powershell

user224310

  • I'm getting `ObjectNotFound: (Test-ADAuthentication:String) [], CommandNotFoundException` here. Does this exclusively work on a domain controller and not for local accounts? – SaAtomic Jun 12 '17 at 05:41
  • @SaAtomic You need to define the function in your session before running it. `Test-ADAuthentication` is not built into PowerShell. – Kellen Stuart Sep 27 '17 at 19:51
  • One thing I really don't like about your answer is you don't read the password in as a secure string. Plain text passwords are always a bad idea. `$pass = Read-Host -assecurestring 'Enter password'` – Kellen Stuart Sep 27 '17 at 19:52
  • This answer does not contain all the code required. – Nick.McDermaid Jul 15 '22 at 02:23
3

Try this:

net use \\%userdnsdomain% /user:%userdomain%\%username% *

%Errorlevel% is 0 if password is Ok.

The asterisk at the end of the command line forces it to prompt for the password.

Vicente G.
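An added example, not from any of the answers on this page, that scripts the net use check from the first answer and from the answer just above in PowerShell so a script gets a verdict plus a reason instead of a bare %ERRORLEVEL%. It also handles the two failure modes reported in the comments: error 1219 from a leftover session to the same server, and error 53, which means the path, not the credential, was wrong. The share \\dc01\netlogon and the account names are placeholders; the numeric codes are the Win32 error codes that net use prints as "System error N has occurred." (the wording is localized, so the regex assumes an English system). Two caveats: a password on the command line is visible in the process list and the shell history, so for interactive use prefer the `*` prompt form above; and each failed attempt counts against the account's lockout threshold. Note also that runas without /netonly performs a real interactive logon and rejects a wrong password before opening a window, while with /netonly the credential is only used for later network connections and is not checked at launch.

```powershell
function Test-NetUseCredential {
    param(
        [Parameter(Mandatory)][string]$Path,      # a share the account may read, e.g. \\dc01\netlogon (placeholder)
        [Parameter(Mandatory)][string]$User,      # DOMAIN\user or user@domain.tld
        [Parameter(Mandatory)][string]$Password
    )

    # A leftover connection to the same server under other credentials makes
    # net use fail with 1219 regardless of the password, so drop it first.
    $null = & net.exe use $Path /delete /y 2>&1

    $output = (& net.exe use $Path /user:$User $Password 2>&1 | Out-String)
    $exit   = $LASTEXITCODE

    # Tear the connection down again: we wanted a verdict, not a mapped share.
    $null = & net.exe use $Path /delete /y 2>&1

    if ($exit -eq 0) {
        return [pscustomobject]@{ Valid = $true; Code = 0; Reason = 'credential accepted' }
    }

    # net use reports failures as "System error <n> has occurred." (English locale);
    # <n> is the Win32 error code, which is what actually tells the cases apart.
    $code = if ($output -match 'System error (\d+)') { [int]$Matches[1] } else { -1 }
    $reason = switch ($code) {
        53   { 'ERROR_BAD_NETPATH: share not found; the credential was never tested' }
        1219 { 'ERROR_SESSION_CREDENTIAL_CONFLICT: another session to this server exists; net use /delete it and retry' }
        1326 { 'ERROR_LOGON_FAILURE: wrong password (a nonexistent user gives the same code)' }
        1327 { 'ERROR_ACCOUNT_RESTRICTION: e.g. blank password not allowed, or outside logon hours' }
        1330 { 'ERROR_PASSWORD_EXPIRED' }
        1331 { 'ERROR_ACCOUNT_DISABLED' }
        1907 { 'ERROR_PASSWORD_MUST_CHANGE: password is correct but must be changed at next logon' }
        1909 { 'ERROR_ACCOUNT_LOCKED_OUT' }
        default { "unrecognised failure, exit code $exit, output: $($output.Trim())" }
    }
    [pscustomobject]@{ Valid = $false; Code = $code; Reason = $reason }
}

# Usage (placeholder names):
# Test-NetUseCredential -Path '\\dc01\netlogon' -User 'CORP\jdoe' -Password 'S3cret!'
```

If 1219 keeps coming back, run a plain `net use` to list the sessions the current logon already holds; an Explorer window open on the same server is enough to trigger it, and the function only deletes the connection to the path it was given.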
2

cmdkey is the cmd-line interface for adding, removing, listing credentials that are used for things like net use or remote desktop.

cmdkey /add:<target> /user:<username> /pass:<password> will add the credentials for a domain

Then using net use <domain UNC> won't require the subsequent credential passage.

I believe it is named cmdkey as it is command-line way of adding keys/credentials.

1

Just wanted to add that since AD is an LDAP server, you can use an LDAP command line tool to 'bind' to it, thus confirming whether or not it is active. You can also bind as a user with higher privileges and then seach AD using LDAP principles.

But hey-- nothing wrong with Powershell!
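The LDAP bind described in the answer above, done from PowerShell in the spirit of the Test-ADAuthentication answer earlier on this page, as an added example that is not part of any answer here. It takes the password as a SecureString (the point raised in the comments on that answer), then reads the account's state with the caller's own credentials so that a False result comes with a reason: disabled, locked out, expired, must-change, or no such account, which is what the question asked for. The first answer suggests lockoutTime for the locked-out check; that attribute stays non-zero after the lockout duration has elapsed, so this uses the constructed msDS-User-Account-Control-Computed attribute, which the DC evaluates correctly. It assumes a domain-joined machine whose current user may read the target account; the names in the usage lines are placeholders. A failed bind increments the account's badPwdCount like any other failed logon, so do not loop this over password guesses against production accounts.

```powershell
function Test-ADCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,        # DOMAIN\user or user@domain.tld
        [Parameter(Mandatory)][securestring]$Password   # e.g. from Read-Host -AsSecureString
    )

    # 1. Bind to the directory as the user. The plaintext exists only for the
    #    duration of the bind and the unmanaged copy is zeroed afterwards.
    $bound = $false; $bindError = $null
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList '', $UserName, $plain
        try {
            $null = $entry.psbase.Name      # the first property read is what performs the bind
            $bound = $true
        } catch {
            # innermost message, e.g. "Logon failure: unknown user name or bad password."
            $bindError = $_.Exception.GetBaseException().Message
        } finally {
            $entry.psbase.Dispose()
        }
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        Remove-Variable -Name plain -ErrorAction SilentlyContinue
    }

    # 2. Read the account's state with the caller's own credentials, so a False
    #    above comes with a reason (and a missing account is reported as such).
    $sam = if ($UserName.Contains('\')) { $UserName.Split('\')[-1] }
           elseif ($UserName.Contains('@')) { $UserName.Split('@')[0] }
           else { $UserName }
    # Escape LDAP filter metacharacters (RFC 4515) so the name cannot alter the query.
    $escaped = $sam.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    $searcher = New-Object System.DirectoryServices.DirectorySearcher   # default root: current domain
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $searcher.PropertiesToLoad.AddRange([string[]]('userAccountControl', 'msDS-User-Account-Control-Computed', 'pwdLastSet'))
    $hit = $searcher.FindOne()

    if ($null -eq $hit) {
        return [pscustomobject]@{ Authenticated = $bound; Exists = $false; BindError = $bindError }
    }
    $uac        = [int]$hit.Properties['useraccountcontrol'][0]
    $computed   = [int]$hit.Properties['msds-user-account-control-computed'][0]  # constructed attribute; must be requested explicitly
    $pwdLastSet = [long]$hit.Properties['pwdlastset'][0]

    [pscustomobject]@{
        Authenticated        = $bound
        Exists               = $true
        BindError            = $bindError
        Disabled             = [bool]($uac -band 0x2)            # ACCOUNTDISABLE
        PasswordNeverExpires = [bool]($uac -band 0x10000)        # DONT_EXPIRE_PASSWORD
        LockedOut            = [bool]($computed -band 0x10)      # LOCKOUT, honours the lockout duration
        PasswordExpired      = [bool]($computed -band 0x800000)  # PASSWORD_EXPIRED
        MustChangePassword   = ($pwdLastSet -eq 0)               # pwdLastSet 0 = "must change password at next logon"
    }
}

# Usage (interactive, so the password never lands in the command history; placeholder names):
# $pw = Read-Host -AsSecureString 'Password'
# Test-ADCredential -UserName 'CORP\jdoe' -Password $pw
```

The .NET string that holds the unwrapped password cannot be scrubbed from managed memory, so this only minimises its lifetime; if that matters in your environment, the bind has to happen in native code or via an API that accepts the SecureString directly.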

0

Further to PsychoData's comment above.

I need to test a service account which is part of a "no interaction" AD group that has been given access to a share that is not available from any VM that I can use to test. I had to use this syntax to confirm the password was correct:

runas /noprofile /netonly /user:domain\serviceaccount cmd

I can confirm that if the pwd is correct, this pops up a cmd window.

Other syntaxes (including the NET USE syntax) gave me various ambiguous results.

Nick.McDermaid