Credential Check for the Protected Users Group

I am using the snippet below currently and it works well except for users in the Protected Users group. Does anyone have a good way to check on protected users?

# Load the AccountManagement API (Add-Type replaces the deprecated LoadWithPartialName call)
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, '<yourdomain>')
# Returns $true or $false; each call is one logon attempt against the lockout policy
$principalContext.ValidateCredentials('<user>', '<password>')

I am thinking of trying to send a NOOP command like Invoke-Command -Credential <credObject> -ComputerName <someDC> -ScriptBlock {Get-ChildItem} in a try/catch, but that requires finding a DC and then sending out the command, and it seems sloppy.

Thank You,

John

Don’t know. It’s likely expected behavior, though. We’d have to know how that method works under the hood. The Stack Overflow thread “c# - PrincipalContext.ValidateCredentials always returns FALSE” may have some hints, as there’s a response that supposedly has details on how it works. Cross that with the docs on Protected Users and you might be able to find out why.

Is this for some application you’re building or what exactly? Perhaps there are other alternatives for validating creds.

Can you clarify what protected users is?

I think he means the protected users group in AD:

Protected Users Security Group | Microsoft Learn


Wow I’m surprised I don’t already know about this. Thanks y’all.

We’ve never used it… because you can’t use cached creds with it, which really sucks, heh.

Yes, I was talking about the AD group, and yes, it sucks. It is mandatory for our DC admin accounts.

Thank you dotnVo for the link. It was helpful in learning a little more about what the code is doing, but after looking at it and reading more on the restrictions of the Protected Users group, I don’t see it working.

As for “what exactly”: I am building, or rather upgrading, a tool for our administrators to do routine tasks a little faster and uniformly. When opening the script they are prompted to enter any credentials they would need for the tasks they are doing in the moment. Before the credentials are used I would like to check them, as it is common to have many Invoke-Commands going out. A mistyped password would instantly lock the account.

I ended up making a sloppy workaround with Invoke-Command -Credential <credObject> -ComputerName <someDC> -ScriptBlock {Get-ChildItem} in a try/catch block. It just feels bad. I might just tell the domain admins they don’t get to check the password before running the script.

Thank You,

John
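An alternative to both the ValidateCredentials snippet in the first post and the Invoke-Command try/catch workaround in the last one, added here as an example and not code from John or anyone else in the thread: do a single LDAP bind against a DC with AuthType.Kerberos. Members of Protected Users are documented as unable to authenticate with NTLM, and a Negotiate-style bind (what ValidateCredentials uses) can end up at NTLM, whereas AuthType.Kerberos never falls back, so a Protected Users member can bind here as long as the DC is reachable over Kerberos. The function name Test-DomainCredential, the optional -DomainController parameter and the use of the domain locator to pick a DC are this example's own choices; it assumes Windows PowerShell 5.1 or PowerShell 7 on a domain-joined Windows host with port 389 open to a DC.

```powershell
# Added example, not the original poster's code. Validates a PSCredential with one
# Kerberos-only LDAP bind. Assumptions: domain-joined Windows host, .NET
# System.DirectoryServices.Protocols available, DC reachable on TCP 389.
function Test-DomainCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        # Hypothetical optional override; when omitted the DC locator picks a DC
        # for the computer's domain, so the caller does not have to find one.
        [string]$DomainController
    )

    Add-Type -AssemblyName System.DirectoryServices
    Add-Type -AssemblyName System.DirectoryServices.Protocols

    if (-not $DomainController) {
        $DomainController = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController().Name
    }

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 389)
    # AuthType.Kerberos: SSPI uses Kerberos only, no NTLM fallback, which is what a
    # Protected Users member needs. Credential is DOMAIN\user or user@domain form.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
        $identifier,
        $Credential.GetNetworkCredential(),
        [System.DirectoryServices.Protocols.AuthType]::Kerberos)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true   # sign and seal the session so the bind is not a
    $conn.SessionOptions.Sealing = $true   # plaintext LDAP exchange on the wire

    try {
        $conn.Bind()   # exactly one logon attempt against the lockout threshold
        return $true
    }
    catch {
        # PowerShell wraps .NET exceptions in MethodInvocationException; unwrap it
        $ex = $_.Exception
        if ($ex -isnot [System.DirectoryServices.Protocols.LdapException] -and $ex.InnerException) {
            $ex = $ex.InnerException
        }
        # LDAP result code 49 = invalidCredentials (bad password, wrong user, blocked logon).
        # Anything else (no DC, KDC unreachable, SSPI setup failure) is not a password
        # problem and should surface to the caller rather than be reported as "bad password".
        if ($ex -is [System.DirectoryServices.Protocols.LdapException] -and $ex.ErrorCode -eq 49) {
            return $false
        }
        throw
    }
    finally {
        $conn.Dispose()
    }
}

# Usage from the admin tool: prompt once, test once, then fan out the real work.
$cred = Get-Credential -Message 'Enter the admin credential for this session'
if (-not (Test-DomainCredential -Credential $cred)) {
    throw "Credential check failed for $($cred.UserName); not running any Invoke-Command with it."
}
```

Two caveats a practitioner should keep in mind. First, this does not avoid the lockout problem, it only bounds it: one failed bind is one bad-password count, instead of one per Invoke-Command target. Second, a return of $false from a Kerberos bind means the KDC refused the logon, which for a Protected Users member can also be a policy refusal (for example a ticket encryption type the group forbids) rather than a typo; only the DC's security log tells the two apart.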