I am using Get-Credential to require my operator to provide his AD creds before running my script; some of the actions in my script require admin privilege.
Thanks to folks here, I have successfully attained credential input and validated name and password against AD.
Next, I’d like to take that valid AD identity and confirm it has administrator privilege - specifically privilege to change computer name and some of the Computer Object attributes (Location, description, managed by, etc.)
Can’t figure out how to test the privilege of the identity now that I know it’s a valid AD account.
Here is the pertinent code I’m using:
First get ID and PW from the operator
So, at this point, $domain is not $null and I know that the operator entered a valid username/password. Next, I need to determine if the operator has Admin Privilege.
Based on my interpretation, OP is wanting to check if the account has rights to 1) Change the computer name and 2) update some AD attributes for the computer account. I personally wouldn’t check if they have privileges, I would simply try the action and handle errors. If the account doesn’t have the rights, you’ll find out.
Thanks - a fresh brain this morning caught what I missed yesterday in the initial post about what was needed. I agree - the use of some try/catch logic around those calls would be a good way to handle “can these creds do these things” in the code.
Here’s my take, with the assistance of CoPilot, on the OP’s question using the OP’s previously submitted code extract:
function Test-DomainAdminRights {
param (
[string[]]$GroupNames = @("Administrators", "Enterprise Admins", "Domain Admins")
)
# Prompt for user credentials
$OpCreds = Get-Credential -ErrorAction SilentlyContinue
$username = $OpCreds.username
$password = $OpCreds.GetNetworkCredential().password
$CurrentDomain = "LDAP://" + ([ADSI]).distinguishedName
$domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain, $username, $password)
try {
# Create a context for the specified domain
$context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
# Validate the credentials
if ($context.ValidateCredentials($username, $password)) {
# Check if the user is a member of any of the specified groups
$userPrincipal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($context, $username)
$isAdmin = $false
foreach ($groupName in $GroupNames) {
$groupPrincipal = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($context, $groupName)
if ($userPrincipal -and $groupPrincipal -and $groupPrincipal.Members.Contains($userPrincipal)) {
$isAdmin = $true
break
}
}
if ($isAdmin) {
Write-Output "The user has administrative rights on the domain."
} else {
Write-Output "The user does not have administrative rights on the domain."
}
} else {
Write-Output "Invalid credentials."
}
} catch {
Write-Output "An error occurred: $_"
}
}
Yes, I use AI when fighting with code. I usually start with a detailed pseudo-code outline of exactly what I’m trying/want to do. Then I test the raw AI-generated code using VS Code, clean up the crap, test again, streamline, then test again.
AI is a great tool, but it is completely incapable of creative thought, abstract reasoning to a degree, and critical thinking. Pretty much useless if one doesn’t have a reasonable grasp of the basic theory/logic of the question.
A couple of examples:
Students are permitted to use calculators during Algebra, Geometry, Trig, or Chemistry exams. But, if said students don’t have a firm grasp of the theory involved, i.e. how to properly ask the question, calculators are effectively worthless.
Backhoes with augurs are great for digging holes, but said backhoes with augurs won’t do you a damn bit of good if you’re not digging in the right place.
It sounds like you’ve made great progress with validating the credentials against Active Directory using Get-Credential. Now, to check if the provided AD account has the necessary administrative privileges, you can try using Get-ADUser or Get-ADGroupMember to see if the user is part of the required groups, like “Domain Admins” or a specific group with permissions to change computer names or modify Computer Object attributes. Another approach is to use Test-ADCredential and then check the user’s group memberships against a list of groups with the privileges needed for those tasks. You could also script a check for the user’s permissions directly on the Computer Object in Active Directory.