How to check entered credentials for administrator privilege

I am using Get-Credential to require my operator to provide his AD creds before running my script; some of the actions in my script require admin privilege.

Thanks to folks here, I have successfully attained credential input and validated name and password against AD.

Next, I’d like to take that valid AD identity and confirm it has administrator privilege - specifically privilege to change computer name and some of the Computer Object attributes (Location, description, managed by, etc.)

Can’t figure out how to test the privilege of the identity now that I know it’s a valid AD account.

Here is the pertinent code I’m using:
First get ID and PW from the operator

$OpCreds = Get-Credential -ErrorAction SilentlyContinue

Then I test that the operator’s username/password combination is valid

$username = $OpCreds.username
$password = $OpCreds.GetNetworkCredential().password
$CurrentDomain = LDAP:// + ([ADSI]).distinguishedName
$domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,$UserName,$Password)|

So, at this point, $domain is not $null and I know that the operator entered a valid username/password. Next, I need to determine if the operator has Admin Privilege.

Suggestions?

—K

If the script is meant to run local commands that require admin privileges then just add
#require -RunAsAdministrator
as the first line in the script

1 Like

Just for clarification - when you say “has Admin privilege” do you mean:

  • is running the PowerShell session elevated (run as Admin)
  • is a member of the local Administrators group on the computer
  • is a member of an AD Administrators group

Powershell is running as admin which would imply the credentials provided or the user in use is a privileged user

Based on my interpretation, OP is wanting to check if the account has rights to 1) Change the computer name and 2) update some AD attributes for the computer account. I personally wouldn’t check if they have privileges, I would simply try the action and handle errors. If the account doesn’t have the rights, you’ll find out.

3 Likes

Thanks - a fresh brain this morning caught what I missed yesterday in the initial post about what was needed. I agree - the use of some try/catch logic around those calls would be a good way to handle “can these creds do these things” in the code.

Here’s my take, with the assistance of CoPilot, on the OP’s question using the OP’s previously submitted code extract:

function Test-DomainAdminRights {
    param (
        [string[]]$GroupNames = @("Administrators", "Enterprise Admins", "Domain Admins")
    )

    # Prompt for user credentials
    $OpCreds = Get-Credential -ErrorAction SilentlyContinue
    $username = $OpCreds.username
    $password = $OpCreds.GetNetworkCredential().password
    $CurrentDomain = "LDAP://" + ([ADSI]).distinguishedName
    $domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain, $username, $password)

    try {
        # Create a context for the specified domain
        $context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)

        # Validate the credentials
        if ($context.ValidateCredentials($username, $password)) {
            # Check if the user is a member of any of the specified groups
            $userPrincipal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($context, $username)
            $isAdmin = $false

            foreach ($groupName in $GroupNames) {
                $groupPrincipal = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($context, $groupName)
                if ($userPrincipal -and $groupPrincipal -and $groupPrincipal.Members.Contains($userPrincipal)) {
                    $isAdmin = $true
                    break
                }
            }

            if ($isAdmin) {
                Write-Output "The user has administrative rights on the domain."
            } else {
                Write-Output "The user does not have administrative rights on the domain."
            }
        } else {
            Write-Output "Invalid credentials."
        }
    } catch {
        Write-Output "An error occurred: $_"
    }
}

Yes, I use AI when fighting with code. I usually start with a detailed pseudo-code outline of exactly what I’m trying/want to do. Then I test the raw AI-generated code using VS Code, clean up the crap, test again, streamline, then test again.

AI is a great tool, but it is completely incapable of creative thought, abstract reasoning to a degree, and critical thinking. Pretty much useless if one doesn’t have a reasonable grasp of the basic theory/logic of the question.

A couple of examples:

  • Students are permitted to use calculators during Algebra, Geometry, Trig, or Chemistry exams. But, if said students don’t have a firm grasp of the theory involved, i.e. how to properly ask the question, calculators are effectively worthless.
  • Backhoes with augurs are great for digging holes, but said backhoes with augurs won’t do you a damn bit of good if you’re not digging in the right place. :wink:

It sounds like you’ve made great progress with validating the credentials against Active Directory using Get-Credential. Now, to check if the provided AD account has the necessary administrative privileges, you can try using Get-ADUser or Get-ADGroupMember to see if the user is part of the required groups, like “Domain Admins” or a specific group with permissions to change computer names or modify Computer Object attributes. Another approach is to use Test-ADCredential and then check the user’s group memberships against a list of groups with the privileges needed for those tasks. You could also script a check for the user’s permissions directly on the Computer Object in Active Directory.