Home / server / Questions / 410240
Accepted
wiki
Asked: 2012-07-24 02:00:21 +0800 CST

Is there a Windows command line utility to verify user credentials?

  • 772

On a Windows platform, is there any command line utility that I can pass a username, password domain name to in order to verify the credentials (or possibly give an error that the account is disabled, doesn't exist or expired)?

windows

6 Answers

  1. Best Answer

    You could use the net use command, specifying the username and password on the command-line (in the form net use \\unc\path /user:username password and check the errorlevel returned to verify if a credential is valid.

    The runas command would work, too, except that you're going to have a tougher time testing the output.

    Testing a credential for the existence of an account would be a matter of using net user or dsquery. The net user command won't tell you if an account is locked out, but querying the lockoutTime attribute of the user account could tell you that.

    • 24

  2. In Powershell:

    Function Test-ADAuthentication {
    param($username,$password)
    (new-object directoryservices.directoryentry "",$username,$password).psbase.name -ne $null
    }

PS C:\> Test-ADAuthentication "dom\myusername" "mypassword"
True
PS C:\>

    Reference: https://stackoverflow.com/questions/7663219/how-to-authenticate-an-user-in-activedirectory-with-powershell

    • 19

  3. Try this:

    net use \\%userdnsdomain% /user:%userdomain%\%username% *

    %Errorlevel% is 0 if password is Ok.

    Asterisk at the end of the sentence forces to ask for password.

    • 3

  4. cmdkey is the cmd-line interface for adding, removing, listing credentials that are used for things like net use or remote desktop.

    cmdkey /target <domain> /user:<username> /pass:<pass> will add the credentials for a domain

    Then using net use <domain UNC> won't require the subsequent credential passage.

    I believe it is named cmdkey as it is command-line way of adding keys/credentials.

    • 2

  5. Just wanted to add that since AD is an LDAP server, you can use an LDAP command line tool to 'bind' to it, thus confirming whether or not it is active. You can also bind as a user with higher privileges and then seach AD using LDAP principles.

    But hey-- nothing wrong with Powershell!

    • 1

  6. Further to PsychoData's comment above.

    I need to test a service account which is part of a "no interaction" AD group that has been given access to a share that is not available from any VM that I can use to test. I had to use this syntax to confirm the password was correct;

    runas /noprofile /netonly /user:domain\serviceaccount cmd

    I can confirm that if the pwd is correct, this pops up a cmd window

    Other syntaxes (including the NET USE syntax) gave me various ambigous results.

    • 0