#PSTip Verify Active Directory account credentials using System.DirectoryServices.DirectoryEntry

The System.DirectoryServices.AccountManagement namespace provides a nice way of testing whether a set of Active Directory credentials is correct (also discussed in PSTip Validating Active Directory user credentials). Another method is to use the System.DirectoryServices.DirectoryEntry class to create an LDAP connection to the default domain. By default every user should be able to access this entry, so a successful bind can be used to verify the Active Directory credentials of a user account. The following example shows the basic workings of the class.

PS > $DomainDN = ([adsi]'').distinguishedName
PS > New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDN",'jaapbrasser','Secret01')
format-default : The following exception occurred while retrieving member "distinguishedName": "The user name or password is incorrect."
    + CategoryInfo          : NotSpecified: (:) [format-default], ExtendedTypeSystemException
    + FullyQualifiedErrorId : CatchFromBaseGetMember,Microsoft.PowerShell.Commands.FormatDefaultCommand

Unlike System.DirectoryServices.AccountManagement, the output is not $true or $false. Instead, an error is generated if the class is provided with incorrect credentials. If the credentials are correct, the returned object will contain the distinguishedName property; this property will be used to create the Boolean output.

$DomainDN = ([adsi]'').distinguishedName
$Account = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDN",'jaapbrasser','Secret01')
[bool]$Account.distinguishedName

Now we get output similar to what the System.DirectoryServices.AccountManagement class provides. This is obviously more work to implement but you can wrap this in a function and reuse it when needed. An advantage of this class is that no additional DLLs are required for this script to function.
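The function below is an added example of such a wrapper, not code from the original tip: it takes a PSCredential so the password is not typed in clear text on the command line, requests a Secure (Kerberos/NTLM) bind rather than a simple bind that would send the password in clear text to the LDAP server, forces the bind with RefreshCache() so that a failure is a terminating error the try/catch can turn into $false, and disposes the DirectoryEntry afterwards. The function name Test-ADCredential is an assumption.

```powershell
function Test-ADCredential {
    <#
    .SYNOPSIS
        Returns $true when the supplied credentials bind successfully to the
        default domain, $false otherwise.
    #>
    [CmdletBinding()]
    [OutputType([bool])]
    param (
        # PSCredential keeps the password out of the command line and history
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]
        $Credential,

        # Defaults to the DN of the domain the current computer is joined to
        [string]$DomainDN = ([adsi]'').distinguishedName
    )

    $entry = $null
    try {
        # Secure requests an authenticated (Kerberos/NTLM) bind instead of a
        # simple bind, so the password is not sent to the DC in clear text
        $entry = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$DomainDN",
            $Credential.UserName,
            $Credential.GetNetworkCredential().Password,
            [System.DirectoryServices.AuthenticationTypes]::Secure
        )
        # The bind only happens on first use; RefreshCache() forces it and
        # throws a terminating error when the credentials are rejected
        $entry.RefreshCache()
        return [bool]$entry.distinguishedName
    }
    catch {
        # Bad password, disabled or locked-out account, or unreachable DC all
        # land here; keep the reason in the verbose stream, not the output
        Write-Verbose "Bind as '$($Credential.UserName)' failed: $($_.Exception.Message)"
        return $false
    }
    finally {
        if ($entry) { $entry.Dispose() }
    }
}

# Usage: Get-Credential prompts interactively, so the password never appears
# in the script or the console history
Test-ADCredential -Credential (Get-Credential) -Verbose
```

Each failed call is a failed bind against the domain controller, so it counts towards the account lockout threshold like any other bad logon; do not loop it over a list of accounts.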
