11

I can successfully use Powershell to tell if a user authenticates in Active Directory:

Function Test-ADAuthentication {
    param($username,$password)
    # Bind to the default naming context with the supplied credentials;
    # .name comes back $null when the bind (and therefore the password) fails
    (new-object directoryservices.directoryentry "",$username,$password).psbase.name -ne $null
}

Test-ADAuthentication "test" "Password1"

However, I cannot for the life of me figure out how to:

  1. Check if the password needs to be reset, while
  2. Verifying the credentials sent did work on their last password.

How could one go about this?

dthree
  • somewhat better solution to the same problem here: http://stackoverflow.com/questions/7663219/how-to-authenticate-an-user-in-activedirectory-with-powershell – Nick Kavadias Jul 13 '15 at 08:10

2 Answers

12

Credentials can be tested by running a process. An example below,

Start-Process -FilePath cmd.exe /c -Credential (Get-Credential -UserName $username -Message 'Test Credential')

Or simply:

Start-Process -FilePath cmd.exe /c -Credential (Get-Credential)

You will be presented with a prompt to enter a password. If you need to read the password from a string (bad practice), you need to initialize the credential object beforehand. More details on that method can be found in the help.

Get-Help Get-Credential
MFT
  • You might find this start-process will not work anyway if the user does not have remoting rights.... I found the answers here helpful. https://serverfault.com/questions/276098/check-if-user-password-input-is-valid-in-powershell-script – andrew pate Jan 03 '20 at 15:27
0

Here's a way to get the remaining days for a given user before their password expires:

(([datetime]::FromFileTime((Get-ADUser user -Properties "msDS-UserPasswordExpiryTimeComputed")."msDS-UserPasswordExpiryTimeComputed")) - (Get-Date)).TotalDays

If the number is 0 or negative, then the password has expired.

This command will check if the user account is locked:

(Get-ADUser user -Properties LockedOut).LockedOut

As for the second question - if I understand correctly you want to see if their currently entered password is the same as the previously used one.

This is not possible as far as I know - with certain policies AD can keep a record of previous passwords, but they are not exposed for external access.

Stoinov
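The following is an added example and not code from the question or from either answer. It puts the two halves together: the ADSI bind from the question is used to test the credentials, and the expiry and lockout lookups from the last answer are run alongside it. When the bind fails, the function classifies the reason from the Win32 logon error carried in the low 16 bits of the COMException HRESULT (0x8007xxxx), which is how a "password expired" or "must change password" outcome can be told apart from a plain wrong password. It assumes the ActiveDirectory module is installed, that the caller may read the target user's attributes, and that the current domain ($env:USERDNSDOMAIN) is the one to bind to; the function name, parameter names and the account in the usage comment are all hypothetical.

```powershell
# Added example (not from the question or either answer): verify a user's current
# password with an ADSI bind, classify a failed bind by its Win32 error code, then
# report password-expiry and lockout state from Get-ADUser.
# Assumes: ActiveDirectory module present; caller can read the user's attributes.

function Test-ADCredentialState {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password,
        [string] $Domain = $env:USERDNSDOMAIN   # assumption: bind to the current domain
    )

    # Win32 logon error codes as found in the low 16 bits of the bind HRESULT.
    $bindOutcome = @{
        0x52E = 'LogonFailure'        # 1326: wrong user name or password
        0x532 = 'PasswordExpired'     # 1330: password was correct, but has expired
        0x533 = 'AccountDisabled'     # 1331
        0x773 = 'PasswordMustChange'  # 1907: password was correct, must change at next logon
        0x775 = 'AccountLockedOut'    # 1909
    }

    $plain  = [System.Net.NetworkCredential]::new('', $Password).Password
    $report = [ordered]@{ User = $UserName; Bind = $null; Win32Error = $null }

    try {
        $entry = [System.DirectoryServices.DirectoryEntry]::new(
            "LDAP://$Domain", "$Domain\$UserName", $plain)
        $null = $entry.NativeObject      # forces the bind; throws when it fails
        $report.Bind = 'Success'
    } catch {
        # PowerShell wraps the COMException; walk down to it to read the HRESULT.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Runtime.InteropServices.COMException]) {
            $ex = $ex.InnerException
        }
        if ($ex) {
            $code = $ex.ErrorCode -band 0xFFFF
            $report.Win32Error = $code
            $report.Bind = if ($bindOutcome.ContainsKey($code)) { $bindOutcome[$code] } else { 'OtherError' }
        } else {
            $report.Bind = 'OtherError'
        }
    } finally {
        $plain = $null                   # drop the clear-text copy as soon as possible
    }

    # Expiry and lockout state, independent of whether the bind succeeded.
    $u = Get-ADUser -Identity $UserName -Properties msDS-UserPasswordExpiryTimeComputed, LockedOut, PasswordNeverExpires
    $raw = [int64] $u.'msDS-UserPasswordExpiryTimeComputed'
    if ($u.PasswordNeverExpires -or $raw -eq [int64]::MaxValue) {
        # AD reports 0x7FFFFFFFFFFFFFFF for "never expires"; FromFileTime would throw on it.
        $report.PasswordExpires = $null
        $report.DaysUntilExpiry = $null
    } else {
        $expires = [datetime]::FromFileTime($raw)
        $report.PasswordExpires = $expires
        $report.DaysUntilExpiry = [math]::Round(($expires - (Get-Date)).TotalDays, 1)
    }
    $report.LockedOut = [bool] $u.LockedOut

    [pscustomobject] $report
}

# Usage (hypothetical account). The supplied password is proven correct when Bind is
# 'Success', 'PasswordExpired' or 'PasswordMustChange'; 'LogonFailure' means it was wrong.
# $cred = Get-Credential -Message 'Account to test'
# Test-ADCredentialState -UserName $cred.GetNetworkCredential().UserName -Password $cred.Password
```

The point of mapping the error code rather than just testing for a null name is that an expired password and a wrong password both make the plain bind fail, so the question's yes/no check cannot tell them apart. A 1330 or 1907 result only comes back after the domain controller has accepted the password, which is exactly the "credentials worked on their last password, but a reset is due" case the question asks about. Values other than the ones in the table are reported as 'OtherError' with the raw code kept in Win32Error for inspection.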