How to Validate Windows User Credentials via Command Line: Username/Password/Domain Verification



Windows provides several built-in methods to verify user credentials programmatically:

runas /user:DOMAIN\username "cmd /k echo Success"

The runas command will prompt for password input and return error codes:

  • 1326: Logon failure (invalid credentials)
  • 1331: Account disabled
  • 1327: User must change password

For more control, use PowerShell with .NET authentication:

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
    [System.DirectoryServices.AccountManagement.ContextType]::Domain,
    "DOMAIN"
)
$context.ValidateCredentials("username", "password")

For enterprise environments, compile this C# validator:

using System;
using System.DirectoryServices.AccountManagement;

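class CredValidator {
    // Exit codes: 0 = valid, 2 = invalid, 1 = wrong usage.
    // Note: the password is passed as a command-line argument, so it is visible
    // in process listings and in command-line audit logs while the tool runs.
    static int Main(string[] args) {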
        if (args.Length != 3) {
            Console.WriteLine("Usage: validator.exe domain username password");
            return 1;
        }

        using (var context = new PrincipalContext(ContextType.Domain, args[0])) {
            if (context.ValidateCredentials(args[1], args[2])) {
                Console.WriteLine("Valid credentials");
                return 0;
            } else {
                Console.WriteLine("Invalid credentials");
                return 2;
            }
        }
    }
}

When implementing credential verification, handle these common scenarios:

  • Account lockout policies (prevent brute force attempts)
  • Password expiration notifications
  • Domain controller availability
  • SSL/TLS requirements for secure transmission

Always follow these guidelines:

# Never store passwords in scripts
# Use secure string in PowerShell:
$cred = Get-Credential
# Implement proper logging without password retention
# Consider using Windows Credential Manager for storage

When automating Windows administration tasks, we often need to verify credentials before allowing operations. While GUI tools exist, command-line solutions are essential for scripting scenarios. Let's explore the available options.

Windows provides several built-in methods for credential verification:

1. RUNAS Command (Basic Check)

The simplest approach uses the runas command with /savecred:

runas /user:DOMAIN\username /savecred "cmd /c exit"

This attempts to start a process with the credentials. Note that /savecred caches the credentials on the machine, so later invocations for the same user run without prompting for a password.

2. PowerShell Test-WSMan (Modern Approach)

For newer systems, PowerShell offers cleaner solutions:

$cred = Get-Credential
Test-WSMan -ComputerName localhost -Credential $cred -Authentication Default

This returns detailed success/failure information.

For more control, consider these techniques:

Windows API via C#

Create a simple C# console app using the LogonUser API:

using System;
using System.Runtime.InteropServices;

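class CredValidator {
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
    static extern bool LogonUser(
        string lpszUsername,
        string lpszDomain,
        string lpszPassword,
        int dwLogonType,
        int dwLogonProvider,
        out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError=true)]
    static extern bool CloseHandle(IntPtr hObject);

    public static bool Validate(string domain, string user, string pass) {
        IntPtr token;
        bool ok = LogonUser(user, domain, pass,
            LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, out token);
        // On failure, Marshal.GetLastWin32Error() gives the reason (e.g. 1326).
        if (ok) {
            CloseHandle(token); // release the logon token; only the result is needed
        }
        return ok;
    }
}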

Proper credential validation should distinguish between:

  • ERROR_LOGON_FAILURE (wrong password)
  • ACCOUNT_DISABLED
  • PASSWORD_EXPIRED
  • NO_SUCH_USER

Always remember:

  • Never store passwords in scripts
  • Use secure string handling
  • Consider certificate-based authentication where possible
  • Audit all credential validation attempts
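
Added example (not from the original article): a PowerShell wrapper around the LogonUser call shown above that keeps the password out of script text and managed strings, returns the Win32 error code so the failure cases listed above can be told apart, and writes an audit record that never contains the password. The names Example.Native, TryLogon, Test-LogonCredential and the log path are hypothetical; it assumes the user name is entered as DOMAIN\username or as a bare user name (UPN form is not handled).

```powershell
# Added example; Example.Native, TryLogon and Test-LogonCredential are hypothetical names.
Add-Type -Namespace Example -Name Native -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern bool LogonUser(string user, string domain, IntPtr password,
    int logonType, int logonProvider, out IntPtr token);

[DllImport("kernel32.dll", SetLastError = true)]
static extern bool CloseHandle(IntPtr handle);

// Returns 0 on success, otherwise the Win32 error code (e.g. 1326, 1331).
public static int TryLogon(string user, string domain, IntPtr password) {
    IntPtr token;
    // 2 = LOGON32_LOGON_INTERACTIVE, 0 = LOGON32_PROVIDER_DEFAULT (values from the C# sample)
    if (!LogonUser(user, domain, password, 2, 0, out token))
        return Marshal.GetLastWin32Error();   // read before another call overwrites it
    CloseHandle(token);                       // only the result is needed, not the token
    return 0;
}
'@

function Test-LogonCredential {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $Domain = $env:USERDOMAIN
    )
    $user = $Credential.UserName
    # Split DOMAIN\username as typed into the Get-Credential prompt
    if ($user -match '^(?<d>[^\\]+)\\(?<u>.+)$') { $Domain = $Matches.d; $user = $Matches.u }

    # Decrypt the SecureString into an unmanaged buffer that is zeroed right after use
    $pw = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($Credential.Password)
    try     { $code = [Example.Native]::TryLogon($user, $Domain, $pw) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($pw) }

    # Audit record: who, when, outcome and reason; the password is never included
    [pscustomobject]@{
        Timestamp  = (Get-Date).ToString('o')
        Account    = "$Domain\$user"
        Valid      = ($code -eq 0)
        Win32Error = $code
        Reason     = if ($code -eq 0) { 'OK' } else { (New-Object ComponentModel.Win32Exception $code).Message }
    }
}

# Usage: prompt for the credential, append the outcome to an audit log, show the result.
$result = Test-LogonCredential -Credential (Get-Credential)
$result | Export-Csv -Path "$env:TEMP\credcheck-audit.csv" -Append -NoTypeInformation  # hypothetical path
$result
```

Each failed attempt counts toward the account lockout threshold, so callers should not retry in a loop.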