Alternate credentials for AD cmdlets

By default, AD cmdlets use your current credentials. This is great and handy (I can just run Get-QADUser as the new command and it will work) but quite often you might want to specify another username/password. For example, when what you are planning to do requires a privileged account and the default account with which you logged in is just a Domain User.

Well, as usual, Connect-QADService is here to help. There are two ways you can specify the credentials. As a username/password pair:

$pw = read-host "Enter password" -AsSecureString connect-QADService -service 'server.company.com'-ConnectionAccount 'company\administrator'-ConnectionPassword $pw

Or use the Get-Credential cmdlets which will display the familiar dialog box:

Connect-QADService -service 'server.company.com' -Credential ( Get-Credential )

Once you’ve run any of those all your subsequent AD cmdlets run under this new account until you run Disconnect-QADService which removes the connection and brings you back to the defaults:

Connect-QADService -service 'server.company.com' -Credential ( Get-Credential )

# now we are using the specified credentials

Get-QADUser

Disconnect-QADService

# now we are back to the current account

Tags: oneliner, AD cmdlets, cmdlets, one-liner, PowerShell, AD, Active Directory, Examples

My Recent Tweets

@JazonTWong @apisecurityio And also the attacker had to test their membership hypothesis for a specific group. Ther… twitter.com/i/web/status/1… 10 months ago

@JazonTWong @apisecurityio They made it lower because the attacker needs to be connected to the victim. However, st… twitter.com/i/web/status/1… 10 months ago

@hakluke apisecurity.io by @apisecurityio 10 months ago

@TheMarkONeill The ToC part of the web page definitely needs some fixing ;) Great report, Mark! (As always) Thanks for sharing! 10 months ago

RT @PenTestPartners: We're hiring for 3 roles: • Pen Testing Consultant • Red Team Support • Digital Forensic & Incident Response (DFIR) Co… 10 months ago

4 Responses to “Alternate credentials for AD cmdlets”

Feed for this Entry Trackback Address

1 Rick September 10, 2007 at 11:09 am

And it looks so easy. I’ve tried to connect to a different domain with this cmdlet. I can connect, but as soon I try to list all machines in a certain OU with get-qadcomputer , it tells me the domain does not exist. Listing *all* computers in the domain does work, however…

2 dmitrysotnikov September 10, 2007 at 12:52 pm

Rick,

This looks very similar to the issue discussed in this forum thread: http://powergui.org/thread.jspa?threadID=4286&tstart=0

So it looks like there is some kind of issue. If you could post to the forum with the specific commands you are using and some description of your configuration, the guys there should be able to reproduce the bug and fix it as well as hopefully suggesting workaround so you are not stuck until you get the fix.

Dmitry

3 Anonymous August 15, 2011 at 10:31 pm

Hi
I know this is an old thread but is there a way to run a script under the context of a different user without having to answer the prompts. IE: I have an app that is running under local admin and i need it to run a script to query ad to see if a computer is there and just return its standard output?
it will run a = (get-qadcomputer computername).type
is this possible?

- 4 Anonymous October 4, 2011 at 2:45 pm
  
  Hi All,
  does someone has an answer to this point ?
  
  Thanks a lot for all of us 🙂
  Seb

M	T	W	T	F	S	S
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30

Dmitry's Blog: Cloud, PowerShell and beyond