Two-Factor Authentication with PowerShell

Another Quest product turned out to be PowerShell-enabled – Quest Defender. Defender is basically a two-factor authentication solution for network, web and application access supporting various kinds of tokens.

Anyways, the cool thing is that the team did not have to do anything to get PowerShell interface for their product. Because they store all configuration data in AD, QAD cmdlets are more or less all they need.

For example, this simple script lists all tokens and users to which they are assigned:

foreach ($token in 
    (Get-QADObject -IncludeAllProperties -Type "defender-tokenClass"))
{ Write-Output $token.Name $token."defender-tokenUsersDNs" }

Dmitry Kagansky has posted this and a few other sample scripts here.

This is a very cool eco-system/re-use example. If your product stores all configuration in Active Directory, you can just re-use AD cmdlets and you are all set.

Well, obviously Dmitry could make things even easier by wrapping his (albeit simple) scripts into PowerShell v2 advanced functions with whatif/confirm support, help, tab-completion (in case of PowerGUI editor, intellisense ;)) and so on.

Tags: , , ,

8 Responses to “Two-Factor Authentication with PowerShell”

  1. 1 MattS January 23, 2010 at 1:43 am

    Is there any capability to access Defender “HelpDesk” capabilities with PowerShell? This would allow my company to integrate Defender function into an existing HelpDesk application.

  2. 2 Stu January 27, 2010 at 10:45 am

    Nothing exists in Defender currently, however we plan to release the following set of PowerShell cmdlets within the next few months:

    Add-TokenToUser – Assigns a Defender token to a user.
    Add-TokenToUserBatch – Assigns a list of Defender tokens to a list of users.
    Remove-TokenFromUser – Unassigns a Defender token from a user.
    Remove-TokenFromUserBatch – Unassigns a list of Defender tokens from a list of users.
    Remove-AllTokensFromUser – Unassigns all Defender token from a user.
    Set-DefenderPassword – Sets the Defender password for a user or all users in a group.
    Remove-DefenderPassword – Deletes the Defender password for a user or all users in a group.
    Set-PINOnUserToken – Sets a user’s PIN for an assigned token.
    Get-TokensForUser – List Defender tokens assigned to a user.
    Get-UsersForToken – List users assigned to a Defender token.
    Test-DefenderToken – Tests a Defender token’s response.
    Get-DefenderLicense – Gets information on the current Defender user license.
    Get-ExpiredSoftwareTokens – Gets Defender software tokens with expired activation codes.

    The cmdlets will be available for free download from:

  3. 3 MattS June 3, 2010 at 6:53 pm

    Any update on the availability of the new cmdlets?

  4. 4 Stu June 4, 2010 at 9:51 am

    Hi Matt,

    Yes, the latest is that we’ll have further cmdlts out in the late summer. I’ll make sure to update this post as soon as they ship.



  5. 5 MattS October 27, 2010 at 2:35 pm

    I know you said you update this post, but summer has come and gone. It is very difficult to manually manage a large user base.

  6. 7 Stu November 3, 2010 at 4:26 pm

    Hi Matt,

    We’ve been extremely busy over the summer getting ready for the next Defender release (v.5.6) which is scheduled to go GA this month.

    A great deal of our time and effort has gone into creating an entirely new token deployment system to alleviate the admin burden of getting users HW & SW tokens. We believe this new system will offer significant benefit over and above trying to do automated deployment and management using PowerShell, hence we’ve made this one of our primary focus points over the last few months.

    That being said, we are definitely still committed to providing more PowerShell scripts like the one you’ve requested, it’s just taking us a little longer than anticipated with everything else that’s been going on.



  1. 1 PowerShell for Multi-Factor Authentication solution updated « Dmitry’s PowerBlog: PowerShell and beyond Trackback on July 2, 2011 at 12:22 am

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

My Recent Tweets


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

July 2009
« Jun   Aug »

%d bloggers like this: