Drive Mapping PowerShell Script Locking Domain Account

I created a number of drive mapping scripts since my job requires accessing a large number of files on different servers, in a separate domain, based on the task at hand.  After fat-fingering my password into Get-Credential a few times and locking my account in the other domain, I added code to test my credentials prior to executing the series of New-PSDrive commands.  Since then, I have noticed my account getting locked after running the scripts, despite using the correct username and password.  Here is the sanitized code I am using:

Write-Host "Press any key to enter <Second Domain> credentials and map <Second Domain> domain drives..."
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

## Prompt for credentials
$Credential = $host.ui.PromptForCredential("Need <Second Domain> credentials", "Please enter MCG\username and password.", "", "")
$UserName = $Credential.UserName
$Password = $Credential.GetNetworkCredential().password
$CurrentDomain = "LDAP://DC=<Second Domain>,DC=com"
$domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,$UserName,$Password)

if ($domain.name -eq $null)
{
write-output "Authentication failed - please verify your username and password."
exit #terminate the script.
}
else
{
write-output "Successfully authenticated with domain " $domain.name
}

## Map Drives in <Second Domain> domain using credentials supplied via pop-up
New-PSDrive -Name H -PSProvider FileSystem -Root \\<Server Name>.<Second Domain>.com\C$ -Credential $Credential -Persist
New-PSDrive -Name I -PSProvider FileSystem -Root \\<Server Name>.<Second Domain>.com\C$ -Credential $Credential -Persist
New-PSDrive -Name J -PSProvider FileSystem -Root \\<Server Name>.<Second Domain>.com\E$ -Credential $Credential -Persist
New-PSDrive -Name K -PSProvider FileSystem -Root \\<Server Name>.<Second Domain>.com\F$ -Credential $Credential -Persist

When I watch the logs on the domain controllers, I see a failed logon using credentials for the domain I am in followed by a successful logon using the supplied credentials for each New-PSDrive command executed.

Can somebody help me understand what is going on here and why the account I supplied credentials for is getting locked out?

July 28th, 2015 5:54pm

Why are you trying to log into the domain with LDAP?  That is not needed to map drives.

July 28th, 2015 6:18pm

This is the only thing you can do:

$credential=Get-Credential #prompt remote domain ADMIN for credential

New-PSDrive -Name H -PSProvider FileSystem -Root \\<Server Name>.<Second Domain>.com\C$ -Credential $Credential -Persist
New-PSDrive -Name I -PSProvider FileSystem -Root \\<Server Name>.<Second Domain>.com\C$ -Credential $Credential -Persist
New-PSDrive -Name J -PSProvider FileSystem -Root \\<Server Name>.<Second Domain>.com\E$ -Credential $Credential -Persist
New-PSDrive -Name K -PSProvider FileSystem -Root \\<Server Name>.<Second Domain>.com\F$ -Credential $Credential -Persist



You must be an admin on the remote machine and there must be a functional trust.

Be sure no failed maps have been persisted or they will continue to lock you out.

If the clocks do not match you may also get locked out.  Be sure clocks between local and remote DCs match.

July 28th, 2015 6:25pm

The LDAP portion, and associated code, listed below separately, was inserted to test the credentials.  I added it to avoid locking my account due to entering the incorrect password because some of these scripts map 10-15 drives.  That is a quick way to lock the account.  This code has saved my bacon a few times, but now I am seeing this odd lockout behavior, despite entering the correct credentials.

$UserName = $Credential.UserName
$Password = $Credential.GetNetworkCredential().password
$CurrentDomain = "LDAP://DC=<Second Domain>,DC=com"
$domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain,$UserName,$Password)

if ($domain.name -eq $null)
{
write-output "Authentication failed - please verify your username and password."
exit #terminate the script.
}
else
{
write-output "Successfully authenticated with domain " $domain.name
}

July 29th, 2015 11:07am
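
An added example, not code from any poster in this thread: the single credential pre-check described in the post above, followed by drive mappings that stop at the first failure so one bad state is not retried for every share. It swaps the DirectoryEntry test for PrincipalContext.ValidateCredentials; the domain, server and share values are placeholders.

```powershell
# Added example: validate the credential once, then map drives and stop on the first error.
# $DomainName, $Server and $Shares are placeholders, not values from the thread.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Test-DomainCredential {
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $DomainName
    )
    $net = $Credential.GetNetworkCredential()   # splits DOMAIN\user into Domain and UserName
    $ctxType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
        -ArgumentList $ctxType, $DomainName
    try {
        # One validation attempt: a wrong password costs a single failed logon,
        # instead of one per New-PSDrive call.
        return $ctx.ValidateCredentials($net.UserName, $net.Password)
    }
    finally { $ctx.Dispose() }
}

$DomainName = 'seconddomain.example'            # placeholder
$Server     = 'server01.seconddomain.example'   # placeholder
$Shares     = [ordered]@{ H = 'C$'; J = 'E$'; K = 'F$' }

$Credential = Get-Credential -Message "Enter credentials for $DomainName"
if (-not (Test-DomainCredential -Credential $Credential -DomainName $DomainName)) {
    Write-Warning 'Authentication failed - no drives were mapped.'
    return
}

foreach ($letter in $Shares.Keys) {
    # Skip letters that are already in use rather than attempting a second mapping.
    if (Get-PSDrive -Name $letter -ErrorAction SilentlyContinue) {
        Write-Warning "Drive $letter already exists; skipping."
        continue
    }
    $map = @{
        Name = $letter; PSProvider = 'FileSystem'; Persist = $true
        Root = "\\$Server\$($Shares[$letter])"
        Credential = $Credential; ErrorAction = 'Stop'
    }
    try { New-PSDrive @map | Out-Null }
    catch {
        # Stop here so the remaining shares do not each generate another logon attempt.
        Write-Warning "Mapping $letter failed: $($_.Exception.Message). Stopping."
        break
    }
}
```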

You don't need to prompt for credentials if you open your PowerShell window with the alternate credentials.
July 29th, 2015 11:17am

You don't need to prompt for credentials if you open your PowerShell window with the alternate credentials in the first p
July 29th, 2015 3:14pm

This topic is archived. No further replies will be accepted.
