PowerShell

[Jonathan Wegner]

We use group logins but need a way to track what user is using the group account.  In addition to this, we need users to keep their personal accounts active despite using group accounts.  One thought was to have a login script that runs from the group account.  It would prompt the user for their personal account login information, authenticate to the domain, write the user information to file and then allow the user to login.  If the user is unable to login to their personal account it would kick them out with a message that they need to verify their personal login information.

Is the above possible in powershell or is another scripting language better suited?  If it is possible, any assistance in how to do it would be much appreciated.  I’m a powershell novice, but I have a programming background.  I can think through the logic, just no idea how to implement it.

Wags

[Leos Marek]

What is a group account? I only know personal or shared accounts.

[Jonathan Wegner]

Group would be the same as a shared account.  It is not tied to one person but is tied to a specific system function that cannot be tied to one person.

[David Figueroa]

Powershell would definitely be a good choice for something like this.

Ideally, you’d want it as a login script for the shared accounts.  I would set it up as a WPF script that ran full screen in modal mode.  You could make it run synchronously (group policy/registry setting). Use the AccountManagement framework to prompt the user for their credentials and validate them against AD, and of course log them off if the fail more than x amount of times. Additionally, you could log the attempts to a text file, or an eventlog, etc.

Richard Siddaway’s blog on this is a great starting point. https://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/

If the group account is tied to the same set of users for each one, then you could even present them a list of users from that group to select from as a choice (but it’s not necessary obviously).

David F.

[Leos Marek]

Can you describe your use case?

Thinkgs like shared accounts should not be used for any administrative purposes. Why dont you simply add the needed permissions to a group of users? Then you would not have to do any tracking like this in first place.

[Jonathan Wegner]

These are not administrator accounts.  This usage is common in the military where you have someone “standing watch” and need a shared account so all have access to the same information.
I saw this particular type of usage in a previous position where we ran training exercises over the course of several days using computers to drive the training scenario.  It was not wise to force users to logout and have another user login right in the middle of a battle.

[Leos Marek]

That did not help me much to understand what are you trying to achieve. Having shared account for a training session is understandable, but I don’t get the rest 🙂

Anyway, you could create a simple script that will do a Start-Process powershell.exe -credential (get-credential) parameter and start your second script that will write the info to the file. If the start-process fails due to bad authentication, you can logoff the shared account.

Make sure to enable this GPO option otherwise your users will not get the interactive Powershell window.

[Author]

Posts