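param(
    [string]$authfile,
    # AD group whose (recursive) members are allowed to connect. The original
    # script assigned "OpenVPN Users" and then immediately overwrote it with
    # "Domain Admins"; the overwrite is what actually ran, so it is kept as the
    # default. NOTE(review): confirm which group is intended - the comments
    # below talk about "the VPN AD group".
    [string]$group = "Domain Admins"
)
# OpenVPN auth-user-pass-verify helper (via-file mode): OpenVPN writes the
# client's username on line 1 and password on line 2 of $authfile and runs this
# script with that path as its only argument. Exit code 0 grants access, any
# other value denies it. Access requires (a) the password to validate against
# the domain $FQDN and (b) recursive membership of $group.

# testing the script with a dummy creds.txt
#exit 0
#$authfile = "C:\Users\Public\Temp\creds.txt"

$FQDN = "rld.lan"
# NOTE(review): C:\Users\Public is writable by every local user, so this log
# (which records usernames) can be read, pre-created or replaced by anyone on
# the box while the script runs as the OpenVPN service account. A directory
# only that account can write to would be safer.
$logfile = "C:\Users\Public\Temp\adauth.log"
$logfilemax = 1000   # keep at most this many lines in the log (newest first)

#authenticate the username/password to domain
# Returns $true only when the directory accepts $uid/$pwd. Reads $FQDN.
function AD-Auth([String]$uid, [String]$pwd)
{
    # Never hand an empty username or password to the directory. An empty
    # password is not a valid login, and a missing/short creds file must not be
    # able to turn into an anonymous or default-credential validation.
    if ([string]::IsNullOrEmpty($uid) -or [string]::IsNullOrEmpty($pwd))
    {
        return $false
    }
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $au = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('domain', $FQDN)
    try
    {
        return [bool]$au.ValidateCredentials($uid, $pwd)
    }
    finally
    {
        # PrincipalContext holds a directory connection; release it explicitly.
        $au.Dispose()
    }
}

#write script output to logfile
# $message: text to record; $typeofmsg: 0 = info, 1 = error.
# The new entry goes on top and the file is trimmed to $logfilemax lines.
# Reads the script-level $username, $logfile and $logfilemax.
function Write-Log ([string]$message, [int]$typeofmsg)
{
    #in production env don't create a log file.
    #return
    $datelog = Get-Date -Format 'MM/dd/yyyy hh:mm:ss tt'
    switch ($typeofmsg)
    {
        0 { $errlvl = "info " }
        1 { $errlvl = "ERROR" }
    }
    $temp = "[$datelog] [$errlvl] [$username] $message"
    # Keep the first ($logfilemax - 2) existing lines so that, with the new
    # entry on top, the file never exceeds the configured size. Test-Path
    # avoids an error on the very first run when the file does not exist yet.
    $parsed = ""
    if (Test-Path -LiteralPath $logfile)
    {
        $existing = @(Get-Content -LiteralPath $logfile)
        $limit = [Math]::Min([Math]::Max(0, $logfilemax - 2), $existing.Count)
        for ($i = 0; $i -lt $limit; $i++)
        {
            $parsed += $existing[$i] + "`r`n"
        }
    }
    [System.IO.File]::WriteAllText($logfile, $temp + "`r`n" + $parsed)
}

# Fail closed: any unhandled terminating error (unreadable creds file, AD
# unreachable, unknown group, ...) must deny access instead of leaving the
# exit code to how PowerShell was invoked.
trap {
    # Best effort - the log write itself may be what failed.
    try { Write-Log "Unhandled error: $($_.Exception.Message)" 1 } catch { }
    exit 1
}
$ErrorActionPreference = 'Stop'

#read openvpn authentication
# @() forces an array: Get-Content on a one-line file returns a plain string,
# and indexing a string yields single characters, so $creds[0]/$creds[1] would
# silently become the first two letters of the file. Missing lines become ""
# and are rejected by AD-Auth.
$creds = @(Get-Content -LiteralPath $authfile)
$username = ""
$password = ""
if ($creds.Count -ge 1) { $username = [string]$creds[0] }
if ($creds.Count -ge 2) { $password = [string]$creds[1] }

#check users uid/pwd
if (AD-Auth $username $password)
{
    #check if they are a member of the VPN AD group
    $members = Get-ADGroupMember -Identity $group -Recursive | Select-Object -ExpandProperty SamAccountName
    if ($members -contains $username)
    {
        #authenticate user and return 0 (success)
        Write-Log "Authentication successful" 0
        exit 0
    }
    else
    {
        Write-Log "User cannot login because they are not a member of the [$group] AD group" 1
    }
}

#auth failed: record the most likely reason (locked / disabled account).
# One lookup instead of two; LockedOut is not a default property, Enabled is.
# The lookup is wrapped so an unknown account still reaches the final
# "Authentication failed" entry instead of the generic trap above.
if (-not [string]::IsNullOrEmpty($username))
{
    try
    {
        $aduser = Get-ADUser -Identity $username -Properties LockedOut
        if ($aduser.LockedOut)
        {
            Write-Log "User cannot login because AD account is locked" 1
        }
        if (-not $aduser.Enabled)
        {
            Write-Log "User cannot login because AD account is disabled" 1
        }
    }
    catch
    {
        Write-Log "Could not look up AD account: $($_.Exception.Message)" 1
    }
}
Write-Log "Authentication failed" 1
#default output return 1 (fail) to ovpn
exit 1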