AD - Default role to Reader

Product: PowerShell Universal
Version: 1.4.7


We recently purchased an Enterprise License and are setting the product up. We hooked up AD using this function:


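Set-PSUAuthenticationMethod -ScriptBlock {
    param(
        [PSCredential]$Credential
    )

    $Result = [Security.AuthenticationResult]::new()
    # Default template check, kept disabled so Success is only set after AD validation:
    #if ($Credential.UserName -eq 'Admin')
    #{
    #    $Result.UserName = 'Admin'
    #    $Result.Success = $true
    #}

    Function Test-Credential {
        Param (
            [Parameter(
                Mandatory = $true,
                ValueFromPipeLine = $true,
                ValueFromPipelineByPropertyName = $true
            )]
            [System.Management.Automation.PSCredential]
            $Credential,

            [String]
            $Domain = $Credential.GetNetworkCredential().Domain
        )

        Begin {
            [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.AccountManagement") |
                Out-Null

            $principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
                [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain
            )
        }

        Process {
            foreach ($item in $Credential) {
                $networkCredential = $Credential.GetNetworkCredential()
                # Returns $true only when the domain accepts the user name and password
                Write-Output -InputObject $(
                    $principalContext.ValidateCredentials(
                        $networkCredential.UserName, $networkCredential.Password
                    )
                )
            }
        }

        End {
            $principalContext.Dispose()
        }
    }

    if (Test-Credential -Credential $Credential) {
        $Result.UserName = $Credential.UserName
        $Result.Success = $true
    }

    # Hand the result (Success stays $false unless AD validated the credential) back to PSU
    $Result
}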


Users can log in successfully; however, they are given the administrator role. Can I change this to default to the reader role unless someone promotes the account?

You can set all the Roles to return $false except the Reader role. Then anyone logging in will automatically be assigned Reader. If you want to set a role for an individual identity specifically in PSU, you can set that on the Identities page.

You could also use AD group membership to control who is an admin. We have an example here:

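The two suggestions in the reply above (Reader as the default, Administrator granted through AD group membership), sketched as role policies. This is an added example, not code from the thread or from the PSU documentation; the group name `PSU-Admins` is hypothetical, and the policy shape (`param($User)` with `$User.Identity.Name`) is assumed to match the PSU 1.x role policy scripts.

```powershell
# Added example. 'PSU-Admins' is a hypothetical AD security group.
New-PSURole -Name 'Administrator' -Description 'Granted only through AD group membership' -Policy {
    param($User)

    $adminGroup = 'PSU-Admins'   # hypothetical; replace with your own group
    # The identity name may be DOMAIN\user or user@domain; keep the account part.
    $sam = ($User.Identity.Name -split '\\')[-1] -replace '@.*$', ''

    $context = $null
    try {
        Add-Type -AssemblyName System.DirectoryServices.AccountManagement
        $context = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain)
        $principal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity(
            $context, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $sam)
        if ($null -eq $principal) { return $false }

        # GetAuthorizationGroups() also resolves nested security groups.
        foreach ($group in $principal.GetAuthorizationGroups()) {
            if ($group.SamAccountName -eq $adminGroup) { return $true }
        }
        return $false
    }
    catch {
        # Fail closed: a directory error must never grant Administrator.
        return $false
    }
    finally {
        if ($context) { $context.Dispose() }
    }
}

# Every authenticated user gets Reader; any other role returns $false the same way.
New-PSURole -Name 'Reader' -Description 'Default role for every authenticated user' -Policy {
    param($User)
    $true
}
```

The directory lookup runs as the account the PSU service runs under, so that account needs read access to the domain; with the `catch` branch a failed lookup leaves the user as Reader.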

Thank you @adam!
I just upgraded to 1.5; however, now the snippet used above stopped working and I cannot log in.
I am wondering if I did something wrong with the upgrade? I see the snippet in C:\ProgramData\UniversalAutomation\Repository.universal\Authentication.ps1

I stopped the service and ran the .msi file.

Can you check the log to see if there is anything strange happening in there? It’ll be in:



@adam - I see some references to "Exception calling ValidateCredentials with 2 arguments - Server cannot handle directory requests."

2020-11-19T18:33:30.5605020-05:00 0HM4CSE0ECATR:00000003 [INF] Route matched with "{action = \"SignIn\", controller = \"Authentication\"}". Executing controller action with signature "System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] SignIn(UniversalDashboard.Controllers.Credential)" on controller "UniversalDashboard.Controllers.AuthenticationController" ("Universal.Server"). (122b2fdf)
2020-11-19T18:33:31.0003173-05:00 0HM4CSE0ECATR:00000003 [ERR] 
Exception calling "ValidateCredentials" with "2" argument(s): "The server cannot handle directory requests."
at Test-Credential<Process>, <No file>: line 55
at <ScriptBlock>, <No file>: line 66 (10c02a92)

@adam - I figured it out. Installing the new update removed the account we were using for the service. Once I provided the credentials for the service to run as a service account, it worked. I do have some other issues that came with the upgrade, but I will open a new topic.