Wednesday, September 29, 2010

Validate domain username and password from a workgroup computer / Running Dsa.Msc (Active Directory Users and Computers snap-in) from a computer not joined to the domain

Remotely administer a domain from a workgroup PC



http://forums.asp.net/p/1436962/3244988.aspx

All you need is here:
Imports System.ComponentModel
Imports System.Runtime.InteropServices
Imports System.Security.Principal

Public Class DomainLogon

    ' Declare sets SetLastError for us, so Marshal.GetLastWin32Error() returns the real failure code.
    ' A separate P/Invoke of kernel32!GetLastError is unreliable: the CLR may overwrite the value before you read it.
    ' "Auto" picks LogonUserW on NT-based systems, so no explicit "LogonUserA" alias is needed.
    Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As LogonType, ByVal dwLogonProvider As LogonProvider, ByRef phToken As IntPtr) As Boolean

    Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As IntPtr) As Boolean

    Public Shared Function GetWindowsIdentity(ByVal UserName As String, ByVal Domain As String, ByVal Password As String) As WindowsIdentity
        Dim SecurityToken As IntPtr = IntPtr.Zero

        ' The workgroup machine does not need to be domain-joined: LogonUser passes the credentials
        ' through to a reachable domain controller. NETWORK_CLEARTEXT keeps the password in the
        ' authentication package so the resulting token can authenticate to other servers; if you only
        ' want to check that the credentials are valid, LOGON32_LOGON_NETWORK is the lower-privilege choice.
        Dim Success As Boolean = LogonUser(UserName, Domain, Password, LogonType.LOGON32_LOGON_NETWORK_CLEARTEXT, LogonProvider.LOGON32_PROVIDER_DEFAULT, SecurityToken)

        If Not Success Then
            Throw New Win32Exception(Marshal.GetLastWin32Error(), "Logon failed")
        End If

        ' WindowsIdentity duplicates the token, so the handle LogonUser returned must be closed here.
        Try
            Return New WindowsIdentity(SecurityToken)
        Finally
            CloseHandle(SecurityToken)
        End Try
    End Function

    Public Enum LogonType As Integer
        LOGON32_LOGON_INTERACTIVE = 2
        LOGON32_LOGON_NETWORK = 3
        LOGON32_LOGON_BATCH = 4
        LOGON32_LOGON_SERVICE = 5
        LOGON32_LOGON_UNLOCK = 7
        LOGON32_LOGON_NETWORK_CLEARTEXT = 8
        LOGON32_LOGON_NEW_CREDENTIALS = 9
    End Enum

    Public Enum LogonProvider As Integer
        LOGON32_PROVIDER_DEFAULT = 0
    End Enum

End Class



To test:

Dim o As Security.Principal.WindowsIdentity = GetWindowsIdentity("user", "domain", "pass")
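The same check from the shell the procedure is usually typed into, as an added example that is not part of the forum post above. It calls LogonUser through Add-Type with a NETWORK logon (no plaintext retained in the token), closes the handle, and maps the Win32 error so that a bad password is not mistaken for an unreachable domain. The domain, user name and DC reachability are assumptions; nothing here is the poster's code.

```powershell
# Added example: validate a domain account from a workgroup machine.
# Assumes a domain controller for $Domain is reachable (NTLM pass-through);
# 'CONTOSO\alice' below is a placeholder.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class WinLogon {
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

function Test-DomainCredential {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Password
    )
    $LOGON32_LOGON_NETWORK    = 3   # impersonation token; password is not cached in the token
    $LOGON32_PROVIDER_DEFAULT = 0

    # Decrypt the SecureString only for the duration of the call, then wipe the buffer.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $token = [IntPtr]::Zero
        $ok  = [WinLogon]::LogonUser($UserName, $Domain, $plain,
                   $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    if ($ok) {
        [void][WinLogon]::CloseHandle($token)   # WindowsIdentity is not needed, just the verdict
        $reason = 'OK'
    } else {
        # Distinguish "wrong password" from "domain not found" and from account-state failures.
        $reason = switch ($err) {
            1326 { 'Logon failure: bad user name or password' }
            1327 { 'Account restriction (blank password not allowed, logon hours, ...)' }
            1330 { 'Password expired' }
            1331 { 'Account disabled' }
            1355 { 'Domain not found: no DC reachable or name not resolvable' }
            1909 { 'Account locked out' }
            default { "Win32 error $err" }
        }
    }
    [pscustomobject]@{ Domain = $Domain; User = $UserName; Valid = [bool]$ok; Reason = $reason }
}

# Usage (interactive; the password is prompted for, never written into the script):
# $cred = Get-Credential 'CONTOSO\alice'
# $nc   = $cred.GetNetworkCredential()
# Test-DomainCredential -Domain $nc.Domain -UserName $nc.UserName -Password $cred.Password
```

Every failed attempt is a real authentication failure at the domain controller: it is audited there and counts toward the account lockout threshold, so do not loop this over a list of passwords.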

http://us.generation-nt.com/answer/viewing-event-logs-remote-domain-help-68650162.html

Create a shortcut like this:

runas /netonly /user:domain\userid "mmc dsa.msc"


http://www.markwilson.co.uk/blog/2008/03/the-windows-runas-command-and-the-netonly-switch.htm
Then I found out about an obscure switch for the runas command – /netonly, used to indicate that the supplied credentials are for remote access only. By changing my command to:

runas /netonly /user:remotecomputername\username mmc

I was able to authenticate against the remote computer without needing the credentials to also be valid on the local computer, as described by Craig Andera.


http://www.pluralsight-training.net/community/blogs/craig/archive/2003/06/04/785.aspx

Today I ran across an entirely new option: the /netonly switch. Using it means that the credentials you supply don’t have to be valid on the machine you’re running it on, but will still be passed on when remote calls are made! So cool. Why? Because I’m doing work with Microsoft, and I need to do things against their servers that require authentication. I don’t want to join my machine to their domain, which means I can’t get a process running under my Microsoft domain account. However, using this switch, I can make a process look to remote systems as if it were running under my Microsoft domain account. This turned out to be crucially important for getting our build process working on my machine.

The one caveat is that since it doesn’t do an actual login, it’ll take whatever password you throw at it. Even if it’s wrong – you won’t find out until you try to actually use those credentials.



Running Dsa.Msc From A Computer Not Joined To The Domain

I'm trying to figure out if this is possible:

I have a laptop that I take to numerous clients, and I
really don't like to join it to the domain because it's a
pain to do that constantly and deal with user accounts,
etc.

But, I would still like to use dsa.msc (AD Users and
Computers) and related tools to manage domains from my
laptop. Is there a way to do this?

I have tried all combinations of runas.
Additionally, "Connect To Another Computer/Domain:" (i.e.
from compmgmt.msc or something) only works on non-DC's
near as I can tell, so in this configuration it's useless
for dsa.msc. It just says, "Access is Denied" without
possibility of prompting for credentials.

I think it all boils down to the domain not trusting my
computer and vice versa. This is why I think this may
not be possible. But, I'm hoping some of you can think
of a way around this problem.

Thanks in advance,

Matt


You need to be joined to a domain. If the laptop has enough
horsepower, load Virtual PC and create an XP image which you just join
to client domains.

No you don't. Assuming you've installed the adminpak.msi on the XP
machine, you can:

runas /netonly /user:somedomain\someuserid "mmc dsa.msc"

Wayne



Try this (one line):

runas /netonly /user:domain\userid "mmc dsa.msc /server=dc.in.other.domain"

That should launch the dsa.msc pointing to 'dc.in.other.domain' using the
supplied credentials.

HTH,

Wayne Tilton




Create on the local computer an account with credentials matching an account
with desired privileges in the target domain (username and password need to
match). Switch to its security context either by using RUNAS or interactive
logon. Launch DSA.MSC and point it to the target domain controller (or
domain - assuming its zones are accessible via the DNS server your computer
is configured for).

hth
Marcin
 
Managing Active Directory from MMC

http://technet.microsoft.com/en-us/library/cc757197(WS.10).aspx

Starting Active Directory MMC consoles from the command-line


Active Directory MMC consoles, including Active Directory Users and Computers (dsa.msc), Active Directory Domains and Trusts (domain.msc) and Active Directory Sites and Services (dssite.msc), provide command-line options that allow you to start a console focused on a particular domain or domain controller. The command-line options support both fully qualified domain names and NetBIOS names.

The command-line options are:
/domain=FullyQualifiedDomainName

/domain=NetBIOSDomainName

/server=FullyQualifiedDomainControllerName

/server=NetBIOSDomainControllerName


You can use these command-line options to run the Active Directory MMC consoles directly from the command line, or you can create a shortcut to start a console and add the appropriate command-line options to the shortcut. You can also use the command-line options with any custom consoles that you create. For more information about creating and saving console files, see Windows interface administrative tool reference A-Z: Microsoft Management Console.

Command-line examples:
To start Active Directory Users and Computers focused on domain1, type:

dsa.msc /domain=domain1

To start Active Directory Users and Computers focused on server1, type:

dsa.msc /server=server1.domain1

To start Active Directory Sites and Services focused on server1, type:

dssite.msc /server=server1.domain1

To start Active Directory Domains and Trusts focused on server1, type:

domain.msc /server=server1.domain1


Notes
Do not use both a /domain and /server command-line option at the same time.

The /domain options can only be used with Active Directory Users and Computers.
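Putting the two halves of this page together, as an added example (not from the TechNet article or the newsgroup thread): launch one of the three consoles, focused with /server or /domain as documented above, under net-only credentials. It calls CreateProcessWithLogonW with LOGON_NETCREDENTIALS_ONLY, which is the same request runas /netonly makes, so the password can come from Get-Credential instead of a runas prompt. It assumes adminpak.msi or RSAT is installed so the .msc files exist; the account and DC names are placeholders.

```powershell
# Added example: "runas /netonly" for an AD console, done through the API runas itself uses.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NetOnly {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    public const int LOGON_NETCREDENTIALS_ONLY = 2;   // the flag behind "runas /netonly"
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithLogonW(string user, string domain, string password,
        int logonFlags, string appName, string cmdLine, int creationFlags, IntPtr env,
        string curDir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
"@

function Start-AdConsoleNetOnly {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,                        # DOMAIN\user or UPN
        [ValidateSet('dsa.msc','dssite.msc','domain.msc')][string]$Console = 'dsa.msc',
        [string]$Server,                                                        # FQDN or NetBIOS DC name
        [string]$Domain                                                         # dsa.msc only
    )
    # The two rules from the TechNet notes: never both switches, and /domain only for dsa.msc.
    if ($Server -and $Domain)            { throw 'Use either -Server or -Domain, not both' }
    if ($Domain -and $Console -ne 'dsa.msc') { throw '/domain is only supported by dsa.msc' }
    $focus = if ($Server) { " /server=$Server" } elseif ($Domain) { " /domain=$Domain" } else { '' }
    $cmd   = "mmc.exe $Console$focus"

    $nc = $Credential.GetNetworkCredential()
    $dom = if ($nc.Domain) { $nc.Domain } else { $null }      # null domain lets a UPN through
    $si = New-Object 'NetOnly+STARTUPINFO'
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object 'NetOnly+PROCESS_INFORMATION'

    # Locally the new process keeps the caller's token; only outbound network
    # authentication uses the supplied account, exactly like runas /netonly.
    $ok = [NetOnly]::CreateProcessWithLogonW($nc.UserName, $dom, $nc.Password,
            [NetOnly]::LOGON_NETCREDENTIALS_ONLY, $null, $cmd, 0, [IntPtr]::Zero, $null,
            [ref]$si, [ref]$pi)
    if (-not $ok) {
        throw ('CreateProcessWithLogonW failed: Win32 error {0}' -f `
               [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    [void][NetOnly]::CloseHandle($pi.hThread)
    [void][NetOnly]::CloseHandle($pi.hProcess)
    $pi.dwProcessId
}

# $cred = Get-Credential 'CONTOSO\alice'
# Start-AdConsoleNetOnly -Credential $cred -Server dc1.contoso.com
# Start-AdConsoleNetOnly -Credential $cred -Console dssite.msc -Server dc1
```

As with runas /netonly, a wrong password is not rejected here: the process starts regardless and the failure only shows up when the console binds to the domain controller, so if you need an up-front verdict validate the account first with a NETWORK-type LogonUser call.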

