Remotely administer a domain from a workgroup PC
http://forums.asp.net/p/1436962/3244988.aspx
All you need is here:
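Imports System.Runtime.InteropServices
Imports System.Security.Principal
' The declarations and the function below belong inside a class.
' VB's Declare statement records the Win32 error of each call, so it is read with
' Marshal.GetLastWin32Error() rather than by P/Invoking GetLastError, whose value
' the runtime may already have overwritten.
Declare Function LogonUser Lib "ADVAPI32.dll" Alias "LogonUserA" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As LogonType, ByVal dwLogonProvider As LogonProvider, ByRef phToken As IntPtr) As Int32
Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As IntPtr) As Int32
' Logs the user on and returns a WindowsIdentity for the resulting token.
Private Shared Function GetWindowsIdentity(ByVal UserName As String, ByVal Domain As String, ByVal Password As String) As WindowsIdentity
    Dim SecurityToken As IntPtr
    Dim Success As Boolean = CBool(LogonUser(UserName, Domain, Password, LogonType.LOGON32_LOGON_NETWORK_CLEARTEXT, LogonProvider.LOGON32_PROVIDER_DEFAULT, SecurityToken))
    If Not Success Then
        Throw New System.Exception("Logon Failed. Error: " & Marshal.GetLastWin32Error())
    End If
    Try
        ' WindowsIdentity duplicates the token, so the original handle is closed afterwards.
        Return New WindowsIdentity(SecurityToken)
    Finally
        CloseHandle(SecurityToken)
    End Try
End Function
Public Enum LogonType As Integer
    LOGON32_LOGON_INTERACTIVE = 2
    LOGON32_LOGON_NETWORK = 3
    LOGON32_LOGON_BATCH = 4
    LOGON32_LOGON_SERVICE = 5
    LOGON32_LOGON_UNLOCK = 7
    LOGON32_LOGON_NETWORK_CLEARTEXT = 8
    ' Counterpart of runas /netonly: the credentials are used for outbound network connections only.
    LOGON32_LOGON_NEW_CREDENTIALS = 9
End Enum
Public Enum LogonProvider As Integer
    LOGON32_PROVIDER_DEFAULT = 0
End Enum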
To test:
Dim o As Security.Principal.WindowsIdentity = GetWindowsIdentity("user", "domain", "pass")
http://us.generation-nt.com/answer/viewing-event-logs-remote-domain-help-68650162.html
Create a shortcut like this:
runas /netonly /user:domain\userid "mmc dsa.msc"
http://www.markwilson.co.uk/blog/2008/03/the-windows-runas-command-and-the-netonly-switch.htm
Then I found out about an obscure switch for the runas command – /netonly, used to indicate that the supplied credentials are for remote access only. By changing my command to:
runas /netonly /user:remotecomputername\username mmc
I was able to authenticate against the remote computer without needing the credentials to also be valid on the local computer, as described by Craig Andera
http://www.pluralsight-training.net/community/blogs/craig/archive/2003/06/04/785.aspx
Today I ran across an entirely new option: the /netonly switch. Using it means that the credentials you supply don’t have to be valid on the machine you’re running it on, but will still be passed on when remote calls are made! So cool. Why? Because I’m doing work with Microsoft, and I need to do things against their servers that require authentication. I don’t want to join my machine to their domain, which means I can’t get a process running under my Microsoft domain account. However, using this switch, I can make a process look to remote systems as if it were running under my Microsoft domain account. This turned out to be crucially important for getting our build process working on my machine.
The one caveat is that since it doesn’t do an actual login, it’ll take whatever password you throw at it. Even if it’s wrong – you won’t find out until you try to actually use those credentials.
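The caveat above can be checked before the tool is launched. The following PowerShell is an added example, not code from any of the posts quoted on this page: it binds to a domain controller over LDAP with the credentials first and only then starts runas /netonly. The function names and the server name dc01.example.test are assumptions made for the example, and every rejected bind counts as a failed logon attempt against the account.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Hypothetical helper: $true if the domain controller accepts the credential,
# $false if it rejects it; any other failure (DNS, network) is rethrown.
function Test-NetOnlyCredential {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    try {
        # Negotiate (Kerberos/NTLM) avoids sending the password in clear text.
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Credential = $Credential.GetNetworkCredential()
        $conn.Bind()
        return $true
    }
    catch {
        $ldap = $_.Exception.GetBaseException() -as [System.DirectoryServices.Protocols.LdapException]
        # 49 = LDAP invalidCredentials; AD also returns it for locked-out,
        # disabled or expired accounts.
        if ($ldap -and $ldap.ErrorCode -eq 49) { return $false }
        throw
    }
    finally { $conn.Dispose() }
}

# Hypothetical wrapper: refuse to start the tool when the bind was rejected,
# instead of finding out at the first remote call.
function Start-NetOnlyConsole {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $Command = 'mmc dsa.msc'
    )
    if (-not (Test-NetOnlyCredential -Server $Server -Credential $Credential)) {
        throw "$Server rejected the credentials for $($Credential.UserName)."
    }
    # runas asks for the password again in its own console window.
    Start-Process runas.exe -ArgumentList '/netonly', "/user:$($Credential.UserName)", "`"$Command`""
}

# Constructed values; replace with a real DC name and domain\userid:
# Start-NetOnlyConsole -Server 'dc01.example.test' -Credential (Get-Credential 'EXAMPLE\userid')
```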
Running Dsa.Msc From A Computer Not Joined Into Domain
I'm trying to figure out if this is possible:
I have a laptop that I take to numerous clients, and I
really don't like to join it to the domain because it's a
pain to do that constantly and deal with user accounts,
etc.
But, I would still like to use dsa.msc (AD Users and
Computers) and related tools to manage domains from my
laptop. Is there a way to do this?
I have tried all combinations of runas.
Additionally, "Connect To Another Computer/Domain:" (i.e.
from compmgmt.msc or something) only works on non-DC's
near as I can tell, so in this configuration it's useless
for dsa.msc. It just says, "Access is Denied" without
possibility of prompting for credentials.
I think it all boils down to the domain not trusting my
computer and vice versa. This is why I think this may
not be possible. But, I'm hoping some of you can think
of a way around this problem.
Thanks in advance,
Matt
You need to be joined to a domain. If the laptop has enough
horsepower, load Virtual PC and create an XP image which you just join
to client domains.
No you don't. Assuming you've installed the adminpak.msi on the XP
machine, you can:
runas /netonly /user:somedomain\someuserid "mmc dsa.msc"
Wayne