Use RunAs from non-domain computer?

First I would like to make big announcement – after almost 3 years I left DHL and joined company called Login Consultants… So after long time I am consultant (again) and you can expect more posts about different problems I encountered during my consultancy career…

And I already encountered one during my first day – working with domain-based environment from non-domain computer. As mentioned before, I really love Vista (it took me however some time to get used to it) so I immediately installed it on my new laptop (that is no longer under corporate policies and rules). And then I realized that customer have (well, of course) domain and my non-domain laptop won’t be able to do much (except accessing remote shares and running RDP\ICA sessions).

So I started to investigate and came with solution. I found MSDN article http://msdn.microsoft.com/en-us/library/ms682434(VS.85).aspx and one specific part of the article grabbed my attention:

 

LOGON_NETCREDENTIALS_ONLY
0x00000002

 

Log on, but use the specified credentials on the network only. The new process uses the same token as the caller, but the system creates a new logon session within LSA, and the process uses the specified credentials as the default credentials.

This value can be used to create a process that uses a different set of credentials locally than it does remotely. This is useful in inter-domain scenarios where there is no trust relationship.

The system does not validate the specified credentials. Therefore, the process can start, but it may not have access to network resources.

Sounds very interesting – so I started to play with this API and it turned out (to make it very simple) that it acts as token that contains multiple credentials (Logon SIDs):

image

Notice the Logon SID – there are 2 values

This way you can specify MULTIPLE accounts you want to use. In example below I have 3 different credentials:

image

Cmd with 3 Logon SIDs

Just be aware, based on my testing each credential should be from different domain, otherwise only FIRST match is used.

I tested this solution today – and it works like charm :) For accessing local PC, I am using my account (MartinNB\Martin), for accessing any domain resources, I am using Domain\Operator account automatically. I tried this with accessing remote shares, MMC console (AD Users and Computers) and also PsExec with implicit authentication (that means no username\password defined).

When I knew what I was looking for, it turned out that my whole research was partially waste of time – this functionality is already included in RunAs itself through /NetOnly parameter :)

 

To show you example how to use it:

We have company XYZ. They provided account SuperAdmin for me with password SuperPassword.

I will first run command RunAs /NetOnly /User:XYZ\SuperAdmin cmd and specify password SuperPassword when prompt appear. New cmd window will automatically appear.

Now I can simply kill explorer (taskkill /f /im explorer.exe) and run it again (explorer.exe) – my desktop will switch, so from now on I can normally work with XYZ domain AND my non-domain laptop :D

 

I am just thinking about writing some small utility that would allow you to easily switch between different customers profiles (codename Desperate Consultant)… I wrote to Joe from Joeware if he is willing to add this (NetOnly functionality) to his cool utility CPAU – if he agrees, I will wait for him and build it, otherwise I will create some wrapper around RunAs.

Idea is that you will predefine any credentials and that easily merge that credentials into your session.

2 thoughts on “Use RunAs from non-domain computer?”

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>