I have a Windows service account. I need to grant it permission to impersonate another account within a group on another trusted domain, without delegation. So effectively, my service account says 'Oh, I'm Barnie@otherdomain.com' now. I know it's possible because it's been set up for another domain - but before I joined, and I don't know how they did it!

I'm a developer, but the directory admin people where I am don't seem to know what to do. Any help would be greatly appreciated!

TopBanana

2 Answers

You're looking for:

"Impersonate a client after authentication" in the Local Security Policy under Local Policies -> User Rights Assignment

You can also use NTRights with "SeImpersonatePrivilege"

ntrights.exe +r SeImpersonatePrivilege -u domain\user

Christopher_G_Lewis


I'm not sure what you're trying to do exactly, but if you're simply trying to run an application (such as a command prompt) as that user, you use the runas command:

runas /user:domain\user cmd
runas /user:user@domain.com iexplore.exe

This will open a command prompt running as that specified domain account. (Note that the machine that you are running from will need to know how to reach that domain.)

Running cmd can allow you to run anything (scripts, other apps, explorer windows) as that other credentialed account - child processes are spawned under the parent's account.

(If this doesn't answer your question, please clarify what you are trying to do.)

gWaldo

Hi gWaldo, the problem with the "runas" command is that it will prompt you for the password of the user you are trying to impersonate. The advantage of the "impersonating" approach is that you do not need to know the user's password. Also, I can't find the ntrights.exe file in Windows Server 2016. – Allan Registos Dec 19 '20 at 01:37
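A way to audit and assign the "Impersonate a client after authentication" right from the first answer on a machine that does not ship ntrights.exe (the Windows Server 2016 case raised in the comment). This is an added example, not code from either answer; it uses the built-in secedit.exe, assumes a placeholder account name CONTOSO\svc-web, and must be run from an elevated PowerShell prompt.

```powershell
# Added example: audit or grant SeImpersonatePrivilege with secedit.exe,
# which is built into Windows, instead of the Resource Kit's ntrights.exe.
# CONTOSO\svc-web is a placeholder; pass your own service account.
param(
    [string]$Account = 'CONTOSO\svc-web',
    [switch]$Apply      # without -Apply the script only reports current holders
)

$privilege = 'SeImpersonatePrivilege'
$cfg = Join-Path $env:TEMP 'userrights.inf'
$db  = Join-Path $env:TEMP 'userrights.sdb'

# 1. Export the current User Rights Assignment to a security template (.inf).
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# 2. Read the current holders of the privilege; secedit writes SIDs prefixed with '*'.
$line = Get-Content $cfg | Where-Object { $_ -match "^$privilege\s*=" } | Select-Object -First 1
$holders = @()
if ($line) {
    $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() }
}

# Translate SIDs back to account names so the list can be reviewed.
$names = $holders | ForEach-Object {
    $v = $_.TrimStart('*')
    try { (New-Object System.Security.Principal.SecurityIdentifier $v).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $v }   # orphaned SID with no resolvable account
}
Write-Host "Current holders of ${privilege}: $($names -join ', ')"

if (-not $Apply) { return }

# 3. Resolve the target account to its SID, add it if missing, and import the template.
$sid = (New-Object System.Security.Principal.NTAccount $Account).Translate([System.Security.Principal.SecurityIdentifier]).Value
if ($holders -contains "*$sid") { Write-Host "$Account already holds $privilege"; return }

$newLine = "$privilege = " + (($holders + "*$sid") -join ',')
$content = Get-Content $cfg
if ($line) { $content = $content -replace [regex]::Escape($line), $newLine }
else       { $content = $content -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`n$newLine" }
Set-Content -Path $cfg -Value $content -Encoding Unicode   # secedit templates are UTF-16

secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
Write-Host "Granted $privilege to $Account; it takes effect at the service's next logon."
```

The audit step alone is worth running periodically, since this right lets a process act as any authenticated client and the holder list tends to grow unnoticed.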