I am using PowerShell and ADSI to enumerate users in local groups on remote computers. Well, to be honest, I also used Python and win32net, but the result is the same, so I guess the choice of language doesn't matter here. What I do in PowerShell is

$computer = 'TARGET-HOST'   # IP address or hostname of the remote machine
$groupname = 'Administrators'
$group = [ADSI]("WinNT://$computer/$groupname")
$group.Invoke('Members') | ForEach-Object {
    # each member is a COM object; read its ADsPath (e.g. WinNT://DOMAIN/user) via reflection
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

and then follows the code which processes the results, where $computer is the IP address or hostname of the remote machine. What happens underneath is that an SMB2 session to the target machine is opened and different SMB2 protocol operations are performed, e.g., Tree Connect, lsa_LookupSids2, etc. Finally, the result is returned and there is no issue with the result itself.
I've noticed that sometimes there is a side effect. If the remote computer has several network interfaces (e.g., it runs a virtual machine with an IP address under NAT), these network interfaces and their IP addresses are listed using FSCTL_QUERY_NETWORK_INTERFACE_INFO. After the result (usernames) has been returned from the primary IP address (the original target IP), the source machine tries to connect to the other IPs, which it got from that SMB2 query. Since these IPs are under NAT, the TCP session is dropped.
What I also noticed is that such behaviour depends on the source machine. The original test with such behaviour was performed on a Windows 2012 server. I also tried to run the same code from Windows 7 and there were no FSCTL_QUERY_NETWORK_INTERFACE_INFO queries at all. Naturally, there were no additional tries to contact these private IPs under NAT. Could such behaviour (listing of all possible network interfaces) be configured in any way on the source machine? Some SMB2-related settings in the registry, or maybe something else?
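As an added example (not code from the original post), the script below wraps the same ADSI enumeration in a function and, before running it, reports the SMB client's multichannel setting on the source machine. FSCTL_QUERY_NETWORK_INTERFACE_INFO is the request SMB 3 multichannel uses to discover a server's interfaces, and the client-side switch for it is EnableMultiChannel in Get-SmbClientConfiguration / Set-SmbClientConfiguration (SmbShare module, Windows 8 and Windows Server 2012 or later). The hostname is a placeholder, and that multichannel is what produces the extra connections here is an assumption to verify against a capture.

```powershell
# Added example, not from the original post.
# Enumerate members of a local group over ADSI and report the SMB client
# multichannel state on this (source) machine.
param(
    [string]$Computer  = 'TARGET-HOST',    # placeholder: hostname or IP of the remote machine
    [string]$GroupName = 'Administrators'
)

function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$GroupName)
    $group = [ADSI]("WinNT://$Computer/$GroupName")
    # Each member is a COM object; pull its ADsPath through reflection
    $group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Get-SmbMultichannelState {
    # When EnableMultiChannel is $true the client issues
    # FSCTL_QUERY_NETWORK_INTERFACE_INFO and may open connections to every
    # interface the server reports, including ones it cannot reach.
    $cfg = Get-SmbClientConfiguration
    [pscustomobject]@{
        EnableMultiChannel = $cfg.EnableMultiChannel
        # Active multichannel connections, if any; empty when only one path is in use
        ActiveConnections  = @(Get-SmbMultichannelConnection).Count
    }
}

Get-SmbMultichannelState
Get-LocalGroupMemberPath -Computer $Computer -GroupName $GroupName

# To stop this client from probing secondary server interfaces (assumption:
# multichannel discovery is the behaviour observed), disable it client-side:
# Set-SmbClientConfiguration -EnableMultiChannel $false -Force
```

Run it first with the default setting and a packet capture in place; if the extra connection attempts to the NAT'd addresses disappear after disabling multichannel on the client, the discovery query was the source. Windows 7 never shows the query because its SMB client predates multichannel.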