Use runas with a domain account on a non-domain machine in Windows 2k/XP/Vista/7

19

8

My Windows 7 computer is on LAN in an intranet with a Windows domain, but it is not a member of that domain. However, I need to run some applications under domain accounts while I'm logged on locally as a local admin.

I know you can use the runas utility to start processes under accounts different from the one under which you have logged on. The thing is that Windows needs to know or authenticate the account under which a process is starting.

When I do something like:

runas /user:DOMAIN\USERNAME cmd.exe

(and put in a correct password afterwards) I get this kind of error:

RUNAS ERROR: Unable to run - cmd.exe
1326: Logon failure: unknown user name or bad password.

Does anybody know how to cope with this?

Pavel

Posted 2010-08-03T13:26:31.520

Reputation: 191

Answers

35

The runas command has an extra option /netonly that allows running local apps as a domain user, on a non-domain machine. It worked for me when I ran on Windows 7 Professional - but it does require an elevated Command Prompt.

runas /netonly /user:domain\user command

More details at the below site:

http://codebetter.com/jameskovacs/2009/10/12/tip-how-to-run-programs-as-a-domain-user-from-a-non-domain-computer/

Mike

Posted 2010-08-03T13:26:31.520

Reputation: 459

This worked for me, although I didn't think it was going to, as it still had the logged-in user name in the connection window greyed out. But after connecting I ran the query "select SYSTEM_USER" and it was correct. – JumpingJezza – 2018-06-11T03:33:19.013

3 The addition of /netonly worked for me where my machine is on a domain, but a different domain from that of the user I needed to impersonate. – None – 2013-11-20T17:14:53.013
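The /netonly switch is a thin wrapper around the CreateProcessWithLogonW API with the LOGON_NETCREDENTIALS_ONLY flag: the new process keeps the caller's local token and only outbound network authentication uses the domain credentials, which is why it works on a machine the domain has never heard of. The PowerShell below is an added example that calls that API directly (it is not code from the thread); the DOMAIN\user value is whatever you type at the credential prompt, and the only assumption is a Windows host where runas itself would work.

```powershell
# Added example: what "runas /netonly" does, via CreateProcessWithLogonW.
# LOGON_NETCREDENTIALS_ONLY (0x2) creates a new logon session of type 9
# (NewCredentials) that is NOT validated locally, so no domain trust is needed;
# the Security log records it as event 4624, logon type 9, which is how a
# defender tells /netonly launches apart from normal interactive logons.
Add-Type -Namespace Win32 -Name Logon -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct STARTUPINFO {
    public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
    public int dwX; public int dwY; public int dwXSize; public int dwYSize;
    public int dwXCountChars; public int dwYCountChars; public int dwFillAttribute;
    public int dwFlags; public short wShowWindow; public short cbReserved2;
    public IntPtr lpReserved2; public IntPtr hStdInput; public IntPtr hStdOutput; public IntPtr hStdError;
}
[StructLayout(LayoutKind.Sequential)]
public struct PROCESS_INFORMATION {
    public IntPtr hProcess; public IntPtr hThread; public int dwProcessId; public int dwThreadId;
}
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CreateProcessWithLogonW(
    string lpUsername, string lpDomain, string lpPassword, uint dwLogonFlags,
    string lpApplicationName, string lpCommandLine, uint dwCreationFlags,
    IntPtr lpEnvironment, string lpCurrentDirectory,
    ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);
'@

$LOGON_NETCREDENTIALS_ONLY = 0x2    # the flag behind runas /netonly
$CREATE_NEW_CONSOLE        = 0x10

# Prompt for DOMAIN\user; the password never touches the command line.
$cred = Get-Credential -Message 'Domain account to use for network access only'
$net  = $cred.GetNetworkCredential()

$si = New-Object Win32.Logon+STARTUPINFO
$si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$pi = New-Object Win32.Logon+PROCESS_INFORMATION

# "whoami" in the new window still prints the LOCAL account (local token unchanged);
# "klist" shows the separate logon session that will hold the domain tickets.
$ok = [Win32.Logon]::CreateProcessWithLogonW(
    $net.UserName, $net.Domain, $net.Password, $LOGON_NETCREDENTIALS_ONLY,
    $null, 'cmd.exe /k whoami & klist', $CREATE_NEW_CONSOLE,
    [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)

if (-not $ok) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "CreateProcessWithLogonW failed with Win32 error $err"
}
"Started PID $($pi.dwProcessId) with network-only credentials for $($net.Domain)\$($net.UserName)"
```

Because the credentials are not checked up front, a wrong password only shows up later as an access-denied on the first network resource you touch, exactly as with runas /netonly.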

1

Unless I'm misunderstanding your question, you're trying to use domain credentials to log onto a machine that is not a member of that domain. This can't be done. Domain accounts only log onto domain computers. Local accounts only log onto the local machine (with exceptions).

Kara Marfia

Posted 2010-08-03T13:26:31.520

Reputation: 2 000

Ok, thanks for your comprehensive and clear answer. However, this sounds strange to me: My machine is not on the domain. However: If I want to use the domain's resources, such as shared folders/printers I simply issue net use \\server\resource /user:domain\domainuser and provide my domain password and I can get to them. Why can I not use runas likewise? – Pavel – 2010-08-03T15:32:28.333

When you join a machine to the domain, it's creating a higher level of trust between machine & domain vs. shared resources. Allowing a user to connect to a printer or file share is a lot safer (from an admin perspective) than joining an unknown machine to the domain. The short answer is that it's all for security. Hope that helps. – Kara Marfia – 2010-08-03T23:09:26.367

1 Put another way, for the shared remote items, the non-domain computer isn't trusting the domain. It is just passing the credentials through to gain access to remote resources. Permitting a user to run programs is an entirely different thing, particularly when (since it doesn't know anything about / trust the domain) the non-domain computer doesn't even know for sure the user exists, let alone that it should be allowed to run programs. – Slartibartfast – 2010-08-04T02:34:26.210

1 Kara - I think you misunderstood the question. He's asking how to log on to a computer that is part of a domain with credentials for that domain, but from a computer that is not joined to the domain. Runas is the answer he's looking for. – MegaMatt – 2012-09-10T18:07:36.720

-1

I always use Runas in my AD environment like this:

runas /env /profile /user:domain\useraccnt cmd

Give it a try, it always works for me!

r0ca

Posted 2010-08-03T13:26:31.520

Reputation: 5 474

1

Thanks, r0ca. The thing is that my computer is not on the domain I use in the "runas" command. It is not on any domain at all, actually.

I used another advice from here: http://serverfault.com/questions/88208/mimic-the-behavior-of-a-machine-added-to-a-domain

ksetup /setrealm YOURDOMAIN.TLD
ksetup /addkdc YOURDOMAIN.TLD yourkdc.yourdomain.tld
ksetup /setmachpassword the-password-from-above
ksetup /mapuser yourdomainaccount@YOURDOMAIN.TLD yourlocalaccount

Now, I get this: 1787: The security database on the server does not have a computer account for this workstation trust relationship.

– Pavel – 2010-08-03T15:38:40.440

You won't be able to perform this operation as long as the computer is not listed in the domain. You should RDP on a PC then ;) – r0ca – 2010-08-03T16:03:45.857

But +1 for the line above, interesting! – r0ca – 2010-08-03T16:04:01.457