Manage another user's credentials for network access

7

2

I have a Windows account that is used for running services (i.e. it's not intended that any person should log in as that account). Turns out one of the services needs to access a remote network share that's on a machine in a different Windows domain, and so needs to supply remote credentials to get to that share.

Now if it was me needing to access the remote share, I would simply open Credential Manager, and save the required credentials. But it's not me, and my understanding of credential manager is it only saves credentials to be used by the logged in user.

I can of course solve this problem. I temporarily elevate the privileges of the service account to allow interactive logins, then I log in as that user and use credential manager to store the correct remote credentials. Then I remove the interactive login privileges. But that feels very hacky and not the kind of thing I ought to be doing.

So my question is: Is there another way to save remote credentials for an account other than the one you're logged in as? Any better way to solve my problem?

PhantomDrummer

Posted 2013-01-17T13:49:32.167

Reputation: 719

Turns out Credentials Manager is irrelevant anyway, as it's entirely up to the app whether it uses it or not - and in my case it seems the service I'm running doesn't. Lee's answer that I've accepted is great because it sidesteps credentials manager altogether. – PhantomDrummer – 2013-01-18T16:12:16.800

Answers

3

If you can access the remote computer, you could add your service account to the local Users group and match the username/password to what you would use. Don't forget to give it administrative privileges.

Then go to the remote login tab in the system menu, and add that user as someone who is allowed to log in remotely. This is what I do when I need to hit certain machines that are on our network, but not part of the domain for whatever reason.

Lee Harrison

Posted 2013-01-17T13:49:32.167

Reputation: 2 046

That's exactly what I wanted. I hadn't realised that if you had the same login and password, Windows would accept the credentials even if the login was coming from a different machine (and so had a different SID). Thanks Lee! – PhantomDrummer – 2013-01-18T16:10:32.883

24

Although it turned out to be irrelevant to your situation, for the benefit of future searchers, the answer to the actual question "Manage another user's credentials for network access" is:

runas /user:serviceaccountname "%windir%\system32\cmdkey.exe /add:server.domain.com /user:username /pass:password"

This will create a credential in serviceaccountname's credential vault for server.domain.com using username/password.

/user also supports domain\username and username@domain styles.

agentnega

Posted 2013-01-17T13:49:32.167

Reputation: 613
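
A variant of the runas/cmdkey approach above, as an added example that is not part of any answer on this page: it leaves the value off `/pass` so cmdkey prompts for the remote password instead of taking it on the command line, then lists the stored entry to confirm it. The script name and the three arguments are placeholders.

```bat
@echo off
rem Added example, not from the original answers. Hypothetical script name and
rem placeholder values:
rem   store-cred.cmd serviceaccountname server.domain.com username
setlocal
if "%~3"=="" (
    echo Usage: %~nx0 SERVICE_ACCOUNT TARGET_SERVER REMOTE_USER
    exit /b 1
)
set "SVC=%~1"
set "TARGET=%~2"
set "REMOTEUSER=%~3"
set "CMDKEY=%windir%\system32\cmdkey.exe"

rem runas prompts for the service account's own password.
rem In the window it opens, cmdkey prompts for the remote password because
rem /pass is given without a value, so the secret is never part of a command
rem line, a script file, or a process-creation audit record.
rem cmd /k keeps that window open so the /list output can be read; type
rem "exit" there when done.
runas /user:%SVC% "cmd /k %CMDKEY% /add:%TARGET% /user:%REMOTEUSER% /pass & %CMDKEY% /list:%TARGET%"

rem To remove the stored entry later, run (with the same values):
rem   runas /user:SERVICE_ACCOUNT "%windir%\system32\cmdkey.exe /delete:TARGET_SERVER"
endlocal
```

runas performs an interactive-type logon, so it fails with a logon-type error for an account that is denied local logon.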