Cheers Looks like I would have to join the host workstation to the (virtual guest) domain to achieve this...might give it a try
Sent from my (new!) BlackBerry, which may make me an antiques dealer, but it's reliable as hell for email delivery :-)

-----Original Message-----
From: Miller Bonnie L. <[email protected]>
Sender: [email protected]
Date: Mon, 21 Apr 2014 20:29:02
To: [email protected]
Reply-to: [email protected]
Subject: RE: [NTSysADM] GPMC from non-domain machine

Ah—hadn’t thought of that. Although it doesn’t explicitly mention Kerberos, a quick search and read of the content suggests you are probably correct:

“By default, you must have two-way trust between the domain you want to add and the domain of your user object. You can also add domains across a one-way trust by disabling the trust detection feature of GPMC, using the Options dialog box on the View menu.”

http://technet.microsoft.com/en-us/library/cc786057(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc738892(v=ws.10).aspx

Seems to indicate that at least a one-way trust is required, which you won’t have with a non-domain machine.

From: [email protected] On Behalf Of Michael B. Smith
Sent: Monday, April 21, 2014 10:14 AM
To: [email protected]
Subject: RE: [NTSysADM] GPMC from non-domain machine

I’m not certain that that is true. Exchange, at least, requires Kerberos auth. You can’t run the tools on a non-domain-joined machine. (You can remote PowerShell – if properly configured for CredSSP – to do the double hop.) But honestly, I don’t know for this example.

From: [email protected] On Behalf Of Miller Bonnie L.
Sent: Monday, April 21, 2014 1:04 PM
To: [email protected]
Subject: RE: [NTSysADM] GPMC from non-domain machine

Agreed that runas SHOULD be able to work, but the non-domain joined VM will need to have some kind of name resolution to the domain for this to work. If you don’t want to point it there via DNS, you may need to edit your hosts (or lmhosts) file to get it to work.
There are firewall considerations as well for the LDAP lookup to function.

-Bonnie

From: [email protected] On Behalf Of Christopher Bodnar
Sent: Monday, April 21, 2014 7:40 AM
To: [email protected]
Subject: Re: [NTSysADM] GPMC from non-domain machine

You should be able to get it to work with a runAs. I manage a few remote domains this way:

    C:\Windows\System32\runas.exe /netonly /user:RemoteDOMAIN\Jdoe "mmc c:\windows\system32\gpmc.msc /domain=RemoteDomain.contoso.com /server=Contosodc1.RemoteDomain.contoso.com"

But you should be able to join the workstation to the domain. Just log on locally, then after the VMs start up, log off and back on again. Or if they are started automatically, just give the DC time to spin up.

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]
The Guardian Life Insurance Company of America
www.guardianlife.com

From: James Rankin <[email protected]>
To: [email protected]
Date: 04/21/2014 10:13 AM
Subject: [NTSysADM] GPMC from non-domain machine
Sent by: [email protected]
________________________________

I have a non-domain workstation which hosts a variety of virtual machines that are in a domain. Is there any way I could run GPMC from this workstation which isn't joined to a domain? RunAs doesn't seem to cut it... I could join the machine to the domain, but that would be a PITA as I try to capture a cached logon because obviously the DC would never be started as the workstation boots up....
Just wondering if there was a way around this or if it's just a complete "can't be done"

Cheers,

--
James Rankin
---------------------
RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization Practice Analyst - Desktop Virtualization
http://appsensebigot.blogspot.co.uk
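
Added example, not written by anyone in the thread: a PowerShell pre-flight script for the runas /netonly approach discussed above, checking the name resolution and firewall prerequisites that were raised before it launches GPMC. The domain, DC and user names are the placeholders from the thread, and the port list (LDAP 389, Kerberos 88, SMB 445 for SYSVOL) is an assumption about what GPMC needs to reach on the DC.

```powershell
# Added example: pre-flight checks before "runas /netonly" GPMC from a
# workstation that is not joined to the target domain.
# Defaults are the placeholder names used in the thread.
param(
    [string]$Domain = 'RemoteDomain.contoso.com',
    [string]$Server = 'Contosodc1.RemoteDomain.contoso.com',
    [string]$User   = 'RemoteDOMAIN\Jdoe'
)

$failures = @()

# 1. Name resolution. Resolve-DnsName also reads the hosts file, so a hosts
#    entry for the DC satisfies this check.
try {
    Resolve-DnsName -Name $Server -ErrorAction Stop | Out-Null
    Write-Host "DNS  ok    $Server"
} catch {
    $failures += "Cannot resolve $Server (fix DNS or add a hosts entry)"
}

# The domain's DC locator record cannot come from a hosts file. The command
# below pins /server, so a miss here is reported as a warning only.
try {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop | Out-Null
    Write-Host "DNS  ok    SRV record for $Domain"
} catch {
    Write-Warning "No LDAP SRV record for $Domain; relying on /server=$Server"
}

# 2. Firewall. Assumed port list: LDAP for the directory lookup, Kerberos for
#    authentication, SMB for the SYSVOL share that holds GPO files.
$ports = @(
    @{ Number = 389; Use = 'LDAP' },
    @{ Number = 88;  Use = 'Kerberos' },
    @{ Number = 445; Use = 'SMB (SYSVOL)' }
)
foreach ($p in $ports) {
    $open = Test-NetConnection -ComputerName $Server -Port $p.Number `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($open) { Write-Host "TCP  ok    $($p.Number) $($p.Use)" }
    else { $failures += "TCP $($p.Number) ($($p.Use)) to $Server is blocked or closed" }
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }

# 3. Launch GPMC with the remote credentials used for network access only.
$mmc = "mmc c:\windows\system32\gpmc.msc /domain=$Domain /server=$Server"
& "$env:SystemRoot\System32\runas.exe" /netonly "/user:$User" $mmc
```

With /netonly, runas does not validate the password when it is entered, so a mistyped credential only shows up later as an access error inside GPMC.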

