As a part of my work I sometimes connect to a network with an AD environment/domain, and receive domain user credentials. However, my machine is not a part of the domain. So when I try to query the domain (inside a runas /netonly window), I get this:
C:\Windows\system32>net accounts /do
The request will be processed at a domain controller for domain WORKGROUP.
System error 1355 has occurred.
The specified domain either does not exist or could not be contacted.
However, if I run the same command from a computer inside that domain I get:
C:\Windows\system32>net accounts /do
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: domain.local
The command completed successfully.
Again, this is inside a runas /netonly window titled "cmd.exe (running as domain.local\username)".
The same happens for all similar commands such as "net user username /domain"
Is there any way to query these "net" commands from a computer outside the domain (whilst having a domain user of course)?
As an additional note, some external tools (like the Windows Resource Kit or even PingCastle) work perfectly with runas /netonly.
Best Answer
According to the Microsoft support article Net Commands On Windows Operating Systems, the NET command's /domain switch performs the requested operation on a domain controller of the current domain. For a machine not joined to an Active Directory domain, the "current domain" is the computer's workgroup. But workgroups don't have domain controllers, which is why your NET command is failing:
(emphasis mine)
There's no way around this. The /domain switch is hard coded to read the local machine's domain membership to determine where to look for a domain controller. It has nothing to do with the credentials you use when executing the command, so running it with a domain user's credentials won't make a difference.

Your best option is to execute these commands from a machine that is a member of the domain you wish to query.
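
The /domain switch cannot be pointed at a chosen domain, but the values that net accounts prints are attributes of the domain object, so a query that names the domain controller explicitly does not depend on the local machine's membership. The PowerShell below is an added example, not part of the original answer; the server name dc01.domain.local and the base DN are placeholder assumptions, and it is meant to be run inside the runas /netonly window so the LDAP bind uses the domain credentials.

```powershell
# Added example: read the domain password and lockout policy over LDAP from a
# named domain controller instead of relying on NET's /domain lookup.
param(
    [string]$Server = 'dc01.domain.local',   # placeholder DC host name (assumption)
    [string]$BaseDn = 'DC=domain,DC=local'   # placeholder naming context (assumption)
)

Add-Type -AssemblyName System.DirectoryServices

function ConvertFrom-AdInterval {
    # AD stores durations as negative counts of 100-ns ticks.
    # 0 and Int64.MinValue carry no finite interval, so return $null for them.
    param([long]$Ticks)
    if ($Ticks -eq 0 -or $Ticks -eq [long]::MinValue) { return $null }
    return [TimeSpan]::FromTicks([Math]::Abs($Ticks))
}

function Get-DomainPasswordPolicy {
    param([string]$Server, [string]$BaseDn)
    # Naming the server in the ADsPath bypasses any lookup based on local membership.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    try {
        $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
        $searcher.Filter = '(objectClass=domainDNS)'
        [string[]]$attrs = 'minPwdLength', 'minPwdAge', 'maxPwdAge', 'pwdHistoryLength',
                           'lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow'
        $searcher.PropertiesToLoad.AddRange($attrs)
        $result = $searcher.FindOne()
        if ($null -eq $result) { throw "No domain object returned for $BaseDn on $Server" }
        $p = $result.Properties   # keys are lower-cased; large integers arrive as Int64
        [pscustomobject]@{
            Server                   = $Server
            MinPasswordLength        = $p['minpwdlength'][0]
            PasswordHistoryLength    = $p['pwdhistorylength'][0]
            MinPasswordAge           = ConvertFrom-AdInterval $p['minpwdage'][0]
            MaxPasswordAge           = ConvertFrom-AdInterval $p['maxpwdage'][0]
            LockoutThreshold         = $p['lockoutthreshold'][0]
            LockoutDuration          = ConvertFrom-AdInterval $p['lockoutduration'][0]
            LockoutObservationWindow = ConvertFrom-AdInterval $p['lockoutobservationwindow'][0]
        }
    }
    finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

Get-DomainPasswordPolicy -Server $Server -BaseDn $BaseDn
```

A $null interval means the attribute holds no finite value, and a LockoutThreshold of 0 corresponds to the "Never" shown in the net accounts output above.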