Using PowerShell to remotely connect to a machine that's NOT in the domain yet

Robbo777 Member Posts: 331
Hi, I was wondering if there is any way to remote into a machine that's on the same network 192.168.0.0/24 and from there get it to join my domain. All the examples I've seen in PowerShell seem to indicate being on that machine locally and then joining it to the domain with the UI or PowerShell. From there you can use Enter-PSSession etc... to connect and administer the machine, but nothing that seems to indicate remotely connecting using PowerShell into a machine that's not a part of the domain yet.

Thanks for the help

Comments

  • TheFORCE Member Posts: 2,297
    Run mstsc to remote to the PC, enter the IP address or hostname.
  • Robbo777 Member Posts: 331
    Thanks for the reply but it isn't working, although the computer is on the same network it is in a WORKGROUP and I don't know the correct way to connect to it because it isn't connected to a domain.
    The server computer is already in a domain and comes up every time with that domain\administrator. Quick query, the username of the W8 machine I want to remote into is User01 and I know the password and IP address, they can both ping. Should I be typing User01 as the username and then the password with the domain blank or Administrator in the username box? This is just one little primitive thing that I have never actually known 100% correctly before.

    *Update* This is beyond confusing, I'm sorry! So I have just logged into my MARVEL domain on Hyper-V from my STARWARS administrator account credentials (both domain controllers have the same password just for simplicity for me but that shouldn't matter!). How is an account from that domain (STARWARS) able to type in STARWARS\Administrator in the STARWARS domain on that domain controller and remotely log in to the MARVEL domain as the administrator, meanwhile I try the exact same thing to log into the WORKSTATION machine and it doesn't work! I'm sorry but that just doesn't make sense and is beyond frustrating.

    *Update* I can log on from the MARVEL domain even with one of the users "Yoda" and the password for him, even if I put MARVEL\yoda it still works.......How??? Haha, this is so confusing. Doesn't it matter if you're on a different domain then? As long as you have the credentials?
  • MariusRZR Member Posts: 92
    Have you set up any trust between the domains?

    Create a new account under StarWars and try to log in for the first time using Marvel\NewAccount, see if it still works.
  • Robbo777 Member Posts: 331
    No, there is no trust at all. That was what I was going to do next. How can this be? I was under the impression that one PC couldn't remote desktop into another one if it was in a different domain because that user wouldn't be registered in that domain. Am I on the right track with this logic or am I totally wrong! I would love an answer because this is one of the most confusing things I've encountered.

    ALSO, ironically the only desktop I can remotely sign into is the WORKGROUP one with the username being User01 and the address 192.168.0.23. The machines are seeing it but when it asks me for credentials I don't know what to type in, do I type in Administrator or User01 along with that PC's password? I have tried both and can't remote into it! Remote desktop never works straightforwardly for me!
  • Pseudonym Member Posts: 341
    Try pc-01\administrator (or whatever the PC is called and your username) and the password to log on to a local account. RDP will need to be enabled and you'll need a firewall exception.
  • BornToBeMild Member Posts: 69
    If you are logging in to a Workgroup PC, use the computer name in place of the domain. If your computer is called W8, it would be W8\Administrator, or W8\User01.

    The confusion is because in reality it ignores the domain bit because it's not domain joined. You could type XYZ\User01 and it would still work. As long as the username and password are in its local account database it will let you in.
  • MariusRZR Member Posts: 92
    Huh, thanks. I didn't know that either.
  • Robbo777 Member Posts: 331
    BornToBeMild wrote: »
    If you are logging in to a Workgroup PC, use the computer name in place of the domain. If your computer is called W8, it would be W8\Administrator, or W8\User01.

    The confusion is because in reality it ignores the domain bit because it's not domain joined. You could type XYZ\User01 and it would still work. As long as the username and password are in its local account database it will let you in.

    Yeah I just tried it again, I can remote into another domain using the username and password of that STARWARS domain user "yoda" in this case, and it lets me log in when it says MARVEL\Yoda from a domain controller in the MARVEL domain! Both different forests too!
    That is so strange! Do you mean it's locally cached on the physical machine and Hyper-V treats them all as one in that respect?? Where does security come into it then also?
    Am I right in saying that what I've just done CAN'T be done in the real world and wouldn't work?? Really need some clarity on all of this because to be honest it's one of the most confusing things I've come across! Not to mention I still can't remote into that Workgroup machine! Haha. The username is User01 and computer name is WinClient8 so I've been typing in WinClient8\User01 along with the password and it's not working. It's the only one that doesn't work, different forest to different forest works but not a simple workgroup machine! Madness!
  • BornToBeMild Member Posts: 69
    It's the remote desktop program that's causing the confusion. If I log into a DC in the domain TEST with user User01:

    directly on the console

    TEST\User01 works
    XYZ\User01 fails

    From remote desktop

    TEST\User01 works
    XYZ\User01 works - well it logs in as TEST\User01.

    I agree it is confusing, but not something that generally causes a problem as you still need a username and password from the domain or server you're logging into.

    If WinClient8\User01 is not a local administrator, check it's in the Remote Desktop Users group on the PC.
  • Robbo777 Member Posts: 331
    Okay, thanks for the help as well. I've gotten it to work BUT more importantly I don't know how it actually ended up working haha! Basically, it worked by using the Hyper-V machine DC for the MARVEL domain and I entered Admin and the password for the WORKGROUP machine. I saw this user by going into computer management on the WORKGROUP PC and seeing "Admin" and "Administrator"; the User01 is the "full name" for the "Admin" account and the normal Administrator account is there too.
    Even if I tried to use the Administrator account to log in it didn't work! So so strange to be honest and I'm not sure why only Admin and not User01, Administrator worked also.

    I have a couple of questions for you if you might know the answers for them.

    1. I still can't wrap my head around how the MARVEL\ domain controller (with the other machine's credentials) machine was able to remote desktop into the WORKGROUP machine or the STARWARS domain controller? They're on different domains, how is this possible? Sorry also but I didn't quite understand what you were referring to in your last example with the "directly from console" etc.. Did you mean from a PowerShell console and also the remote desktop software? So if I tried to remote into the same machines from another domain in the PowerShell console then it wouldn't work? In your example though you're logging into that TEST domain with the "TEST\" domain specified. With me I can log into the STARWARS domain using this....MARVEL\yoda and the password "password" for example. The yoda user is on the STARWARS domain and not the MARVEL one, obviously! haha. (sorry about this, it's just one of those things I really want to and need to know)

    2. This is more of a networking question associated with 2012 but, how exactly does this whole "joining the domain" work in regards to packets, requests? etc... Does the PC wanting to join a domain make a request to the DNS server for which the PC has been configured and then it goes from there, even though for example in my example the machine that joined the domain was on the 192.168.0.0/24 network, same as the DC but the DC address is 192.168.0.150 so the WORKGROUP machine (before it became a domain machine) has its normal DHCP address, default gateway set to 192.168.0.1 and the DNS server set to 192.168.0.150 (same as the DC), do you know how this process works? Is it basically what I described before? (this question isn't related to the remote desktop problem, just a query)

    Thanks for your help so far also
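
The checks raised in the replies above (RDP enabled, a firewall exception, membership of Remote Desktop Users, and the account name versus its "full name"), collected as an added PowerShell example that is not from any poster. It is meant to be run elevated on the workgroup PC itself; `Test-RdpLogonPrereqs` is a hypothetical helper name, `Admin` is the local account named in the post above, and the firewall group name assumes an English-language Windows.

```powershell
# Added example, not from the thread. Run elevated on the workgroup PC itself.
# Test-RdpLogonPrereqs is a hypothetical helper name; 'Admin' is the local
# account named in the thread, substitute your own.
function Test-RdpLogonPrereqs {
    param([Parameter(Mandatory)][string]$Account)

    # 1. Remote Desktop is enabled when fDenyTSConnections is 0.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled = ($ts.fDenyTSConnections -eq 0)

    # 2. At least one enabled inbound rule in the built-in "Remote Desktop"
    #    firewall group (display group name assumes English-language Windows).
    $fwRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

    # 3. Local accounts: the logon name is the Name column, not FullName.
    #    A disabled account cannot log on even with the right password.
    $accounts = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
        Select-Object Name, FullName, Disabled
    $match = $accounts | Where-Object { $_.Name -eq $Account }

    # 4. Non-administrators must be in "Remote Desktop Users"; administrators
    #    are allowed by default. Read both groups through the WinNT provider.
    $memberOf = foreach ($g in 'Administrators', 'Remote Desktop Users') {
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$g,group"
        $names = @($group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        }
        if ($names -contains $Account) { $g }
    }

    [pscustomobject]@{
        RdpEnabled      = $rdpEnabled
        FirewallRuleOn  = ($fwRules.Count -gt 0)
        AccountExists   = [bool]$match
        AccountDisabled = if ($match) { $match.Disabled } else { $null }
        AllowedViaGroup = @($memberOf) -join ', '
        LogonName       = "$env:COMPUTERNAME\$Account"   # what to type in mstsc
        LocalAccounts   = $accounts
    }
}

Test-RdpLogonPrereqs -Account 'Admin' | Format-List
```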
  • Dojiscalper Member Posts: 266
    Yeah in the basic form the AD DNS server's job is to receive requests from other machines attempting to access the network and authenticate them against its AD database. I haven't dug into it further than that it works and I'm glad it does.

    As far as why your remote control user authentication was giving you trouble, it has a lot to do with permissions, groups, and even local machine security policies and firewall rules. I've seen many different things cause failed authentication working with remote desktop, etc. You might find that one of your "admin" users is a "domain or enterprise" admin and has more rights than your other accounts.
  • BornToBeMild Member Posts: 69
    "Directly on the console" just means using the screen, keyboard, mouse that belong to that computer, i.e. not remote desktop.

    1) In your example, using remote desktop you can login to your STARWARS server using the account MARVEL\yoda, even though yoda doesn't exist in the MARVEL domain, correct? Instead of MARVEL\yoda, try ZZZZ\yoda or RANDOM\yoda. According to my testing, it will still work.

    It's actually logging in to STARWARS\yoda and ignoring the domain bit of the username.

    2) The client uses its configured DNS to find a local domain controller for the domain. That's why it doesn't work if your client DNS points to your router. The DNS requests would go out to the internet which doesn't know about your AD domain.
    It then uses the domain account to create a computer object in the domain and does some local changes linking the client with that object.
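
The DNS step described in point 2, as an added PowerShell pre-join check that is not from any poster: it confirms the client's DNS points at the DC, looks up the SRV record domain controllers register, and probes the core ports a join uses. `Test-DomainJoinReadiness` is a hypothetical helper name and `marvel.example` is a placeholder for the domain's DNS name (the thread only gives the NetBIOS name MARVEL); 192.168.0.150 is the DC/DNS address from the thread.

```powershell
# Added example, not from the thread. Run on the client before joining.
# Assumptions: 'marvel.example' is a placeholder DNS domain name;
# 192.168.0.150 is the DC/DNS address mentioned in the thread.
function Test-DomainJoinReadiness {
    param(
        [Parameter(Mandatory)][string]$DomainFqdn,
        [Parameter(Mandatory)][string]$ExpectedDns
    )

    # Which DNS servers will this client actually ask?
    $dns = @((Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
        Select-Object -Unique)

    # Domain controllers register this SRV record in the AD DNS zone;
    # a router or public resolver will not have it.
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV `
            -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'SRV' })

    # Probe Kerberos (88), LDAP (389) and SMB (445) on each DC found.
    $reach = foreach ($dc in $srv.NameTarget) {
        foreach ($port in 88, 389, 445) {
            $tcp = New-Object System.Net.Sockets.TcpClient
            $pending = $tcp.BeginConnect($dc, $port, $null, $null)
            $open = $pending.AsyncWaitHandle.WaitOne(2000) -and $tcp.Connected
            $tcp.Close()
            [pscustomobject]@{ DC = $dc; Port = $port; Open = $open }
        }
    }

    [pscustomobject]@{
        DnsServers    = $dns
        DnsPointsAtDc = ($dns -contains $ExpectedDns)
        DcsFromSrv    = $srv.NameTarget
        PortChecks    = $reach
    }
}

$r = Test-DomainJoinReadiness -DomainFqdn 'marvel.example' -ExpectedDns '192.168.0.150'
$r | Format-List

# Only when DNS and the port checks look right, join and reboot:
# Add-Computer -DomainName 'marvel.example' -Credential (Get-Credential) -Restart
```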
  • Robbo777 Member Posts: 331
    Thanks for the response, I've just changed my DNS server on my physical machine to point to my DNS server on my DC and not my router and I tried to go out to google or another random site that would not be in the cache on the machine and it still works? How can this be when there is no zone or record for it?

    I know I probably sound like a broken record with DNS but parts of it are confusing. When I go to log in on a MARVEL domain PC and click other user to change the domain to STARWARS\yoda along with the password, it gives me a message saying that "this computer has not been configured in a trust with the domain", okay so I'm assuming then that means that the actual computer is not an object on the STARWARS domain and therefore won't be accepted even if the correct credentials are configured. My problem is HOW does the attributed computer know where that domain actually is, obviously it knows where the marvel DC is because of the DNS configuration in the network settings on the PC but how does it know where and how to query the other domain since there is no trust or record in the hosts file for the STARWARS domain on the MARVEL DNS server? Does it just send out some kind of broadcast until when one replies with the correct domain information it acknowledges it?
    What's to stop someone in a work environment typing any other domain name in and just guessing the password of a user on that domain, because it even indirectly tells me if the password is right or wrong: when I enter it in incorrectly on purpose it says "incorrect username or password" but if it's the correct password then it comes up with the "this computer has not been configured in a trust with the domain". Where does the security come into it all??

    Thanks again
  • BornToBeMild Member Posts: 69
    For the DNS question I think what you are asking boils down to - How does a DNS server resolve queries for zones that do not exist on the local server or in the cache? Forwarders and Root Hints. Have a look at the following:

    https://danielmiessler.com/study/dns/

    https://en.wikipedia.org/wiki/Root_name_server

    For the security question - Is remote desktop a potential security risk? Yes. Security isn't an on/off switch, it's a compromise between stopping the bad guys, and allowing your users to do their jobs with the minimum inconvenience. Any way of accessing corporate resources carries some risk. Password guessing is a fairly easy risk to mitigate.
  • Robbo777 Member Posts: 331
    But the thing is that I don't actually have any conditional forwarders or additional root hints configured, I haven't touched them and there's no record of the IP addresses or DNS website names on the server. So how is it when I go to www.google.com or whatever, that it actually works when the PC is configured to the DNS server on the DC that only has host records of a computer and the DC server.

    I wasn't really referring to remote desktop in particular in that question, I was more talking about a user in the MARVEL domain being able to, before they log on, click "other user" then try and sign in with an account on the STARWARS domain by typing in STARWARS\yoda with the correct password. Granted it doesn't actually work BUT it also gives an indirect confirmation that's the correct username and password though by saying "this computer has not been configured in a trust with the domain", as opposed to when I enter in the wrong password on purpose it tells me "incorrect username or password". So it's obviously getting through to that server somehow, how again when there is no record in that DNS server for the STARWARS domain controller machine. So confusing haha!
  • BornToBeMild Member Posts: 69
    Robbo777 wrote: »
    But the thing is that I don't actually have any conditional forwarders or additional root hints configured

    You should have the default root hints. You don't need anything else. The articles explain why.