
Preauthenticate before using GPMGMT

Status
Not open for further replies.

djhawthorn

Technical User
Mar 4, 2002
641
AU
Is there a way to preauthenticate to a remote/foreign domain before using a tool such as the GPMC Management API (GPMGMT) to connect to that remote domain?

I get 'Access Denied' when I try to bolt up to the remote DC if I don't have the same username and password in both domains.

[ponder][laughtears] The dumber they think you are, the more surprised they'll be when you kill them! [machinegun][rofl2]
 


Create a shortcut on the desktop to GPMC.
Right click the shortcut and do a "Run as...".
Put your other domain's creds in as domain\user and your password...

The trick... the Everyone group must have the user rights for "allow access from the network" and "allow logon locally", at a minimum.

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+

 
Sorry, I meant from within VBScript.

I'm using the GPMGMT API to remotely back up GPOs and import them locally. I need to specify a remote domain username and password to be able to connect though.

[ponder][laughtears] The dumber they think you are, the more surprised they'll be when you kill them! [machinegun][rofl2]
 
One idea that would be easiest would be to set up a scheduled task using the creds you need for that VBScript... simplest idea without code additions...

I'll have to check to see if I have any code snips for kicking off as another domain's account...

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+

 
This script will be executed by multiple people several times a day, via an HTA GUI (where they enter their username and password and other details). These people will not have access to add scheduled tasks, and ideally, this needs to be self-contained inside the HTA.

I have the script using the input username and password for an ADO LDAP query already - and this works successfully to enumerate the Group Policy Objects in the domain. The problem is the username/password is only used for that ADO query and not for the GPMGMT GetDomain() method (which doesn't take a username or password as parameters).

[ponder][laughtears] The dumber they think you are, the more surprised they'll be when you kill them! [machinegun][rofl2]
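To make the difference between the two calls concrete, here is an added VBScript example (not code from the thread or from either poster). It enumerates the GPOs of a remote domain twice: once through an ADO/ADSI query that carries explicit credentials, and once through the GPMC API (GPMgmt.GPM), whose GetDomain() takes a domain name, a DC name and a flag but no credentials, so it binds with the security context the script or HTA was launched under. The domain, DC, DN and account names are constructed placeholders; the Access Denied behaviour on the second call is what the thread describes when there is no trust and no matching account.

```vbscript
Option Explicit

' Constructed placeholder values (not from the thread); substitute your own.
Dim strRemoteDomain, strRemoteDC, strRemoteDN, strUser, strPassword
strRemoteDomain = "remote.example.com"
strRemoteDC     = "dc1.remote.example.com"
strRemoteDN     = "DC=remote,DC=example,DC=com"
strUser         = "REMOTE\gpoadmin"
strPassword     = InputBox("Password for " & strUser, "Remote credentials")

' ADSI authentication flags for the "ADSI Flag" connection property
Const ADS_SECURE_AUTHENTICATION = &H1
Const ADS_SERVER_BIND           = &H200

' ---- Part 1: ADO/ADSI query with explicit credentials ----
' The ADsDSOObject provider accepts "User ID" and "Password" properties, so this
' bind works against a domain with no trust and no matching local account.
Function ListGposViaAdo()
    Dim objConn, objCmd, objRS, strNames
    Set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Properties("User ID")          = strUser
    objConn.Properties("Password")         = strPassword
    objConn.Properties("Encrypt Password") = True
    objConn.Properties("ADSI Flag")        = ADS_SECURE_AUTHENTICATION Or ADS_SERVER_BIND
    objConn.Open "Active Directory Provider"

    Set objCmd = CreateObject("ADODB.Command")
    Set objCmd.ActiveConnection = objConn
    ' Enumerate the groupPolicyContainer objects under CN=Policies,CN=System
    objCmd.CommandText = "<LDAP://" & strRemoteDC & "/CN=Policies,CN=System," & strRemoteDN & ">;" & _
                         "(objectClass=groupPolicyContainer);name,displayName;onelevel"
    Set objRS = objCmd.Execute
    strNames = ""
    Do Until objRS.EOF
        strNames = strNames & objRS.Fields("name").Value & vbTab & _
                   objRS.Fields("displayName").Value & vbCrLf
        objRS.MoveNext
    Loop
    objRS.Close
    objConn.Close
    ListGposViaAdo = strNames
End Function

' ---- Part 2: the same enumeration through the GPMC API ----
' IGPM::GetDomain(domain, domainController, flags) has no credential parameters;
' it binds as the account the script/HTA is running under. Without a trust (or an
' identical username/password in both domains) this raises Access Denied, whatever
' credentials the ADO query above used.
Function ListGposViaGpmc()
    Dim objGPM, objConstants, objDomain, objCriteria, objGPOs, objGPO, strNames
    Set objGPM = CreateObject("GPMgmt.GPM")
    Set objConstants = objGPM.GetConstants()

    On Error Resume Next
    Set objDomain = objGPM.GetDomain(strRemoteDomain, strRemoteDC, objConstants.UseAnyDC)
    If Err.Number <> 0 Then
        ' Typical result when the current user has no rights in the remote domain
        ListGposViaGpmc = "GetDomain failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
        On Error GoTo 0
        Exit Function
    End If
    On Error GoTo 0

    ' An empty search criteria object returns every GPO in the domain
    Set objCriteria = objGPM.CreateSearchCriteria()
    Set objGPOs = objDomain.SearchGPOs(objCriteria)
    strNames = ""
    For Each objGPO In objGPOs
        strNames = strNames & objGPO.ID & vbTab & objGPO.DisplayName & vbCrLf
    Next
    ListGposViaGpmc = strNames
End Function

' MsgBox is used instead of WScript.Echo so the same code runs inside an HTA
MsgBox ListGposViaAdo(),  vbInformation, "GPOs via ADO (explicit credentials)"
MsgBox ListGposViaGpmc(), vbInformation, "GPOs via GPMC API (current user context)"
```

Running both functions from the same HTA shows the point of the thread: the first list comes back because the ADSI provider was handed the remote credentials, while the second call either fails with Access Denied or succeeds only because the launching account already has rights in the remote domain (through a trust or a matching username/password). Nothing in the ADO connection is reused by GPMgmt.GPM.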
 
I think it will boil back to the fact that the HTA app is starting as the currently authenticated user. I don't think HTA gives a "Run as..." selection...

I'll see if I can find any tricks that will allow differing credentials to be used, or creds to be carried over...no promises it will be the same method you're using if I can find anything, but will look for that specifically :)

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+

 
The problem is though, I need to run the HTA against both domains. Basically I access information and resources from one domain and pass it to the other. So runas etc. won't have any effect, as I will only be authenticating against one domain. Besides, runas requires trusts in place.

As best as I can tell, there is no way to do it. I've tried mapping a drive to the remote domain using remote credentials (which works), but GPMGMT doesn't then use those when accessing the remote domain. Given the API won't take alternative credentials, I don't think it's possible.

The only way to do it will be to set up a trust in at least one direction, and ensure the authenticated user has sufficient rights in the foreign domain. I'm even having troubles with this at the moment!

If you have any other suggestions, I'm open to them, but as I say it needs to be a scripted method; runas, scheduled tasks etc. won't work (and defeat the purpose of what I want to achieve).

Cheers.

[ponder][laughtears] The dumber they think you are, the more surprised they'll be when you kill them! [machinegun][rofl2]
 
The trust thing is easy to work out...

Alter lmhosts entries to include the PDCe for each domain
Configure DNS forwarding
Ensure all ports required for domains are opened between the domains (see KB 179442)
Establish trust
Disable SID filtering on trust

I think you are correct though, I don't think we can get multiple creds going at all within the same thread to achieve your goals...

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+

 
The trust is established in my test environment, the correct permissions are set (local user is delegated GPO Create permissions, for example), but I still get an access denied. I haven't had time to troubleshoot it further.

The trust in the production environment though is not so easy - technically easy, yes, but getting design change approval - no! :)



[ponder][laughtears] The dumber they think you are, the more surprised they'll be when you kill them! [machinegun][rofl2]
 
I feel your pain buddy... badly, trust me :)

The best way to go about the delegations, if you haven't done so already, is to nest users from the trusted domain into a group, then delegate permissions to that group.
You will definitely need read, write, createGroupPolicyContainer, etc.... if on 2k3 though, there should be a permission that allows the delegation of RSOP data gathering... if I understand your goals, that's the main one you want. It's best to do this manually rather than through the Delegation of Control wizard typically.

Last note on that... ensure that your permissions are applying to "this object and all child objects" (or similar wording) in the advanced security permissions. Your access denied may be due to the perms being set to "this object only"... it's the most common problem when delegating permissions.

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+

 
The delegations certainly are on a group (not on an individual object), and were delegated out using the GPMC's "Delegation" tab on the "Group Policy Objects" container (I can't stand the wizards) - I've successfully delegated that permission out to a group of users in the local domain, so it "should" work.

It dies on the CreateGPO() function too, which at that stage does nothing but create a groupPolicyContainer object - so something is wrong.

When I finish today's exam, I'll run up the test lab again and put in some effort to retest the delegation further though... I basically got the Access Denied error and it was time to go home :)

[ponder][laughtears] The dumber they think you are, the more surprised they'll be when you kill them! [machinegun][rofl2]
 
Ah ok, I use the ADUC console directly rather than the GPMC (in fact, I don't/won't use GPMC due to bugs in it).

-Brandon Wilson
MCSE00/03, MCSA:Messaging00, MCSA03, A+

 