
I am trying to use PowerShell to remote from machine1.domain1 to machine2.domain2.

A tunnel 127.0.0.1:4048 has been created for machine2.domain2:5985; 4048 is the local port on machine1.domain1, and 5985 is the remote PowerShell port on machine2.domain2.

machine2.domain2 has a local user account (created locally on machine2.domain2) with username user1 and password pwd1.

machine2.domain2 also has a domain account with username domain2\user2 and password pwd2.

machine3.domain2 is another machine in the same domain and on the same local network as machine2.domain2.

Here are the tests:

  1. Using the domain account, from machine1.domain1 (success):

    $credential = New-Object System.Management.Automation.PSCredential "domain2\user2", (ConvertTo-SecureString "pwd2" -AsPlainText -Force)

    New-PSSession 127.0.0.1 -Authentication Credssp -Credential $credential -port 4048

  2. Using the local account, from machine3.domain2 (success):

    $credential = New-Object System.Management.Automation.PSCredential "user1", (ConvertTo-SecureString "pwd1" -AsPlainText -Force)

    New-PSSession machine2.domain2 -Authentication Credssp -Credential $credential -port 5985

  3. Using the local account, from machine1.domain1 (failed: "Access is denied. For more information, see the about_Remote_Troubleshooting Help topic."):

    $credential = New-Object System.Management.Automation.PSCredential "user1", (ConvertTo-SecureString "pwd1" -AsPlainText -Force)

    New-PSSession 127.0.0.1 -Authentication Credssp -Credential $credential -port 4048

That means I can use a domain account of domain2 to remote from machine1.domain1 to machine2.domain2, but I cannot use the local user account of machine2.domain2 to remote from machine1.domain1.

Anyone know why?

  • Local accounts are only local ... why would you expect a local account on a system in Domain_1 to be recognized by anything in Domain_2? (Commented Aug 7, 2019 at 18:13)
  • It is the local account on machine2.domain2.com, not on machine1.domain1.com. (Commented Aug 7, 2019 at 19:25)
  • [1] Your question says you can use a DOMAIN ACCOUNT but cannot use a LOCAL ACCOUNT. The exact dom-1 versus dom-2 is almost certainly not part of the problem. [2] My understanding is that WinRM requires that the account used to remote INTO a system be a member of the local admin group. That is usually the case with domain admin accounts. (Commented Aug 7, 2019 at 20:53)

1 Answer


I missed the ".\" prefix; the username should be ".\user1".

Test 2 succeeded because I used a local account (.\user3) to log in to machine3.domain2, so PowerShell could deduce the full username for "user1" to be .\user1.

Test 3 failed because I logged in as domain1\user, so PowerShell deduced the user name "user1" as domain1\user1 for remoting, which cannot be found on machine2.domain2.
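An added example, not part of the question or the answer above, that makes the account qualifier explicit in code instead of leaving it to the logon context of whoever runs the script: one helper prefixes the target's local account with ".\" when no qualifier was given, a second helper shows which domain and user name the PSCredential will actually present (PSCredential splits "domain\user" on the backslash), and the session is then opened through the tunnel with the same New-PSSession call as test 3. It assumes the tunnel 127.0.0.1:4048 to machine2.domain2:5985 and the user1/pwd1 account from the question; the function names New-LocalAccountCredential and Show-CredentialParts are my own.

```powershell
# Added example (not from the original question or answer).
# Assumptions: the tunnel 127.0.0.1:4048 -> machine2.domain2:5985 from the
# question is up, and machine2.domain2 has the local account user1/pwd1.

$localPort  = 4048          # local end of the tunnel on machine1.domain1
$targetHost = '127.0.0.1'   # tunnel endpoint, exactly as in the original tests

# ".\" means "an account local to the machine that evaluates the logon",
# i.e. machine2.domain2 once the request arrives there. A bare "user1"
# carries no qualifier at all, so the receiving side has to pick one.
function New-LocalAccountCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password
    )
    if ($UserName -notmatch '\\') {
        # Make the qualifier explicit instead of relying on the caller's logon domain.
        $UserName = ".\$UserName"
    }
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential ($UserName, $secure)
}

# Show what the client will present: GetNetworkCredential() separates the
# domain part (text before the backslash) from the user part.
function Show-CredentialParts {
    param([Parameter(Mandatory)][pscredential]$Credential)
    $net = $Credential.GetNetworkCredential()
    [pscustomobject]@{
        UserNameAsGiven = $Credential.UserName
        Domain          = $net.Domain
        User            = $net.UserName
    }
}

# The credential from test 3 (no qualifier) next to the explicitly qualified one;
# compare the Domain field of the two objects.
$bare      = New-Object System.Management.Automation.PSCredential ('user1', (ConvertTo-SecureString 'pwd1' -AsPlainText -Force))
$qualified = New-LocalAccountCredential -UserName 'user1' -Password 'pwd1'

Show-CredentialParts -Credential $bare
Show-CredentialParts -Credential $qualified

# Same call as test 3, now with the qualified local account.
$session = New-PSSession -ComputerName $targetHost -Port $localPort -Authentication Credssp -Credential $qualified
Invoke-Command -Session $session -ScriptBlock { whoami }   # identity as seen by machine2.domain2
Remove-PSSession $session
```

The plaintext password is kept here only to mirror the question; in practice build the credential with Get-Credential so the secret never lands in a script file or the PowerShell history. Also keep in mind that CredSSP hands the full password to the remote side, so it should only be used against a host you trust with that credential.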
