
I am trying to use PowerShell to remote from machine1.domain1 to machine2.domain2.

A tunnel 127.0.0.1:4048 has been created to machine2.domain2:5985; 4048 is the local port on machine1.domain1, and 5985 is the remote PowerShell port on machine2.domain2.

machine2.domain2 has a local user account (created locally on machine2.domain2) with username: user1, password: pwd1.

machine2.domain2 also has a domain account with username: domain2\user2, password: pwd2.

machine3.domain2 is another machine in the same domain and the same local network as machine2.domain2.

Here are the tests:

  1. Using the domain account, from machine1.domain1 (success):

    $credential = New-Object System.Management.Automation.PSCredential "domain2\user2", (ConvertTo-SecureString "pwd2" -AsPlainText -Force)

    New-PSSession 127.0.0.1 -Authentication Credssp -Credential $credential -port 4048

  2. Using the local account, from machine3.domain2 (success):

    $credential = New-Object System.Management.Automation.PSCredential "user1", (ConvertTo-SecureString "pwd1" -AsPlainText -Force)

    New-PSSession machine2.domain2 -Authentication Credssp -Credential $credential -port 5985

  3. Using the local account, from machine1.domain1 (failed: "Access is denied. For more information, see the about_Remote_Troubleshooting Help topic."):

    $credential = New-Object System.Management.Automation.PSCredential "user1", (ConvertTo-SecureString "pwd1" -AsPlainText -Force)

    New-PSSession 127.0.0.1 -Authentication Credssp -Credential $credential -port 4048

That means I can use a domain account of domain2 to remote from machine1.domain1 to machine2.domain2, but I cannot use the local user account of machine2.domain2 to remote from machine1.domain1.

Does anyone know why?

Lee_Dailey: Local accounts are only local ... why would you expect a local account on a system in Domain_1 to be recognized by anything in Domain_2?

xinglong: It is the local account on machine2.domain2.com, not on machine1.domain1.com.

Lee_Dailey: [1] Your question says you can use a DOMAIN ACCOUNT but cannot use a LOCAL ACCOUNT. The exact dom-1 versus dom-2 is almost certainly not part of the problem. [2] My understanding is that WinRM requires that the account used to remote INTO a system be a member of the local admin group. That is usually the case with domain admin accounts.

1 Answer

I missed the ".\" prefix; the username should be ".\user1".

Test 2 succeeded because I used a local account (.\user3) to log in to machine3.domain2, so PowerShell could deduce the full username for "user1" to be .\user1.

Test 3 failed because I logged in as domain1/user, so PowerShell deduced the username "user1" to be domain1/user1 for remoting, which cannot be found on machine2.domain2.
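As an added example (not code from the question or the answer), the following function makes the fix above explicit: it qualifies a bare local username before building the credential, opens the session through the tunnel, and then asks the remote host which identity it actually authenticated, so a wrong qualification shows up as a clear error instead of a bare "Access is denied". The port-forward endpoint and the ".\" prefix come from the thread; the function name and parameters are assumptions.

```powershell
# Added example, not from the original post: open a PSSession to a local
# account on the remote machine through a local port-forward, qualifying the
# username so the client does not resolve it against its own logon domain.
function New-LocalAccountSession {
    param(
        [Parameter(Mandatory)] [string]       $UserName,             # e.g. "user1"
        [Parameter(Mandatory)] [securestring] $Password,
        [string] $ComputerName = '127.0.0.1',                        # local end of the tunnel
        [int]    $Port         = 4048                                # forwarded to machine2:5985
    )

    # A bare "user1" is qualified by the client's logon domain (domain1\user1),
    # which the target cannot resolve. ".\" tells the target to look it up locally.
    if ($UserName -notmatch '[\\@]') {
        $UserName = ".\$UserName"
    }

    $credential = [System.Management.Automation.PSCredential]::new($UserName, $Password)

    $session = New-PSSession -ComputerName $ComputerName -Port $Port `
        -Authentication Credssp -Credential $credential -ErrorAction Stop

    # Ask the remote side which account it really authenticated. whoami returns
    # "COMPUTERNAME\user" for a local account and "DOMAIN\user" for a domain account.
    $remoteIdentity = Invoke-Command -Session $session -ScriptBlock { whoami }
    $remoteHost     = Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }

    if ($remoteIdentity -notlike "$remoteHost\*") {
        Remove-PSSession $session
        throw "Expected a local account on $remoteHost, but authenticated as '$remoteIdentity'."
    }

    Write-Verbose "Authenticated to $remoteHost as $remoteIdentity"
    return $session
}

# Usage: prompt for the password instead of embedding it in the script.
# $pwd  = Read-Host -Prompt 'Password for user1' -AsSecureString
# $sess = New-LocalAccountSession -UserName 'user1' -Password $pwd -Verbose
# Invoke-Command -Session $sess -ScriptBlock { hostname }
```

Passing an already-qualified name such as "machine2\user1" or "domain2\user2" is left untouched, so the same function works for the domain-account case in test 1.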