Windows – Running “net” commands with /domain flag outside of the domain

active-directory, cmd.exe, command line, runas, windows

As a part of my work I sometimes connect to a network with an AD environment/Domain, and receive domain user credentials. However, my machine is not a part of the domain. So when I try to query the domain (inside a runas /netonly window), I get this:

C:\Windows\system32>net accounts /do
The request will be processed at a domain controller for domain WORKGROUP.

System error 1355 has occurred.

The specified domain either does not exist or could not be contacted.

However, if I run the same command from a computer inside that domain I get:

C:\Windows\system32>net accounts /do
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        domain.local
The command completed successfully.

Again, this is inside a runas /netonly window titled "cmd.exe (running as domain.local\username)".
The same happens for all similar commands such as "net user username /domain".

Is there any way to query these "net" commands from a computer outside the domain (whilst having a domain user of course)?

As an additional note, some external tools (like the Windows Resource Kit or even PingCastle) work perfectly with runas /netonly.

Best Answer

According to the Microsoft support article Net Commands On Windows Operating Systems, the NET command's /domain switch performs the requested operation on a domain controller of the current domain.

For a machine not joined to an Active Directory domain, the "current domain" is the computer's workgroup. But workgroups don't have domain controllers, which is why your NET command is failing:

The request will be processed at a domain controller for domain WORKGROUP.

System error 1355 has occurred.

The specified domain either does not exist or could not be contacted.

(emphasis mine)

There's no way around this. The /domain switch is hard coded to read the local machine's domain membership to determine where to look for a domain controller. It has nothing to do with the credentials you use when executing the command, so running it with a domain user's credentials won't make a difference.

Your best option is to execute these commands from a machine that is a member of the domain you wish to query.
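
The limitation described above is in how net.exe locates a domain controller. As an added example (not part of the original question or answer), the PowerShell script below reads the same policy values that "net accounts /domain" reports by sending an LDAP query to a domain controller named explicitly, so the local machine's workgroup membership is never consulted. The server name dc01.domain.local and the base DN are assumptions standing in for the question's domain.local.

```powershell
# Added example: read the policy that "net accounts /domain" reports, over LDAP.
# Run inside: runas /netonly /user:domain.local\username powershell.exe
param(
    [string]$Server = 'dc01.domain.local',  # hypothetical DC name; use one you can reach
    [string]$BaseDN = 'DC=domain,DC=local'  # DN form of the question's domain.local
)

# Interval attributes are stored as negative counts of 100 ns ticks.
function Convert-AdInterval {
    param([long]$Ticks, [ValidateSet('Days', 'Minutes')][string]$Unit)
    if ($Ticks -eq [long]::MinValue) { return 'No limit' }  # sentinel for "never"
    $span = [TimeSpan]::FromTicks([Math]::Abs($Ticks))
    if ($Unit -eq 'Days') { [int]$span.TotalDays } else { [int]$span.TotalMinutes }
}

# Naming the server in the ADsPath skips DC discovery via local domain membership.
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDN")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
$searcher.Filter = '(objectClass=domainDNS)'
[string[]]$attrs = 'minPwdAge', 'maxPwdAge', 'minPwdLength', 'pwdHistoryLength',
                   'lockoutThreshold', 'lockoutDuration', 'lockOutObservationWindow'
$searcher.PropertiesToLoad.AddRange($attrs)

try {
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No domain object returned by $Server for $BaseDN" }
    $p = $result.Properties   # keys are lower-cased attribute names

    [pscustomobject]@{
        Server                   = $Server
        MinPasswordAgeDays       = Convert-AdInterval -Ticks ($p['minpwdage'][0]) -Unit Days
        MaxPasswordAgeDays       = Convert-AdInterval -Ticks ($p['maxpwdage'][0]) -Unit Days
        MinPasswordLength        = $p['minpwdlength'][0]
        PasswordHistoryLength    = $p['pwdhistorylength'][0]
        LockoutThreshold         = $p['lockoutthreshold'][0]   # 0 means lockout is disabled
        LockoutDurationMinutes   = Convert-AdInterval -Ticks ($p['lockoutduration'][0]) -Unit Minutes
        LockoutObservationMinutes = Convert-AdInterval -Ticks ($p['lockoutobservationwindow'][0]) -Unit Minutes
    }
}
finally {
    $searcher.Dispose()
    $root.Dispose()
}
```

No credentials are passed to DirectoryEntry, so the bind uses the network credentials supplied to runas /netonly. The workstation must still be able to resolve and reach the domain controller, for example by pointing its DNS at the domain's DNS server.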