If we are running a server that is not attached to the domain, how would I go about adding a domain user to a local group on that server?
1 Answer
13
You don't. There has to be a trust between the computer and the domain (aka joining the computer to the domain) to be able to authenticate domain users locally.
Now for something practical:
You have two options:
1) Create a local user with the same username and password as the domain user, and add that local user to the local group.
2) Join the machine to the domain.

Zypher
So simply adding a local user with the same name and password is sufficient to create trust (in this instance)? – Michael Todd May 25 '10 at 19:44
It's not so much creating a trust as having your username and NTLM hash match ... it's more of a hacky workaround than anything really. – Zypher May 25 '10 at 19:47
Correct. The domain user tries to connect, Kerberos won't be tried, so unless you have GPOs that prevent clients from trying to authenticate via down-level protocols, the machine will try NTLM. If they match, then you're in without having to type anything. – mfinni May 25 '10 at 19:51
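
Option 1 from the answer, as an added PowerShell example that is not part of the original post. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets, an elevated session on the non-joined server, and placeholder names `jsmith` and `Remote Desktop Users`; it also checks the server's inbound NTLM policy, since the workaround depends on NTLM being accepted.

```powershell
# Added example, not from the original thread.
# Assumptions: PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts), elevated session,
# run on the server that is NOT joined to the domain. Names below are placeholders.
param(
    [string]$UserName  = 'jsmith',
    [string]$GroupName = 'Remote Desktop Users'
)
$ErrorActionPreference = 'Stop'

# The workaround relies on NTLM. Check the "Restrict NTLM: Incoming NTLM traffic" policy:
# absent or 0 = allow all, 1 = deny domain accounts, 2 = deny all accounts.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $lsaKey -Name RestrictReceivingNTLMTraffic `
                -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
if ($restrict -eq 2) {
    throw 'Incoming NTLM is denied for all accounts; a matching local account cannot authenticate.'
}

# The password has to be typed so that it equals the domain password.
# Nothing keeps the two in sync afterwards.
$password = Read-Host -Prompt "Password for $UserName (same as the domain password)" -AsSecureString

# Create the mirror account, or reset its password if it already exists.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $password `
        -Description 'Mirror of domain account (manual sync)' | Out-Null
} else {
    Set-LocalUser -Name $UserName -Password $password
}

# Add the local account to the local group only if it is not already a member.
$member = Get-LocalGroupMember -Group $GroupName |
    Where-Object { $_.Name -eq "$env:COMPUTERNAME\$UserName" }
if (-not $member) {
    Add-LocalGroupMember -Group $GroupName -Member $UserName
}

# Show the resulting membership for review.
Get-LocalGroupMember -Group $GroupName | Format-Table Name, PrincipalSource
```

When the domain password changes, the local copy no longer matches and the silent logon stops working until the script is run again with the new password.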