Setup delegation without DC

July 8, 2010 at 17:48:16
Specs: Microsoft Windows XP Professional, 2.127 GHz / 1015 MB
This isn't really a programming question, but I couldn't find a category that fit. Is it possible to enable delegation without a Domain Controller, or basically in a network of Workgroup computers?


Using the picture in the link, I'd like to use Computer A to execute a batch file on Computer B, that resides on Computer C. Computer C's folder location for the batch file is in both Computer A's and Computer B's %path%, but when using:

WMIC /Node:"Computer B" /USER:"%USERNAME%" Process Call Create 'batch.bat'

I get ReturnValue=2, which means "path not found". If I fully qualify the path to the batch file using "\\Computer C\Lan Path\batch.bat", I get ReturnValue=9, which means "access denied". The link talks about using the DC to set delegation roles for computers, but who runs a DC in a home network?

Insomniac at large


July 9, 2010 at 07:57:54
WMIC /Node:"Computer B" /USER:"%USERNAME%" Process Call Create "\\Computer C\Lan Path\batch.bat"

Then on Computer C right-click on Lan Path and select Properties. Then select the Security tab. Then add Everyone to the security and give them full rights.

If you don't see the Security tab then go to the Control Panel -> Folder Options -> Select the View tab -> Un-check “Use simple file sharing (Recommended)”.

Windows XP hides the advanced networking stuff so that novices don't mess their computers up.

"but who runs a DC in a home network?"

I do. Is that wrong? I like having a DNS and DHCP server, and if you've got Windows Server why not set up an AD and DC too?


July 9, 2010 at 10:08:20
I'm still getting a 2 and/or 9 after granting "Everyone" full access:

20:09:05> Process Call Create "\\dl380-server\LAN Path\tools\portlist.bat"
Enter the password :*****

Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
        ReturnValue = 2;

12:55:52> Process Call Create "portlist.bat"
Enter the password :*****

Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
        ReturnValue = 9;

I double checked, and the Security permissions did indeed trickle
down to the files, which showed the inherited user's permissions.

At one point, I was prevented from running AD and/or a DC due to
corporate policy from where I worked. I'm no longer constrained by
such rules, and may now indeed promote my server to being a DC...

Insomniac at large

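An added example, not part of any post in this thread: a short Python parser that pairs each `Process Call Create` command in a WMIC transcript with its `ReturnValue` and labels it with the meaning Microsoft documents for `Win32_Process.Create`. The transcript, host name and file name are constructed, and the `second_hop` flag is an assumption of this example that marks UNC targets, which the remote process has to open over a second network connection.

```python
import re

# Return codes documented by Microsoft for Win32_Process.Create.
CREATE_CODES = {
    0: "successful completion", 2: "access denied", 3: "insufficient privilege",
    8: "unknown failure", 9: "path not found", 21: "invalid parameter",
}

# Constructed transcript shaped like WMIC output; host and file names are placeholders.
SAMPLE = r'''
12:00:01> Process Call Create "\\fileserver\share\job.bat"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
        ReturnValue = 2;

12:00:09> Process Call Create "job.bat"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
        ReturnValue = 9;
'''

CALL = re.compile(r'Process\s+Call\s+Create\s+(["\'])(.*?)\1', re.I)
CODE = re.compile(r'ReturnValue\s*=\s*(\d+)\s*;')

def parse_create_results(text):
    """Pair each 'Process Call Create' command with the ReturnValue that follows it."""
    results, pending = [], None
    for line in text.splitlines():
        call, code = CALL.search(line), CODE.search(line)
        if call:
            pending = call.group(2)
        elif code and pending is not None:
            n = int(code.group(1))
            results.append({
                "command": pending,
                "code": n,
                "meaning": CREATE_CODES.get(n, "undocumented code"),
                # Assumption of this example: a UNC target means the remote
                # process must reach a third machine (a second network hop).
                "second_hop": pending.startswith("\\\\"),
            })
            pending = None
    return results

if __name__ == "__main__":
    print(*parse_create_results(SAMPLE), sep="\n")
```

"Method execution successful." only reports that the WMI call itself completed; the outcome of the process launch is carried in `ReturnValue`.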

July 9, 2010 at 10:32:01
Try putting "\\Computer C\Lan Path\" in Computer B's Start->Run and see if you even have access to the share.

You may not have given everyone access to the Share. If not then go on Computer C -> Right-Click the shared Folder -> Select Properties -> Select the Share Tab -> Click the Permissions button and make sure everyone has access to the Share.


July 9, 2010 at 12:02:12
Yep, everyone has full access to the share. That share (and
some of its subdirectories) are included in Computer A and
Computer B's %path%, with no problems accessing the batch
and executable files when at the console, and without
specifying a path. "portlist.bat" has no problems running from
any of the computers' consoles, simply by specifying "portlist"
at a command line. I came across this blog, so I don't think
it's unreasonable to believe that delegation is possible in a
workgroup environment... I just don't know how to translate the
PowerShell actions such as:

PS> set-item wsman:localhost\client\trustedhosts -value *

into something that doesn't require PowerShell. Is wsman
something that can be manipulated by other means?

Insomniac at large


July 9, 2010 at 12:28:54
Oh yuck, I don't think you can do that because it can only be run by someone with administrator rights. I have been looking for a solution to this myself so that I can do software rollouts through scripts. I don't think you can even do this if you do have a DC with AD. It's kinda a security thing because it would give hackers the ability to disseminate Trojans throughout a network. I think you can use a runas but then you have to expose your administrator password in your scripts.

How many computers do you have? You may want to just manually set up Group Policies on each computer to run your scripts. Use GPEDIT.MSC, then put it in the logon script or startup script of the group policy for each computer.

Here this may help.

I have never worked with remote sessions before, but I am guessing it is a permissions issue with running those commands.


July 9, 2010 at 17:12:23
Thanks Ace -
At the moment, I've just got the three machines online: laptop,
desktop, server. I do some video processing on the desktop
and server, and basically write code from the laptop, storing
the programs in the server's "Lan Path" share. My end goal
was to be able to kick off a batch file (that resides on the
server) that does something to a video file that is local to the
desktop, from the laptop. Running the batch file from
the laptop causes WAY too much network traffic.

It's a petty thing, but I don't like to use Remote Desktop with
the desktop computer, because of different screen
resolutions. When I open a RD session with the desktop, all
my desktop icons get moved around. Like I said: petty.

I'll have a look at that link to see if it will work for me!

Thanks again!

Insomniac at large
