I have a Windows service account. I need to grant it permission to impersonate another account within a group on another trusted domain, without delegation. So effectively, my service account says 'Oh, I'm [email protected]' now. I know it's possible because it's been set up for another domain - but before I joined, and I don't know how they did it!
I'm a developer, but the directory admin people where I am don't seem to know what to do. Any help would be greatly appreciated!
You're looking for:
"Impersonate a client after authentication" in the Local Security Policy under Local Policies -> User Rights Assignment
You can also use NTRights with "SeImpersonatePrivilege"
ntrights.exe +r SeImpersonatePrivilege -u domain\user
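To confirm which accounts actually hold the right after a change like the one above, the following PowerShell is an added example, not part of the original answer. It parses a user-rights export as written by `secedit /export`. The function name `Get-PrivilegeHolders`, the sample policy text and the account `EXAMPLE\svc-app` are constructed for illustration.

```powershell
# Added example: list the holders of a user right from a security-policy export.
# Live use, from an elevated prompt:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Get-PrivilegeHolders -PolicyLines (Get-Content "$env:TEMP\rights.inf")
function Get-PrivilegeHolders {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $PolicyLines,
        [string] $Privilege = 'SeImpersonatePrivilege'
    )
    $pattern = '^' + [regex]::Escape($Privilege) + '\s*=\s*(.*)$'
    $inSection = $false
    foreach ($raw in $PolicyLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # User rights are listed only in the [Privilege Rights] section.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match $pattern) {
            foreach ($entry in ($Matches[1] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $sid = $null
                $name = $entry          # entries without '*' are plain account names
                if ($entry.StartsWith('*')) {
                    # Entries prefixed with '*' are SIDs; try to resolve them.
                    $sid = $entry.Substring(1)
                    try {
                        $id = [System.Security.Principal.SecurityIdentifier]::new($sid)
                        $name = $id.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $name = '(unresolved)' }
                }
                [pscustomobject]@{ Privilege = $Privilege; Sid = $sid; Account = $name }
            }
        }
    }
}

# Constructed sample export (not taken from a real machine).
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544,*S-1-5-6,EXAMPLE\svc-app
SeDebugPrivilege = *S-1-5-32-544
'@ -split "`r?`n"

Get-PrivilegeHolders -PolicyLines $sample
```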
I'm not sure what you're trying to do exactly, but if you're simply trying to run an application (such as a command prompt) as that user, you use the runas command:
This will open a command prompt running as that specified domain account. (Note that the machine that you are running from will need to know how to reach that domain....)
Running cmd can allow you to run anything (scripts, other apps, explorer windows) as that other credentialed account as that user - child processes are spawned under the parent's account.
(If this doesn't answer your question, please clarify what you are trying to do.)