Using non-domain local account to connect to a domain

We have domain.local in our datacenter.  The DC is Server 2008.  We have a Windows 2003 Server, Backup1.domain.local, that is used for network storage.  We have created a domain account called "backupuser" for automation purposes.  When we set a scheduled task to backup one of the servers in our domain, we set the task to run as domain\backupuser.  When we set a scheduled task to backup a client's server, which is not in our domain, we create a local user on that server with the same name and password, and set the task to run as that local user.  The scheduled tasks access the network storage server through UNC (i.e., \\backup1\d$\backup_directory).  This has been working fine.

We recently added another network storage server, backup2.  It is using Windows 2008 Server.  This same system is working fine for any machine in our domain, but the local user strategy is now returning 0xc0000064 (user does not exist) during authentication.  We cannot use a domain account to run the task since the local system is not aware of the domain and provides no local access for its accounts.  How can we have a local user account still be able to access the network shares via UNC?
LVL 52
Steve BinkAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

IroshaCommented:
Run the task with Local Privveleges but do a NET USE to the remote location using the domain credentials...
For example write a batch file that will run before the task, on backup2, without actually mapping a drive... just identifying to the domain... it works even if the machine is not attached/aware of the domain...

NET USE \\backup1 /USER:DOMAIN\username password

this will just introduce itself to the server and supply the correct domain credentials. so when you will try to go to a share on it later on it will grant you access.
0
Steve BinkAuthor Commented:
We can't do that because of the security concerns involved with saving a password in a batch file.  It does work, though.  I tested with NET USE to figure out why I was getting access denied when I first discovered the issue.

In case it matters, the backup task is running a third-party app (snapshot) which accesses the network storage by UNC.  The path/filenames it uses are passed on the command line.
0
FarWestCommented:
I think it is better to have a domain for backup servers and joint those servers to it, and create trust relationship with production domain,
this way authonticated users by backup servers domains are trusted in the production domain
0
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Steve BinkAuthor Commented:
>>> I think it is better to have a domain for backup servers

I will raise this possibility.  That would resolve a couple of issues we are seeking to address, including this authentication problem.
0
Steve BinkAuthor Commented:
Using a domain for the backup servers was rejected by management.  In the end, we decided to go with individual local accounts on both the network storage server and the client servers not joined to the domain.  This presents us with a few additional management issues, but it does get the job done.  Servers that are joined to the domain can continue to use the domain account as usual.

0
Steve BinkAuthor Commented:
Also, it seems the issue was a combination of two different problems.

1) NTLM passthrough, which is disabled by default in Windows 2008.  It was enabled by default in prior systems.  http://www.appassure.com/support/KB/4130091/
2) Administrator/UAC.  See http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26951831.html for more information.

We decided not to allow NTLM passthrough (it was a loophole to begin with, and is rightly disabled), and bypassed the UAC restrictions by maintaining a local group for this purpose.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Steve BinkAuthor Commented:
The one suggestion offered worked, but was not acceptable for the task at hand.  It only served to verify the problem.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.