I am trying to open a gpmc for another domain. We have 2 AD Domains A and B. There are no trusts between them. My Computer is joined to Domain A and I want to open a gpmc for domain B.
For DSA (AD Users and Computers) this seems to be possible like this:
runas.exe /netonly /user:<Domain B>\<Domain B User> "mmc dsa.msc /domain=<Domain B>"
but when I try to run this for gpmc the following error comes up:
I probably do not have access to the logs of either domain.
Best Answer
This is working as expected and is not supposed to work. The GPMC console is designed to try to get a operational token for the PDC of the domain environment wherever you are opening the same. Because PDC(primary domain controller role holder in a domain ) is supposed to have the most recent copy of the group policies (but sometimes this is not true due to delayed replication etc.) So when you try to connect to GPMC of another domain it connects and sends a Kereros request which fails to get a ticket(to be considered same as token i mentioned above.) .
If you take a network trace in both the cases you will see that there is a TGT request to get a ticket for SPN ldap/(domain A) from the domain B domain controller which is not possible because you do not have trust between the domains. This fails with "KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)" . This is the moment you see the access is denied error as shown in screenshot . I hope that provides clarity on your query .
It's been a while, but with the help of a colleague we came to a solution. The GPMC has an option called trust detection (View -> Options -> General).
Once this options is disabled, the GPMC has to be closed so that this option is saved. If you then start the GPMC via
runas.exe /netonly /user:<Domain B>\<Domain B User> "mmc gpmc.msc /domain=<Domain B>"
the forest from domain B can be added and you can configure your GPOs as you normally would.