Copy-Item to non-domain computer

Hi, I’m trying to copy some files from a domain-joined computer, to a non-domain-joined computer (no domain at all).

I want to do this with a script run from a scheduled task, so prompting for the password won’t work. To deal with this I have created a PSCredential object with the Username and Password fields populated. For the username I am using ‘servername\username’ as it is an account local to that system. The credential is created using New-Object System.Management.Automation.PSCredential -ArgumentList ("servername\username", (System.Security.SecureString value)).

I am trying to do this as simply as possible. I looked at just using Copy-Item, as well as New-PSSession and New-PSDrive. I landed on using:

New-PSDrive -Name "DriveName" -PSProvider FileSystem -Root "\\server\path" -Credential (PSCredential object)

Once that completes, I can use Copy-Item with impunity and have no issues copying files to the remote system without having to authenticate again.

All of this actually does work – however the issue I have is that before logging in using the user/pass stored in the PSCredential object, the system first tries an NTLM login using my local domain account (the one running the script). After that tries about 3x and fails, only then does it use the creds in the object.

Not necessarily the end of the world, but it does waste some time, and on top of that it also fires all kinds of alerting within our SOC team as it generates a bunch of failed logins to the off-domain computer, all from my domain account.

Is there a way to avoid that initial NTLM auth attempt with the domain account, and just jump straight into using the ‘servername\username’ account that is local to the remote system? Or, am I doing this completely wrong and there’s a better way? 🙂

Thanks!!
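
The approach described in the question above, written out as one non-interactive script; this is an added example, not code from the original post. The server name, account name, share, file paths and drive name are placeholders, and loading the credential from a DPAPI-protected file is an assumption about how the SecureString is supplied.

```powershell
# Added example: New-PSDrive with a stored credential, then Copy-Item.
# Every name and path below is a placeholder, not a value from the post.
$ErrorActionPreference = 'Stop'

$credFile   = 'C:\Scripts\remote-cred.xml'   # hypothetical credential file
$remoteRoot = '\\SERVERNAME\share'           # hypothetical UNC share
$source     = 'C:\Data\outgoing\*'           # hypothetical source files
$driveName  = 'RemoteCopy'                   # hypothetical drive name

# One-time setup, run interactively as the account that runs the scheduled task:
#   Get-Credential -UserName 'SERVERNAME\localuser' -Message 'Remote local account' |
#       Export-Clixml -Path $credFile
# On Windows, Export-Clixml encrypts the SecureString with DPAPI, so only the
# same user on the same computer can read the password back.

$cred = Import-Clixml -Path $credFile
if ($cred -isnot [System.Management.Automation.PSCredential]) {
    throw "File '$credFile' does not contain a PSCredential object."
}

$drive = $null
try {
    # Map the share for this session only, using the remote local account.
    $drive = New-PSDrive -Name $driveName -PSProvider FileSystem `
                         -Root $remoteRoot -Credential $cred

    # Copy through the mapped drive; no further authentication is needed.
    Copy-Item -Path $source -Destination "${driveName}:\" -Recurse -Force
}
finally {
    # Always drop the mapping so the credentialed connection does not linger.
    if ($drive) {
        Remove-PSDrive -Name $drive.Name -Force
    }
}
```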

You could try to actually run the task with the account of the remote computer. Or you may try to create a share on the remote workgroup computer and give the needed rights to the domain account you’re using to run the task.

Thanks Olaf. Issue there is, I believe, that neither computer knows anything about the identities of the other. In other words, on the off-domain server, how could I tell it to only permit access to (authenticated) domain user ‘xyz’ when it has no means of authenticating it (no Kerberos)? And likewise, on the domain computer, there’s no means of assuming the identity of a static local account on another system – unless I’m misunderstanding something.

I cannot test at the moment but if I remember right and you have a proper working DNS it should work just as expected. You specify the user of the remote computer with “ComputerName\Username” and the domain user with “Domain\UserName”. At least it will not hurt you when you try it. 😉

BTW:

When you crosspost the same question at the same time to different forums you should at least post links to the other forums along with your question to avoid people willing to help you doing their work twice or more.

Thanks in advance

Thanks, I’ll give the earlier suggestion a look.

Regarding the cross-posting: not sure how it saves anyone much of anything – if it’s the same person considering responding, surely they’d know it’s the same question. And if it’s someone else with different ideas, and those ideas work, then I’ll happily close both posts with whatever solution works, so both communities will benefit.

Usually it’s part of the forum rules as well and it will not kill you and it is polite, don’t you think? 😉

That’s fair. IME most “real life” issues people have with cross-posts is that some kind of offense has been taken, and/or admittedly, many (most?) people don’t bother closing out threads – ANY of them! – once a solution has been found. Which annoys me as well. So in that instance I can see the value of linking, in case someone closes out one forum but not another.

Once I do get something working (hoping within next day or two) I’ll be sure to close things out and share how it goes.

Just throwing this out there out of curiosity. What happens if you change your creds to “.\username” which indicates a local account to the system?