[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 510
  • Last Modified:

trust relationships

Our auditors need to do some basic account management auditing of our partners domain. There is a trust relationship between the 2. The auditor has a domain user account in domain A (our network) and Ad users and comps on a machine. He wants to audit domain B whlst logged in to domain A. Is it as simple opening up ADUC and connect to the other domain > browse and list it? WIll that give him full access to query that domain - even though they dont have any account in there domain - and only a domain user account in domain A i.e no elevated domain permissions?
0
pma111
Asked:
pma111
  • 3
  • 3
1 Solution
 
pma111Author Commented:
plus is there anyway to extend NET commands to another domain, i.e. run NET USER otherdomainuser_fromdomainB whilst logged in to domain A?
0
 
netjgrnautCommented:
The trust relationship as you describe it (domain B trusts domain A) will grant your auditor whatever level of access is granted to "authenticated users" in domain B.  Typically this is enough to read data using ADUC, though it is trivial for an administrator to filter/hide objects from view.

NET USER [username] /DOMAIN only does lookups against the currently authenticated domain.  Not suitable for your purpose.

If you have PowerShell installed on the auditor's workstation, I'd recommend the Quest PowerShell Commands for AD.

Hope that helps!
0
 
pma111Author Commented:
If you have PowerShell installed on the auditor's workstation, I'd recommend the Quest PowerShell Commands for AD.

Will that allow them to query similar to NET commands in the other domain?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
pma111Author Commented:
If yes ^ could you perhaps do an example and show how?
0
 
netjgrnautCommented:
Sorry - I was unclear.  Yes, the PowerShell commands (cmdlets) offer a great interface using cmdlets like Get-QADUser, Get-QADGroup, Get-QADMemberOf, and Get-QADGroupMember.

If a visual display for review is all that's required, you need know hardly any PowerShell.

If text-based documentation for attestation is required, a minimal amount of PowerShell scripting knowledge (easy to learn by searching for examples on the web) will do the trick.
0
 
netjgrnautCommented:
What do you want to know?

Get-QADGroupMember "Domain Admins"

Open in new window

<- will list all members of that group.

Get-QADUser

Open in new window

<- will list all user objects in the domain.
Get-QADMemberOf "BOBDOB"

Open in new window

<- will list all groups of which user BOBDOB is a member.

You switch domain context by running

Connect-QADService fqdn.of.domain

Open in new window


before executing the remaining queries.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now