Solved

trust relationships

Posted on 2011-09-19
6
496 Views
Last Modified: 2012-05-12
Our auditors need to do some basic account management auditing of our partners domain. There is a trust relationship between the 2. The auditor has a domain user account in domain A (our network) and Ad users and comps on a machine. He wants to audit domain B whlst logged in to domain A. Is it as simple opening up ADUC and connect to the other domain > browse and list it? WIll that give him full access to query that domain - even though they dont have any account in there domain - and only a domain user account in domain A i.e no elevated domain permissions?
0
Comment
Question by:pma111
  • 3
  • 3
6 Comments
 
LVL 3

Author Comment

by:pma111
ID: 36559812
plus is there anyway to extend NET commands to another domain, i.e. run NET USER otherdomainuser_fromdomainB whilst logged in to domain A?
0
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 500 total points
ID: 36559874
The trust relationship as you describe it (domain B trusts domain A) will grant your auditor whatever level of access is granted to "authenticated users" in domain B.  Typically this is enough to read data using ADUC, though it is trivial for an administrator to filter/hide objects from view.

NET USER [username] /DOMAIN only does lookups against the currently authenticated domain.  Not suitable for your purpose.

If you have PowerShell installed on the auditor's workstation, I'd recommend the Quest PowerShell Commands for AD.

Hope that helps!
0
 
LVL 3

Author Comment

by:pma111
ID: 36559879
If you have PowerShell installed on the auditor's workstation, I'd recommend the Quest PowerShell Commands for AD.

Will that allow them to query similar to NET commands in the other domain?
0
 
LVL 3

Author Comment

by:pma111
ID: 36559887
If yes ^ could you perhaps do an example and show how?
0
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 36559901
Sorry - I was unclear.  Yes, the PowerShell commands (cmdlets) offer a great interface using cmdlets like Get-QADUser, Get-QADGroup, Get-QADMemberOf, and Get-QADGroupMember.

If a visual display for review is all that's required, you need know hardly any PowerShell.

If text-based documentation for attestation is required, a minimal amount of PowerShell scripting knowledge (easy to learn by searching for examples on the web) will do the trick.
0
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 36559916
What do you want to know?

Get-QADGroupMember "Domain Admins"

Open in new window

<- will list all members of that group.

Get-QADUser

Open in new window

<- will list all user objects in the domain.
Get-QADMemberOf "BOBDOB"

Open in new window

<- will list all groups of which user BOBDOB is a member.

You switch domain context by running

Connect-QADService fqdn.of.domain

Open in new window


before executing the remaining queries.
0

Join & Write a Comment

The password reset disk is often mentioned as the best solution to deal with the lost Windows password problem. In Windows 2008, 7, Vista and XP, a password reset disk can be easily created. But besides Windows 7/Vista/XP, Windows Server 2008 and ot…
Know what services you can and cannot, should and should not combine on your server.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now