Solved

trust relationships

Posted on 2011-09-19
6
500 Views
Last Modified: 2012-05-12
Our auditors need to do some basic account management auditing of our partners domain. There is a trust relationship between the 2. The auditor has a domain user account in domain A (our network) and Ad users and comps on a machine. He wants to audit domain B whlst logged in to domain A. Is it as simple opening up ADUC and connect to the other domain > browse and list it? WIll that give him full access to query that domain - even though they dont have any account in there domain - and only a domain user account in domain A i.e no elevated domain permissions?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 3

Author Comment

by:pma111
ID: 36559812
plus is there anyway to extend NET commands to another domain, i.e. run NET USER otherdomainuser_fromdomainB whilst logged in to domain A?
0
 
LVL 6

Accepted Solution

by:
netjgrnaut earned 500 total points
ID: 36559874
The trust relationship as you describe it (domain B trusts domain A) will grant your auditor whatever level of access is granted to "authenticated users" in domain B.  Typically this is enough to read data using ADUC, though it is trivial for an administrator to filter/hide objects from view.

NET USER [username] /DOMAIN only does lookups against the currently authenticated domain.  Not suitable for your purpose.

If you have PowerShell installed on the auditor's workstation, I'd recommend the Quest PowerShell Commands for AD.

Hope that helps!
0
 
LVL 3

Author Comment

by:pma111
ID: 36559879
If you have PowerShell installed on the auditor's workstation, I'd recommend the Quest PowerShell Commands for AD.

Will that allow them to query similar to NET commands in the other domain?
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 
LVL 3

Author Comment

by:pma111
ID: 36559887
If yes ^ could you perhaps do an example and show how?
0
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 36559901
Sorry - I was unclear.  Yes, the PowerShell commands (cmdlets) offer a great interface using cmdlets like Get-QADUser, Get-QADGroup, Get-QADMemberOf, and Get-QADGroupMember.

If a visual display for review is all that's required, you need know hardly any PowerShell.

If text-based documentation for attestation is required, a minimal amount of PowerShell scripting knowledge (easy to learn by searching for examples on the web) will do the trick.
0
 
LVL 6

Expert Comment

by:netjgrnaut
ID: 36559916
What do you want to know?

Get-QADGroupMember "Domain Admins"

Open in new window

<- will list all members of that group.

Get-QADUser

Open in new window

<- will list all user objects in the domain.
Get-QADMemberOf "BOBDOB"

Open in new window

<- will list all groups of which user BOBDOB is a member.

You switch domain context by running

Connect-QADService fqdn.of.domain

Open in new window


before executing the remaining queries.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article runs through the process of deploying a single EXE application selectively to a group of user.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question