Solved

trust relationships

Posted on 2011-09-19
Last Modified: 2012-05-12
Our auditors need to do some basic account management auditing of our partner's domain. There is a trust relationship between the 2. The auditor has a domain user account in domain A (our network) and AD users and comps on a machine. He wants to audit domain B whilst logged in to domain A. Is it as simple as opening up ADUC and connect to the other domain > browse and list it? Will that give him full access to query that domain - even though they don't have any account in their domain - and only a domain user account in domain A, i.e. no elevated domain permissions?
Question by:pma111

Author Comment

by:pma111
ID: 36559812
Plus, is there any way to extend NET commands to another domain, i.e. run NET USER otherdomainuser_fromdomainB whilst logged in to domain A?

Accepted Solution

by:
netjgrnaut earned 500 total points
ID: 36559874
The trust relationship as you describe it (domain B trusts domain A) will grant your auditor whatever level of access is granted to "authenticated users" in domain B.  Typically this is enough to read data using ADUC, though it is trivial for an administrator to filter/hide objects from view.

NET USER [username] /DOMAIN only does lookups against the currently authenticated domain.  Not suitable for your purpose.

If you have PowerShell installed on the auditor's workstation, I'd recommend the Quest PowerShell Commands for AD.

Hope that helps!

Author Comment

by:pma111
ID: 36559879
If you have PowerShell installed on the auditor's workstation, I'd recommend the Quest PowerShell Commands for AD.

Will that allow them to query similar to NET commands in the other domain?

Author Comment

by:pma111
ID: 36559887
If yes ^ could you perhaps do an example and show how?

Expert Comment

by:netjgrnaut
ID: 36559901
Sorry - I was unclear.  Yes, the PowerShell commands (cmdlets) offer a great interface using cmdlets like Get-QADUser, Get-QADGroup, Get-QADMemberOf, and Get-QADGroupMember.

If a visual display for review is all that's required, you need know hardly any PowerShell.

If text-based documentation for attestation is required, a minimal amount of PowerShell scripting knowledge (easy to learn by searching for examples on the web) will do the trick.

Expert Comment

by:netjgrnaut
ID: 36559916
What do you want to know?

Get-QADGroupMember "Domain Admins"
<- will list all members of that group.

Get-QADUser
<- will list all user objects in the domain.

Get-QADMemberOf "BOBDOB"
<- will list all groups of which user BOBDOB is a member.

You switch domain context by running

Connect-QADService fqdn.of.domain

before executing the remaining queries.
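
For the text-based attestation case mentioned in the thread, a short audit export, added here as an example and not written by any participant in the thread. It assumes the Quest ActiveRoles AD cmdlets are installed on the auditor's workstation; the domain name, output folder and selected properties are placeholders chosen for illustration.

```powershell
# Added example: export account-management evidence from a trusted domain.
# Assumes the Quest ActiveRoles AD snap-in is installed.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop

$domainB = 'domainb.example.com'   # placeholder FQDN of the trusted partner domain
$outDir  = 'C:\Audit\DomainB'      # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Switch the default context to domain B. No -Credential is passed, so the
# auditor's domain A logon is used and the results show only what
# "authenticated users" are allowed to read in domain B.
Connect-QADService -Service $domainB | Out-Null

try {
    # Privileged group membership, including members reached through nested groups.
    Get-QADGroupMember 'Domain Admins' -Indirect -SizeLimit 0 |
        Select-Object Name, Type, DN |
        Export-Csv (Join-Path $outDir 'domain-admins.csv') -NoTypeInformation

    # All user objects. -SizeLimit 0 lifts the cmdlets' default result cap.
    $users = Get-QADUser -SizeLimit 0 |
        Select-Object SamAccountName, DisplayName, AccountIsDisabled,
                      PasswordNeverExpires, PasswordLastSet, LastLogonTimestamp
    $users | Export-Csv (Join-Path $outDir 'users.csv') -NoTypeInformation

    # Common audit finding: enabled accounts whose password never expires.
    $users |
        Where-Object { -not $_.AccountIsDisabled -and $_.PasswordNeverExpires } |
        Export-Csv (Join-Path $outDir 'enabled-pwd-never-expires.csv') -NoTypeInformation

    # Record how many objects were visible, so the attestation can be compared
    # with a count supplied by a domain B administrator (objects can be hidden).
    "{0} user objects visible in {1} on {2:u}" -f @($users).Count, $domainB, (Get-Date) |
        Set-Content (Join-Path $outDir 'summary.txt')
}
finally {
    # Drop the domain B connection so later queries do not run against it by mistake.
    Disconnect-QADService
}
```

Because the accepted answer notes that a domain B administrator can filter objects from view, the visible-object count in summary.txt should be reconciled with a figure from domain B before the export is treated as complete.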