trust relationships

Our auditors need to do some basic account management auditing of our partners domain. There is a trust relationship between the 2. The auditor has a domain user account in domain A (our network) and Ad users and comps on a machine. He wants to audit domain B whlst logged in to domain A. Is it as simple opening up ADUC and connect to the other domain > browse and list it? WIll that give him full access to query that domain - even though they dont have any account in there domain - and only a domain user account in domain A i.e no elevated domain permissions?
LVL 3
pma111Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
netjgrnautConnect With a Mentor Commented:
The trust relationship as you describe it (domain B trusts domain A) will grant your auditor whatever level of access is granted to "authenticated users" in domain B.  Typically this is enough to read data using ADUC, though it is trivial for an administrator to filter/hide objects from view.

NET USER [username] /DOMAIN only does lookups against the currently authenticated domain.  Not suitable for your purpose.

If you have PowerShell installed on the auditor's workstation, I'd recommend the Quest PowerShell Commands for AD.

Hope that helps!
0
 
pma111Author Commented:
plus is there anyway to extend NET commands to another domain, i.e. run NET USER otherdomainuser_fromdomainB whilst logged in to domain A?
0
 
pma111Author Commented:
If you have PowerShell installed on the auditor's workstation, I'd recommend the Quest PowerShell Commands for AD.

Will that allow them to query similar to NET commands in the other domain?
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
pma111Author Commented:
If yes ^ could you perhaps do an example and show how?
0
 
netjgrnautCommented:
Sorry - I was unclear.  Yes, the PowerShell commands (cmdlets) offer a great interface using cmdlets like Get-QADUser, Get-QADGroup, Get-QADMemberOf, and Get-QADGroupMember.

If a visual display for review is all that's required, you need know hardly any PowerShell.

If text-based documentation for attestation is required, a minimal amount of PowerShell scripting knowledge (easy to learn by searching for examples on the web) will do the trick.
0
 
netjgrnautCommented:
What do you want to know?

Get-QADGroupMember "Domain Admins"

Open in new window

<- will list all members of that group.

Get-QADUser

Open in new window

<- will list all user objects in the domain.
Get-QADMemberOf "BOBDOB"

Open in new window

<- will list all groups of which user BOBDOB is a member.

You switch domain context by running

Connect-QADService fqdn.of.domain

Open in new window


before executing the remaining queries.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.