Jeff Wouters's Blog

PowerShell function to find stale and old trusts in your Active Directory

by Jeff Wouters on Oct. 29, 2013, under Active Directory, DuPSUG, Microsoft, PowerShell, Windows, Windows Server

Trusts… most of the time you create them and never look back… until you have to create a new one.
So what about legacy/ancient trusts? Trusts you don't need? Trusts that aren't in use?
Another post in the 'clean 'n healthy environment' category: a PowerShell function to find stale trusts in your Active Directory. The idea is simple: every trust is a trustedDomain object whose trustAuthIncoming and trustAuthOutgoing attributes hold the trust password, and that password is rotated automatically for as long as the trust is working, so the replication metadata of those attributes (repadmin /showobjmeta) tells you when the trust last synchronized successfully.
…and trust me when I write that this can be an eye-opener in many environments 🙂

function Get-ADStaleTrusts {
    <#
    .SYNOPSIS
    Performs an inventory of the trusts in your Active Directory environment.
    .DESCRIPTION
    Performs an inventory of the trusts in your Active Directory environment
    by using the repadmin tool. For every trustedDomain object the replication
    metadata of the trustAuthIncoming and trustAuthOutgoing attributes is read
    from the PDC emulator. The originating time of those attributes is the last
    time the trust password was successfully written, which is reported here as
    the last successful synchronization date of the trust, per direction.
    .EXAMPLE
    This example shows how to start the function.
    PS E:\> Get-ADStaleTrusts
    .NOTES
    Author:   Jeff Wouters
    Requires: Active Directory PowerShell module, repadmin.exe
    #>
    # One trustedDomain object per trust partner; they live under CN=System.
    $Items = Get-ADObject -Filter {ObjectClass -eq "trustedDomain"} | Sort-Object Name
    # Query the PDC emulator: trust password changes originate there, so its metadata is the one to read.
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    foreach ($Item in $Items) {
        # repadmin prints one metadata row per attribute:
        # <Loc.USN> <Site\DC or invocation GUID> <Org.USN> <yyyy-MM-dd HH:mm:ss> <Ver> <Attribute>
        $QueryResult = repadmin /showobjmeta $PDC ($Item.DistinguishedName)
        foreach ($Line in $QueryResult) {
            if (($Line -match '(\d+)-(\d+)-(\d+) (\d+):(\d+):(?:\d+)') -and (($Line -like "*trustAuthIncoming*") -or ($Line -like "*trustAuthOutgoing*"))) {
                # The originating DSA is shown as Site\DC, or as a GUID when that DC no longer exists.
                $OriginatingDSA = [regex]::Match($Line, '[^\s\\]+\\[^\s\\]+').Value
                if ($OriginatingDSA -eq '') {
                    $OriginatingDSA = [regex]::Match($Line, '[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}').Value
                }
                $Date  = [regex]::Match($Line, '(\d{4})-(\d{2})-(\d{2})').Value
                $Time  = [regex]::Match($Line, '(\d{2}):(\d{2}):(?:\d{2})').Value
                $InOut = [regex]::Match($Line, '(trustAuthIncoming|trustAuthOutgoing)').Value
                [PSCustomObject]@{
                    Trust          = $Item.Name        # the trust partner (name of the trustedDomain object)
                    OriginatingDSA = $OriginatingDSA   # DC that last wrote the trust password for this direction
                    LastSyncDate   = $Date
                    LastSyncTime   = $Time
                    LastSync       = [datetime]::ParseExact("$Date $Time", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
                    InOut          = $InOut
                }
            }
        }
    }
}

Please note that this is not a 100% foolproof way of checking whether a trust is stale or not… but it is the most accurate way I have found 🙂 The metadata only records the last time the trust password was written on the DC you queried, so treat an old date as a reason to investigate a trust, not as proof that it can be removed.
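To make the stale/active decision explicit, and testable without a domain, here is an added example (mine, not code from the original post). It parses repadmin /showobjmeta rows for the trustAuth* attributes, turns the originating timestamp into a [datetime], and flags anything older than a threshold. The repadmin output below is constructed to mirror the tool's metadata table (the trust names, DC names, sites, GUID and dates are made up), and the StaleAfterDays default of 90 is an assumption, chosen as three times the default 30-day trust password rotation interval so a couple of missed rotations do not produce a false positive.

```powershell
# Added example, not code from the original post. Parses repadmin /showobjmeta
# metadata rows for trustAuthIncoming/trustAuthOutgoing and classifies each trust
# by how long ago its trust password was last written.

function ConvertFrom-TrustObjMeta {
    param(
        [Parameter(Mandatory)] [string]   $TrustName,       # name of the trustedDomain object (the trust partner)
        [Parameter(Mandatory)] [string[]] $RepadminOutput,  # lines from: repadmin /showobjmeta <DC> <trust DN>
        [int]      $StaleAfterDays = 90,                    # assumption: 3x the default 30-day trust password rotation
        [datetime] $Now = (Get-Date)                        # injectable so the sample run below is reproducible
    )
    # One row per attribute: <Loc.USN> <Site\DC or invocation GUID> <Org.USN> <yyyy-MM-dd HH:mm:ss> <Ver> <Attribute>
    $Row = '^\s*(?<LocUsn>\d+)\s+(?<Dsa>\S+)\s+(?<OrgUsn>\d+)\s+' +
           '(?<When>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?<Ver>\d+)\s+' +
           '(?<Attr>trustAuthIncoming|trustAuthOutgoing)\s*$'
    foreach ($Line in $RepadminOutput) {
        if ($Line -match $Row) {
            $LastSync = [datetime]::ParseExact($Matches.When, 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            $AgeDays  = [int]($Now - $LastSync).TotalDays
            [PSCustomObject]@{
                Trust          = $TrustName
                Direction      = $(if ($Matches.Attr -eq 'trustAuthIncoming') { 'Incoming' } else { 'Outgoing' })
                OriginatingDSA = $Matches.Dsa          # Site\DC, or a GUID if that DC no longer exists
                LastSync       = $LastSync
                AgeDays        = $AgeDays
                Version        = [int]$Matches.Ver     # number of originating writes; 1 = never rotated since creation
                Status         = $(if ($AgeDays -gt $StaleAfterDays) { 'Stale' } else { 'Active' })
            }
        }
    }
}

function Get-ADTrustSyncReport {
    # Live variant: same data source as the post, read from the PDC emulator. Needs the AD module and repadmin.exe.
    param([int] $StaleAfterDays = 90)
    $Pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    Get-ADObject -Filter { ObjectClass -eq 'trustedDomain' } | ForEach-Object {
        ConvertFrom-TrustObjMeta -TrustName $_.Name -RepadminOutput (repadmin /showobjmeta $Pdc $_.DistinguishedName) -StaleAfterDays $StaleAfterDays
    } | Sort-Object LastSync
}

# Constructed sample output (made-up trusts, DCs and dates) in repadmin's table layout, keyed by trust name.
$Sample = @{
    'partner.example' = @'
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  81940             Default-First-Site-Name\DC01    81940 2013-10-01 03:12:45   14 trustAuthIncoming
  81941             Default-First-Site-Name\DC01    81941 2013-10-01 03:12:45   14 trustAuthOutgoing
'@
    'legacy.example' = @'
  44120                        LegacySite\DC-OLD    44120 2011-02-14 11:05:01    2 trustAuthIncoming
  44121                        LegacySite\DC-OLD    44121 2011-02-14 11:05:01    2 trustAuthOutgoing
'@
    'gone.example' = @'
  31010   5e3f2c9a-1b7d-4c11-9a8e-2f6b0d4c7e10    31010 2009-06-30 09:00:00    1 trustAuthOutgoing
'@
}

# Offline run, pinned to the post's date so the reported ages are reproducible.
$AsOf = [datetime]::ParseExact('2013-10-29', 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
$Sample.GetEnumerator() | ForEach-Object {
    ConvertFrom-TrustObjMeta -TrustName $_.Key -RepadminOutput ($_.Value -split '\r?\n') -Now $AsOf
} | Sort-Object LastSync | Format-Table Trust, Direction, OriginatingDSA, LastSync, AgeDays, Version, Status -AutoSize
```

In the sample run partner.example comes out Active (password written 28 days before the pinned date), while legacy.example and gone.example come out Stale; gone.example also shows a bare GUID as the originating DSA and a version of 1, meaning the DC that created it is gone and the password was never rotated afterwards, which is exactly the profile of a trust nobody has used since it was set up. Treat Stale as a lead rather than a verdict: confirm a suspect trust with netdom trust <yourdomain> /domain:<partner> /verify and check what still depends on it before removing anything.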
