October 29, 2013

PowerShell function to find stale and old trusts in your Active Directory

Trusts… most of the times you create them and never look back… until you have to create a new one.
So what about legacy/ancient trusts? Trusts you don’t need? Trusts that aren’t in use?
Again a post that goes in the category of a clean ‘n healthy environment: A PowerShell function to find stale trusts in your Active Directory.
…and trust me when I write that this can be an eye-opener in many environments 🙂

function Get-ADStaleTrusts {
    &lt;#
    .SYNOPSIS
    Performs an inventory of the trusts in your Active Directory environment.
    .DESCRIPTION
    PErforms an inventory of the trusts in your Active Directory environment
    by using the repadmin tool. Both outgoing and incoming trusts are shown
    with their last succesful synchronization date.
    .EXAMPLE
    This example shows how to start the function.
    PS E:\&gt; Get-ADStateTrusts
    .NOTES
    Author:   Jeff Wouters
    Requires: Active Directory PowerShell module
    #&gt;
    $Items = Get-ADObject -Filter {ObjectClass -eq "trustedDomain"} | Sort-Object
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() | Select-Object -ExpandProperty 'PDCRoleOwner'
    foreach ($Item in $Items) {
        $QueryResult = repadmin /showobjmeta $PDC ($Item.DistinguishedName)
        foreach ($Query in $QueryResult) { 
            foreach ($Line in $Query) {
                if (($Line -match '(\d+)-(\d+)-(\d+) (\d+):(\d+):(?:\d+)') -and (($Line -like "*trustAuthIncoming*") -or ($Line -like "*trustAuthOutgoing*"))) {
                    $Object = New-Object -TypeName PSObject
                    $TargetFullName = [regex]::match($Line,'([a-zA-Z0-9]+)\\[a-zA-Z0-9]{3}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{6}').value
                    $Target = [regex]::match($Line,'[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}').value
                    $Date = [regex]::match($Line,'(\d{4})-(\d{2})-(\d{2})').value
                    $Time = [regex]::match($Line,'(\d{2}):(\d{2}):(?:\d{2})').value
                    $InOut = [regex]::match($Line,'(trustAuthIncoming|trustAuthOutgoing)').value
                    $Object | Add-Member -MemberType NoteProperty -name 'Trust' -Value $Item.Name
                    if ($TargetFullName -ne "") {
                        $Object | Add-Member -MemberType NoteProperty -Name 'Target' -Value $TargetFullName
                    } else {
                        $Object | Add-Member -MemberType NoteProperty -Name 'Target' -Value $Target
                    }
                    $Object | Add-Member -MemberType NoteProperty -Name 'LastSyncDate' -Value $Date
                    $Object | Add-Member -MemberType NoteProperty -Name 'LastSyncTime' -Value $Time
                    $Object | Add-Member -MemberType NoteProperty -Name 'InOut' -Value $InOut
                    $Object
                }
            }
        }
    }
}

function Get-ADStaleTrusts {

.SYNOPSIS

Performs an inventory of the trusts in your Active Directory environment.

.DESCRIPTION

PErforms an inventory of the trusts in your Active Directory environment

by using the repadmin tool. Both outgoing and incoming trusts are shown

with their last succesful synchronization date.

.EXAMPLE

This example shows how to start the function.

PS E:\> Get-ADStateTrusts

.NOTES

Author: Jeff Wouters

Requires: Active Directory PowerShell module

$Items = Get-ADObject -Filter {ObjectClass -eq "trustedDomain"} | Sort-Object

$PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() | Select-Object -ExpandProperty 'PDCRoleOwner'

foreach ($Item in $Items) {

$QueryResult = repadmin /showobjmeta $PDC ($Item.DistinguishedName)

foreach ($Query in $QueryResult) {

foreach ($Line in $Query) {

if (($Line -match '(\d+)-(\d+)-(\d+) (\d+):(\d+):(?:\d+)') -and (($Line -like "*trustAuthIncoming*") -or ($Line -like "*trustAuthOutgoing*"))) {

$Object = New-Object -TypeName PSObject

$TargetFullName = [regex]::match($Line,'([a-zA-Z0-9]+)\\[a-zA-Z0-9]{3}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{6}').value

$Target = [regex]::match($Line,'[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}').value

$Date = [regex]::match($Line,'(\d{4})-(\d{2})-(\d{2})').value

$Time = [regex]::match($Line,'(\d{2}):(\d{2}):(?:\d{2})').value

$InOut = [regex]::match($Line,'(trustAuthIncoming|trustAuthOutgoing)').value

$Object | Add-Member -MemberType NoteProperty -name 'Trust' -Value $Item.Name

if ($TargetFullName -ne "") {

$Object | Add-Member -MemberType NoteProperty -Name 'Target' -Value $TargetFullName

} else {

$Object | Add-Member -MemberType NoteProperty -Name 'Target' -Value $Target

}

$Object | Add-Member -MemberType NoteProperty -Name 'LastSyncDate' -Value $Date

$Object | Add-Member -MemberType NoteProperty -Name 'LastSyncTime' -Value $Time

$Object | Add-Member -MemberType NoteProperty -Name 'InOut' -Value $InOut

$Object

}

Please note that this is not a 100% fullproof way of checking if a trust is stale or note… but it is the way I found to be most accurate 🙂

JeffOps

PowerShell function to find stale and old trusts in your Active Directory

Leave a Reply Cancel reply

Archives