29 Oct 2013 @ 6:47 AM 

Trusts… most of the time you create them and never look back… until you have to create a new one.
So what about legacy/ancient trusts? Trusts you don’t need? Trusts that aren’t in use?
Again a post that goes in the category of a clean ‘n healthy environment: a PowerShell function to find stale trusts in your Active Directory.
…and trust me when I write that this can be an eye-opener in many environments :-)

function Get-ADStaleTrusts {
    <#
    .SYNOPSIS
    Performs an inventory of the trusts in your Active Directory environment.
    .DESCRIPTION
    Performs an inventory of the trusts in your Active Directory environment
    by using the repadmin tool. Both outgoing and incoming trusts are shown
    with their last successful synchronization date.
    .EXAMPLE
    This example shows how to start the function.
    PS E:\> Get-ADStaleTrusts
    .NOTES
    Author:   Jeff Wouters
    Requires: Active Directory PowerShell module (Get-ADObject) and repadmin.exe
    #>
    # Every trust is stored as a trustedDomain object in the domain (CN=System container).
    $Items = Get-ADObject -Filter {ObjectClass -eq "trustedDomain"} | Sort-Object -Property Name
    # Read the replication metadata from the PDC emulator of the current domain.
    $PDC = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name
    foreach ($Item in $Items) {
        # repadmin /showobjmeta returns one text line per attribute, including the
        # originating DSA and the originating date/time of the last change.
        $QueryResult = repadmin /showobjmeta $PDC ($Item.DistinguishedName)
        foreach ($Line in $QueryResult) {
            # Only the lines for the trust password attributes (incoming/outgoing) matter here.
            if (($Line -match '(\d+)-(\d+)-(\d+) (\d+):(\d+):(?:\d+)') -and (($Line -like "*trustAuthIncoming*") -or ($Line -like "*trustAuthOutgoing*"))) {
                # Originating DSA as SITE\SERVER. The pattern follows the author's naming
                # convention (3-4-6 characters); adjust it to match your own server names.
                $TargetFullName = [regex]::match($Line,'([a-zA-Z0-9]+)\\[a-zA-Z0-9]{3}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{6}').value
                # When repadmin can no longer resolve the DSA name it prints a GUID instead.
                $Target = [regex]::match($Line,'[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}').value
                $Date = [regex]::match($Line,'(\d{4})-(\d{2})-(\d{2})').value
                $Time = [regex]::match($Line,'(\d{2}):(\d{2}):(?:\d{2})').value
                $InOut = [regex]::match($Line,'(trustAuthIncoming|trustAuthOutgoing)').value
                $Object = New-Object -TypeName PSObject
                $Object | Add-Member -MemberType NoteProperty -Name 'Trust' -Value $Item.Name
                if ($TargetFullName -ne "") {
                    $Object | Add-Member -MemberType NoteProperty -Name 'Target' -Value $TargetFullName
                } else {
                    $Object | Add-Member -MemberType NoteProperty -Name 'Target' -Value $Target
                }
                $Object | Add-Member -MemberType NoteProperty -Name 'LastSyncDate' -Value $Date
                $Object | Add-Member -MemberType NoteProperty -Name 'LastSyncTime' -Value $Time
                $Object | Add-Member -MemberType NoteProperty -Name 'InOut' -Value $InOut
                $Object
            }
        }
    }
}

Please note that this is not a 100% foolproof way of checking if a trust is stale or not… but it is the way I found to be most accurate :-)
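As an added example (not code from the post), here is a helper that takes the objects Get-ADStaleTrusts emits, turns LastSyncDate/LastSyncTime back into a [datetime], and flags each trust direction whose newest trustAuth* change is older than a threshold. The function name, the 90-day default (three times the default 30-day trust password rotation) and the sample rows are assumptions of this example.

```powershell
function Get-ADStaleTrustReport {
    # Reduces Get-ADStaleTrusts output to one row per trust and direction,
    # keeping the newest trustAuth* timestamp and flagging it as stale when
    # it is older than the threshold. Hypothetical helper, not part of the post.
    [CmdletBinding()]
    param (
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [PSObject]$InputObject,
        [int]$ThresholdDays = 90,           # assumption: 3x the default 30-day trust password rotation
        [datetime]$AsOf = (Get-Date)        # reference date, overridable for offline testing
    )
    begin { $All = @() }
    process { $All += $InputObject }
    end {
        $All | Group-Object -Property Trust, InOut | ForEach-Object {
            # LastSyncDate/LastSyncTime are the strings cut from the repadmin line ('yyyy-MM-dd' and 'HH:mm:ss')
            $Newest = $_.Group | ForEach-Object {
                [datetime]::ParseExact("$($_.LastSyncDate) $($_.LastSyncTime)", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            } | Sort-Object -Descending | Select-Object -First 1
            $AgeDays = [math]::Floor(($AsOf - $Newest).TotalDays)
            [PSCustomObject]@{
                Trust     = $_.Group[0].Trust
                Target    = $_.Group[0].Target
                Direction = $_.Group[0].InOut
                LastSync  = $Newest
                AgeDays   = $AgeDays
                Stale     = ($AgeDays -gt $ThresholdDays)
            }
        }
    }
}

# Constructed sample rows in the shape Get-ADStaleTrusts emits (not real repadmin output), evaluated as of 2013-11-01.
$Sample = @(
    [PSCustomObject]@{ Trust='corp.example'; Target='SITE1\DC01'; LastSyncDate='2013-10-20'; LastSyncTime='02:15:07'; InOut='trustAuthIncoming' }
    [PSCustomObject]@{ Trust='corp.example'; Target='SITE1\DC01'; LastSyncDate='2013-10-20'; LastSyncTime='02:15:07'; InOut='trustAuthOutgoing' }
    [PSCustomObject]@{ Trust='legacy.example'; Target='00000000-0000-0000-0000-000000000000'; LastSyncDate='2012-03-14'; LastSyncTime='11:40:59'; InOut='trustAuthOutgoing' }
)
$Sample | Get-ADStaleTrustReport -ThresholdDays 90 -AsOf (Get-Date '2013-11-01') | Format-Table -AutoSize

# Against a live domain, only the suspicious ones:
# Get-ADStaleTrusts | Get-ADStaleTrustReport | Where-Object { $_.Stale }
```

A trust that shows up with only one direction, or with a GUID instead of a server name as Target, deserves a second look as well: both usually mean the partner side has not been touched for a long time.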

Posted By: Jeff Wouters
Last Edit: 11 Nov 2013 @ 07:35 AM
