Active Directory Trusts PowerShell

Hello,

Historically, we have managed Active Directory trusts with NetDom.exe. This tool has been around for many years, and you will find plenty of resources about it on the Internet. But today we are in 2015, PowerShell is king now, so let's see how we can use it to manage Active Directory trusts.

NetDom.exe

[Screenshot: Active Directory trusts managed with NetDom.exe]

Active Directory Trusts PowerShell

The .NET Framework provides a namespace, System.DirectoryServices.ActiveDirectory, with classes for working with Directory Services:

[System.DirectoryServices.ActiveDirectory.Domain]
[System.DirectoryServices.ActiveDirectory.Forest]

As their names suggest, one is for forests and one for domains. Each of them has static methods:

[System.DirectoryServices.ActiveDirectory.Forest] | Get-Member -Static
[System.DirectoryServices.ActiveDirectory.Domain] | Get-Member -Static

[Screenshot: static methods of the Forest and Domain classes]

You can use them to get the current domain:

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

[Screenshot: Get Current Domain]

Once you have the domain object, you can ask it for a lot more:

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() | Get-Member

[Screenshot: GetCurrentDomain Methods]

Here we are: we now have access to the trust methods.

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetAllTrustRelationships()

[Screenshot: Get All Trusts]

If you want more information about a trust, you can query its selective authentication and SID filtering status:

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetSelectiveAuthenticationStatus('D2K3R2.local')

[Screenshot: Get SelectiveAuth]

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetSidFilteringStatus('D2K3R2.local')

[Screenshot: Get SidFiltering status]

You can disable SID filtering with SetSidFilteringStatus:

[Screenshot: Disable SidFiltering]

Keep in mind that SID filtering is what stops SIDs carried in the SIDHistory of accounts from the trusted domain from being honoured on your side, so only disable it for as long as a migration needs it and turn it back on afterwards.

In case you have any doubts, query the status again:

[Screenshot: SidFiltering disabled]

Almost everything we did with NetDom can be done with these methods:

  • CreateLocalSideOfTrustRelationship
  • CreateTrustRelationship
  • DeleteLocalSideOfTrustRelationship
  • DeleteTrustRelationship
  • FindAllDiscoverableDomainControllers
  • FindAllDomainControllers
  • FindDomainController
  • GetAllTrustRelationships
  • GetDirectoryEntry
  • GetSelectiveAuthenticationStatus
  • GetSidFilteringStatus
  • GetTrustRelationship
  • RaiseDomainFunctionality
  • RepairTrustRelationship
  • SetSelectiveAuthenticationStatus
  • SetSidFilteringStatus
  • UpdateLocalSideOfTrustRelationship
  • UpdateTrustRelationship
  • VerifyOutboundTrustRelationship
  • VerifyTrustRelationship

NetDom can retire peacefully, PowerShell got our back 🙂

Additional Information

You can use the Forest class as well, especially when dealing with forest trusts and multi-domain forests.

The big advantage of PowerShell over NetDom is the ability to automate, with error handling and logging, without any dependencies.
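As an added example (not code from the original post), here is the status check from above turned into an audit of every trust, with the error handling and logging just mentioned, using the Domain class by default or the Forest class with -Forest. The function name Get-TrustSecurityStatus and the output path are my own choices; it assumes a domain-joined host and an account allowed to read trust attributes.

```powershell
# Audit every trust of the current domain (or forest) for SID filtering and
# selective authentication, returning one object per trust.
function Get-TrustSecurityStatus {
    [CmdletBinding()]
    param(
        # Query Forest.GetAllTrustRelationships() instead of the domain-level one
        [switch]$Forest
    )
    $scope = if ($Forest) {
        [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    } else {
        [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    }
    foreach ($trust in $scope.GetAllTrustRelationships()) {
        $target = $trust.TargetName
        # SID filtering and selective authentication are settings of the outbound
        # side of a trust, so they can only be read for Outbound/Bidirectional trusts.
        $queryable = $trust.TrustDirection -ne [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound
        $sidFiltering = $null; $selectiveAuth = $null; $errorText = $null
        if ($queryable) {
            try {
                $sidFiltering  = $scope.GetSidFilteringStatus($target)
                $selectiveAuth = $scope.GetSelectiveAuthenticationStatus($target)
            } catch {
                # e.g. trusted domain unreachable: record it, do not abort the whole run
                $errorText = $_.Exception.Message
            }
        }
        # A trust with SID filtering off honours SIDHistory from the other side;
        # that is the finding a defender wants flagged.
        $finding = if ($queryable -and $sidFiltering -eq $false) { 'SID filtering disabled' }
                   elseif ($errorText) { "Query failed: $errorText" }
                   else { '' }
        [pscustomobject]@{
            Source        = $trust.SourceName
            Target        = $target
            Type          = $trust.TrustType
            Direction     = $trust.TrustDirection
            SidFiltering  = $sidFiltering
            SelectiveAuth = $selectiveAuth
            Finding       = $finding
        }
    }
}

# Usage: keep a dated CSV of each run (assumed log location) and show only the findings
$report = Get-TrustSecurityStatus
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\trust-audit-$(Get-Date -Format yyyyMMdd).csv"
$report | Where-Object { $_.Finding } | Format-Table -AutoSize
```

Comparing two CSVs from different dates shows you when a trust's SID filtering or selective authentication setting was changed.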
