get-adobject – Carl Webster https://www.carlwebster.com The Accidental Citrix Admin - The site for those who find themselves supporting Citrix involuntarily or accidentally Mon, 21 Apr 2014 13:06:56 +0000 en hourly 1 https://wordpress.org/?v=6.8.2 42228915 Finding Domain Trusts in an Active Directory Forest using Microsoft PowerShell https://www.carlwebster.com/finding-domain-trusts-active-directory-forest-using-microsoft-powershell/ https://www.carlwebster.com/finding-domain-trusts-active-directory-forest-using-microsoft-powershell/#comments Mon, 21 Apr 2014 13:06:56 +0000 https://www.carlwebster.com/?p=7066 For my Active Directory (AD) documentation script, I needed to enumerate all Trusts for a Domain. I found a script on TechNet but it had issues. I fixed the issues but I cannot post it as a solution on TechNet because my script is longer than 2000 characters.

I found the original script here.

My issues with the original script are:

  • No error checking
  •  Did not handle singletons
  •  Did not use its $DomainDNS variable in the Get-ADObject call to specify which domain to restrict the trusts
  •  The $TrustAttributesNumber variable used decimal values instead of hexadecimal values (i.e. 20 instead of 32)
  •  The $TrustAttributesNumber variable did not have a value for Inter-Forest trusts (hex 64)
  •  The Switch statements did not use Default but used an If statement after the Switch statement to set the Default value

Here is my version of the script.

#http://gallery.technet.microsoft.com/scriptcenter/Enumerate-Domain-Trusts-25ecb802#content
Import-module ActiveDirectory
$Domains = (Get-ADForest).Domains

If($? -and $Domains -ne $Null)
{
	ForEach($Domain in $Domains)
	{ 
		Write-output "Get list of AD Domain Trusts in $Domain `r"; 
		$ADDomainTrusts = Get-ADObject -Filter {ObjectClass -eq "trustedDomain"} -Server $Domain -Properties * -EA 0

		If($? -and $ADDomainTrusts -ne $Null)
		{
			If($ADDomainTrusts -is [array])
			{
				[int]$ADDomainTrustsCount = $ADDomainTrusts.Count 
			}
			Else
			{
				[int]$ADDomainTrustsCount = 1
			}
			
			Write-Output "Discovered $ADDomainTrustsCount trusts in $Domain" 
			
			ForEach($Trust in $ADDomainTrusts) 
			{ 
				$TrustName = $Trust.Name 
				$TrustDescription = $Trust.Description 
				$TrustCreated = $Trust.Created 
				$TrustModified = $Trust.Modified 
				$TrustDirectionNumber = $Trust.TrustDirection
				$TrustTypeNumber = $Trust.TrustType
				$TrustAttributesNumber = $Trust.TrustAttributes

				#http://msdn.microsoft.com/en-us/library/cc220955.aspx
				#no values are defined at the above link
				Switch ($TrustTypeNumber) 
				{ 
					1 { $TrustType = "Downlevel (Windows NT domain external)"} 
					2 { $TrustType = "Uplevel (Active Directory domain - parent-child, root domain, shortcut, external, or forest)"} 
					3 { $TrustType = "MIT (non-Windows) Kerberos version 5 realm"} 
					4 { $TrustType = "DCE (Theoretical trust type - DCE refers to Open Group's Distributed Computing Environment specification)"} 
					Default { $TrustType = $TrustTypeNumber }
				} 

				#http://msdn.microsoft.com/en-us/library/cc223779.aspx
				Switch ($TrustAttributesNumber) 
				{ 
					1 { $TrustAttributes = "Non-Transitive"} 
					2 { $TrustAttributes = "Uplevel clients only (Windows 2000 or newer"} 
					4 { $TrustAttributes = "Quarantined Domain (External)"} 
					8 { $TrustAttributes = "Forest Trust"} 
					16 { $TrustAttributes = "Cross-Organizational Trust (Selective Authentication)"} 
					32 { $TrustAttributes = "Intra-Forest Trust (trust within the forest)"} 
					64 { $TrustAttributes = "Inter-Forest Trust (trust with another forest)"} 
					Default { $TrustAttributes = $TrustAttributesNumber }
				} 
				 
				#http://msdn.microsoft.com/en-us/library/cc223768.aspx
				Switch ($TrustDirectionNumber) 
				{ 
					0 { $TrustDirection = "Disabled (The trust relationship exists but has been disabled)"} 
					1 { $TrustDirection = "Inbound (TrustING domain)"} 
					2 { $TrustDirection = "Outbound (TrustED domain)"} 
					3 { $TrustDirection = "Bidirectional (two-way trust)"} 
					Default { $TrustDirection = $TrustDirectionNumber }
				}
					   
				Write-output "`tTrust Name: $TrustName `r " 
				Write-output "`tTrust Description: $TrustDescription `r " 
				Write-output "`tTrust Created: $TrustCreated `r " 
				Write-output "`tTrust Modified: $TrustModified  `r " 
				Write-output "`tTrust Direction: $TrustDirection `r " 
				Write-output "`tTrust Type: $TrustType `r " 
				Write-output "`tTrust Attributes: $TrustAttributes `r " 
				Write-output " `r " 
			}
		}
		ElseIf(!$?)
		{
			#error retrieving domain trusts
			Write-output "Error retrieving domain trusts for $Domain"
		}
		Else
		{
			#no domain trust data
			Write-output "No domain trust data for $Domain"
		}
	} 
}
ElseIf(!$?)
{
	#error retrieving domains
	Write-output "Error retrieving domains"
}
Else
{
	#no domain data
	Write-output "No domain data"
}

The original script only processed the domain in which the user was running the script. I changed it to process all domains in the forest.

I am using Write-Output as that is what the original script uses. I will update this code to work in my script using my normal output routines.

Thanks

Webster

]]> https://www.carlwebster.com/finding-domain-trusts-active-directory-forest-using-microsoft-powershell/feed/ 15 7066