Is my AD trust being used at all...

  • 117 Views
  • Last Post 28 December 2017
JakobTrier posted this 05 December 2017

Imagine that you have Forest A and Forest B with one domain in each.
And there is a two-way trust between the two domains.
There are a lot of users in both domains who make use of services in their own domain.
And there used to be people in both domains making use of services in the other domain, but you are not sure if there are still any such users.
How would it be possible to identify users making use of the trust?
A user from the domain in Forest A could access services in Forest B using an account in Forest B. So I cannot make sure the trust is not being used by looking at what IPs traffic to the domain controllers in each domain is coming from.
Is there a way to enable some logging on the domain controllers that can identify if the trust is being used and by whom?
I am also concerned about the ability to catch users from one domain being members of groups in the other domain...
Brgds Jakob

JakobTrier posted this 25 December 2017

Imagine that you have Forest A and Forest B with one domain in each.
And there is a two-way trust between the two domains.
There are a lot of users in both domains who make use of services in their own domain.
And there used to be people in both domains making use of services in the other domain, but you are not sure if there are still any such users.
How would it be possible to identify users making use of the trust?
A user from the domain in Forest A could access services in Forest B using an account in Forest B. So I cannot make sure the trust is not being used by looking at what IPs traffic to the domain controllers in each domain is coming from.
Is there a way to enable some logging on the domain controllers that can identify if the trust is being used and by whom?
Brgds Jakob

kurtbuff posted this 26 December 2017

I'd expect that event ID 4624 would log what you need:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624

Since it logs not just the account, but also the domain, that should provide the needed data.

Kurt
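As an added worked example (not part of Kurt's reply), the PowerShell below pulls event 4624 from a server's Security log, reads the TargetDomainName and TargetUserName fields Kurt refers to, and summarises every logon whose account domain is not the local one, so accounts authenticating from the other side of the trust stand out. The domain names and the seven-day window are assumptions to adjust.

```powershell
# Added example: summarise 4624 logons by account domain to spot use of a trust.
# Assumes it runs on the server whose Security log is being inspected, with read
# access to that log. The domain names and the time window are placeholders.
$LocalDomain = $env:USERDOMAIN               # NetBIOS name of this domain, e.g. FORESTB
$Since       = (Get-Date).AddDays(-7)

# Pseudo-domains that appear in TargetDomainName but have nothing to do with the trust.
$IgnoreDomains = @($env:COMPUTERNAME, 'NT AUTHORITY', 'Window Manager',
                   'Font Driver Host', 'NT VIRTUAL MACHINE')

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction Stop

# Turn each event's EventData into a flat object with the fields we care about.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Domain      = $data['TargetDomainName']
        User        = $data['TargetUserName']
        LogonType   = $data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
        SourceIP    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

# Keep only logons where the account's domain is neither this domain nor a pseudo-domain,
# and drop computer accounts (names ending in $) so only people and service accounts remain.
$foreign = $rows | Where-Object {
    $_.Domain -and
    $_.Domain -ne $LocalDomain -and
    $IgnoreDomains -notcontains $_.Domain -and
    $_.User -notlike '*$'
}

# One line per (domain, user): how often, when first and last seen, and from where.
$foreign |
    Group-Object Domain, User |
    ForEach-Object {
        [pscustomobject]@{
            Domain    = $_.Group[0].Domain
            User      = $_.Group[0].User
            Logons    = $_.Count
            FirstSeen = ($_.Group | Measure-Object Time -Minimum).Minimum
            LastSeen  = ($_.Group | Measure-Object Time -Maximum).Maximum
            Sources   = ($_.Group.SourceIP | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object Logons -Descending |
    Format-Table -AutoSize
```

Event 4624 is written on the machine where the logon happens, so a domain controller's log only shows logons to that DC; to see trust use against file, web or application servers, run this on each of those servers or forward their Security logs to a collector first. An empty result over a period long enough to cover month-end and quarterly jobs is the evidence that the trust is idle; a single account with a steady logon count is the thing to chase before the trust is removed.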


ken posted this 26 December 2017

If a user from ForestA is using an account from ForestB, to access resources in ForestB, then the simplest solution would be (IMHO):

  • Implement a policy that users must use an account from their primary domain. Then disable the accounts in ForestB, thus forcing use of accounts from ForestA, and enable auditing as required
  • If that’s not possible, you will probably need to comb through logon events in ForestB, looking for known accounts that correspond to users in ForestA.

Regards

Ken

stevelane85 posted this 28 December 2017

Check for user in a group in a different domain:
https://stackoverflow.com/questions/29394568/check-for-user-in-a-group-in-a-different-domain

Monitoring User Logons in a Domain Using Native Auditing:
https://www.lepide.com/how-to/monitor-user-logons-in-domain.html
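Added example, not taken from either linked article, that addresses the group-membership half of the question: when an account from a trusted domain is added to a group in this domain, the directory stores it as a foreignSecurityPrincipal object under CN=ForeignSecurityPrincipals, and that object's memberOf attribute lists the local groups it belongs to. The function below enumerates those objects, resolves each SID back to its DOMAIN\name through the trust, and reports the groups. It assumes the ActiveDirectory (RSAT) module and read access to the directory; the function name is my own.

```powershell
# Added example: list groups in this domain that contain principals from a trusted domain.
# Assumes the ActiveDirectory module is installed and the caller can read the directory.
Import-Module ActiveDirectory

function Get-ForeignGroupMember {
    $domain       = Get-ADDomain
    $fspContainer = "CN=ForeignSecurityPrincipals,$($domain.DistinguishedName)"

    $fsps = Get-ADObject -SearchBase $fspContainer -SearchScope OneLevel `
                -LDAPFilter '(objectClass=foreignSecurityPrincipal)' `
                -Properties memberOf, objectSid

    foreach ($fsp in $fsps) {
        # Well-known SIDs (S-1-5-4 INTERACTIVE, S-1-5-11 Authenticated Users, ...) also live
        # here; only S-1-5-21-* SIDs belong to accounts in a (trusted) domain.
        if ($fsp.objectSid.Value -notlike 'S-1-5-21-*') { continue }

        # Resolve the SID through the trust. Failure means the trust is unreachable or the
        # source account no longer exists, leaving an orphaned entry worth cleaning up.
        try {
            $name = $fsp.objectSid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = "<unresolved>"
        }

        foreach ($groupDn in $fsp.memberOf) {
            [pscustomobject]@{
                ForeignAccount = $name
                SID            = $fsp.objectSid.Value
                Group          = $groupDn
            }
        }
    }
}

Get-ForeignGroupMember | Sort-Object Group, ForeignAccount | Format-Table -AutoSize
```

Only domain local groups (and the Builtin groups) can hold members from another forest, so this is the complete list of cross-forest memberships granted in this domain; run the same function in the other forest to see the reverse direction. Entries that come back as unresolved are memberships that still grant nothing but would silently start working again if the source account were recreated with the same SID history, so they are the first thing to remove.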