The world's most trusted forum on Active Directory Security
One of the other things we are looking at is to identify all trusts on whom SID Filtering may be turned off. We understand the implications of SID Filtering being turned off, and thus want to ensure and just check on a periodic basis as to if this setting may have changed on any of our external trusts.
If you guys monitor this on a periodic basis, could you please let me know how you do so in an efficient manner? I don't particularly like opening up the Trust Management MMC and looking at each trust individually each time we need to do so.
Yes, you can perform a simple LDAP search looking for TrustedDomain objects with the right parameters to make this determination. This shouldn't take too long once you know what parameter-value combination to specify as the search criteria.
“If you can't explain it simply, you don't understand it well enough” - Albert Einstein
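One way to script the LDAP check described in the reply above, as an added example that is not from any poster in this thread. It assumes the `trustAttributes` and `trustDirection` bit values documented in MS-ADTS; the function name, output labels and sample trust objects are hypothetical and constructed for illustration.

```powershell
# Added example: classify SID filtering state from trustedDomain attributes.
# Flag values are the trustAttributes/trustDirection bits documented in MS-ADTS.
function Get-TrustSidFilterState {
    param([Parameter(ValueFromPipeline)] $Trust)
    begin {
        $Quarantined     = 0x04  # TRUST_ATTRIBUTE_QUARANTINED_DOMAIN: SID filtering on
        $ForestTrust     = 0x08  # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
        $WithinForest    = 0x20  # TRUST_ATTRIBUTE_WITHIN_FOREST
        $TreatAsExternal = 0x40  # TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL: SID history allowed
        $Outbound        = 0x02  # trustDirection bit: this domain trusts the partner
    }
    process {
        $attr = [int]$Trust.trustAttributes   # a missing attribute becomes 0
        $dir  = [int]$Trust.trustDirection
        $kind = if ($attr -band $WithinForest) { 'IntraForest' }
                elseif ($attr -band $ForestTrust) { 'Forest' }
                else { 'External' }
        $state =
            if (-not ($dir -band $Outbound)) {
                'InboundOnly'            # filtering is enforced by the partner's DCs
            } elseif ($attr -band $Quarantined) {
                'Enabled'
            } elseif ($kind -eq 'Forest' -and -not ($attr -band $TreatAsExternal)) {
                'Enabled'                # forest trusts filter unless relaxed
            } elseif ($kind -eq 'Forest') {
                'Relaxed'                # SID history allowed across the forest trust
            } else {
                'Disabled'               # external or intra-forest, not quarantined
            }
        [pscustomobject]@{
            Partner         = $Trust.trustPartner
            Kind            = $kind
            SidFiltering    = $state
            TrustAttributes = '0x{0:X2}' -f $attr
        }
    }
}

# Constructed sample objects standing in for LDAP results (not real trusts).
$sample = @(
    [pscustomobject]@{ trustPartner = 'partner-a.example'; trustDirection = 3; trustAttributes = 0x04 }
    [pscustomobject]@{ trustPartner = 'partner-b.example'; trustDirection = 2; trustAttributes = 0x00 }
    [pscustomobject]@{ trustPartner = 'forest-c.example';  trustDirection = 3; trustAttributes = 0x48 }
    [pscustomobject]@{ trustPartner = 'partner-d.example'; trustDirection = 1; trustAttributes = 0x00 }
)
$sample | Get-TrustSidFilterState | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
#   -Properties trustPartner,trustDirection,trustAttributes | Get-TrustSidFilterState
```

Saving each run's output and diffing it against the previous run gives the periodic change check the original question asks for.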
Have you looked at adfind? It's a really nifty utility and I'm almost certain could help you identify all trusts for which SID Filtering is turned off.
If you haven't looked at it, I'd consider giving it a shot.
Have you considered adinfo? It is a free tool, much like adfind, but with a UI, and could help you identify all trusts for which SID Filtering is turned off.
Guys, in case you can't decide between adinfo and adfind, there's a good discussion here.