Recipe 2.19 Viewing the Trusts for a Domain

2.19.1 Problem

You want to view the trusts for a domain.

2.19.2 Solution

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in.

  2. In the left pane, right-click the domain you want to view and select Properties.

  3. Click on the Trusts tab.

Using a command-line interface

> netdom query trust /Domain:<DomainDNSName>

Using VBScript

' This code prints the trusts for the specified domain.
strDomain = "<DomainDNSName>"   ' e.g.
' ------ END CONFIGURATION ---------

' Trust Direction Constants taken from NTSecAPI.h
set objTrustDirectionHash = CreateObject("Scripting.Dictionary")
objTrustDirectionHash.Add "DIRECTION_DISABLED", 0
objTrustDirectionHash.Add "DIRECTION_INBOUND",  1
objTrustDirectionHash.Add "DIRECTION_OUTBOUND", 2
objTrustDirectionHash.Add "DIRECTION_BIDIRECTIONAL", 3

' Trust Type Constants - taken from NTSecAPI.h
set objTrustTypeHash = CreateObject("Scripting.Dictionary")
objTrustTypeHash.Add "TYPE_DOWNLEVEL", 1
objTrustTypeHash.Add "TYPE_UPLEVEL", 2
objTrustTypeHash.Add "TYPE_MIT", 3
objTrustTypeHash.Add "TYPE_DCE", 4

' Trust Attribute Constants - taken from NTSecAPI.h
set objTrustAttrHash = CreateObject("Scripting.Dictionary")

set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objTrusts  = GetObject("LDAP://cn=System," & _
                            objRootDSE.Get("defaultNamingContext") )
objTrusts.Filter = Array("trustedDomain")
Wscript.Echo "Trusts for " & strDomain & ":"

' Walk every trustedDomain object and translate its integer values to names.
for each objTrust in objTrusts
   for each strFlag In objTrustDirectionHash.Keys
      if objTrustDirectionHash(strFlag) = objTrust.Get("trustDirection") then
         strTrustInfo = strTrustInfo & strFlag & " "
      end If
   next

   for each strFlag In objTrustTypeHash.Keys
      if objTrustTypeHash(strFlag) = objTrust.Get("trustType") then 
         strTrustInfo = strTrustInfo & strFlag & " "
      end If
   next

   for each strFlag In objTrustAttrHash.Keys
      if objTrustAttrHash(strFlag) = objTrust.Get("trustAttributes") then 
         strTrustInfo = strTrustInfo & strFlag & " "
      end If
   next

   WScript.Echo " " & objTrust.Get("trustPartner") & " : " & strTrustInfo
   strTrustInfo = ""
next

2.19.3 Discussion

Using a graphical user interface

You can view the properties of a particular trust by clicking on a trust and clicking the Properties button.

Using a command-line interface

You can include the /Direct switch if you want to view only direct-trust relationships. If you don't use /Direct, implicit trusts that occur due to transitive-trust relationships will also be listed.

Using VBScript

This script uses dictionary objects to ease the mapping of the various integer values for attributes, such as trustType and trustDirection, to descriptive names. A dictionary object in VBScript is analogous to a hash or associative array in other programming languages. The Add method accepts a key and value pair to add to the dictionary. The Keys method returns the keys of the dictionary as a collection. To access a value of the dictionary, you simply pass the key name as a parameter to the dictionary object, such as objDictionary( strKey ).
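The same mapping in PowerShell, as an added example that is not from the book. It goes one step further than the script: trustAttributes is a bit mask, so each bit is tested separately and any bit without a name in the table is reported. The function name, the sample records, and the attribute table (the TRUST_ATTRIBUTE_* values from NTSecAPI.h) are assumptions of this example.

```powershell
# Added example, not from the book. Sample records at the bottom are constructed.
$DirectionNames = @{ 0 = 'DISABLED'; 1 = 'INBOUND'; 2 = 'OUTBOUND'; 3 = 'BIDIRECTIONAL' }
$TypeNames      = @{ 1 = 'DOWNLEVEL'; 2 = 'UPLEVEL'; 3 = 'MIT'; 4 = 'DCE' }
# TRUST_ATTRIBUTE_* bit values from NTSecAPI.h (not listed in the recipe's script).
$AttributeBits  = [ordered]@{
    NON_TRANSITIVE     = 0x1
    UPLEVEL_ONLY       = 0x2
    QUARANTINED_DOMAIN = 0x4
    FOREST_TRANSITIVE  = 0x8
}

function ConvertTo-TrustDescription {
    param(
        [Parameter(Mandatory)] [string] $TrustPartner,
        [Parameter(Mandatory)] [int]    $TrustDirection,
        [Parameter(Mandatory)] [int]    $TrustType,
        [int] $TrustAttributes = 0
    )
    # trustDirection and trustType hold a single value each: plain lookup.
    $direction = if ($DirectionNames.ContainsKey($TrustDirection)) {
        $DirectionNames[$TrustDirection] } else { "UNKNOWN($TrustDirection)" }
    $type = if ($TypeNames.ContainsKey($TrustType)) {
        $TypeNames[$TrustType] } else { "UNKNOWN($TrustType)" }
    # trustAttributes is a bit mask: test each bit, then report what is left.
    $flags = @()
    $remaining = $TrustAttributes
    foreach ($entry in $AttributeBits.GetEnumerator()) {
        if ($TrustAttributes -band $entry.Value) {
            $flags += $entry.Key
            $remaining = $remaining -band (-bnot $entry.Value)
        }
    }
    if ($remaining -ne 0) { $flags += ('UNNAMED_0x{0:X}' -f $remaining) }
    $attrText = if ($flags) { $flags -join ', ' } else { '(none)' }

    [pscustomobject]@{ Partner = $TrustPartner; Direction = $direction
                       Type = $type; Attributes = $attrText }
}

# Constructed values, shaped like the attributes of trustedDomain objects.
$samples = @(
    @{ TrustPartner = 'child.example.com';   TrustDirection = 3; TrustType = 2; TrustAttributes = 0 }
    @{ TrustPartner = 'partner.example.net'; TrustDirection = 2; TrustType = 2; TrustAttributes = 0x5 }
    @{ TrustPartner = 'LEGACYDOM';           TrustDirection = 1; TrustType = 1; TrustAttributes = 0x41 }
)
foreach ($s in $samples) { ConvertTo-TrustDescription @s }
```

When reviewing the output, an UNNAMED_ entry means the value carries a bit that this table does not define, which is worth checking against the current header before drawing conclusions about the trust.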

Another option to query trusts programmatically is with the Trustmon WMI Provider. The Trustmon Provider is new to Windows Server 2003. See Recipe 2.20 for an example.

2.19.4 See Also

The Introduction at the beginning of this chapter for attributes of trustedDomain objects, Recipe 2.20 for another way to query trusts programmatically, MS KB 228477 (HOW TO: Determine Trust Relationship Configurations), and MSDN: TRUSTED_DOMAIN_INFORMATION_EX
