For our trusted corporation workflow we have installed some AD domain trusts like this:
One Active Directory "master domain" with all AD users: Dom-A.extra.com
Five extra Active Directories for different corporations (corp-domains), for computers and groups for file server and domain logon access:
Dom-1.intra
Dom-2.intra
Dom-3.intra
Dom-4.intra
Dom-5.intra
Our working "User<->Group" mapping: a user (from the master domain) is in a domain-local security group (from a corp-domain).
To audit my users and list out their permissions, I need to see all groups for each of them, like:
user-1 (from master-domain..) has group membership:
  Domain: Dom-A.extra.com
    Group: all-chat
    Group: all-pub
    Group: all-vpn
  Domain: Dom-1.intra
    Group: filesrv_A
  Domain: Dom-2.intra
    Group: remote_B
  Domain: Dom-3.intra
    Group: filesrv_C
In the user tab for group membership I can only see domain-local groups, but not the remote groups from the domain trusts.
If I look in the groups of the trusted domains I see the AD users, but this is not really audit-like.
I tested some ps commands like get-adgroupmember, but all of them filter for the user (in the trusted domain there is no user) or show only local groups (on the master domain).
Any suggestions?
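
One way to build the per-domain listing described above, as an added example that is not part of the original post: in each corp-domain a master-domain user appears as a foreignSecurityPrincipal object named after the user's SID, so the groups can be found by searching each domain for groups whose member attribute points at that object. It assumes the ActiveDirectory (RSAT) module, an auditing account that can read all six domains, and the hypothetical function name Get-CrossTrustGroupMembership; it reports direct memberships only.

```powershell
# Added example: requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Domain names as given in the post.
$MasterDomain = 'Dom-A.extra.com'
$CorpDomains  = 'Dom-1.intra','Dom-2.intra','Dom-3.intra','Dom-4.intra','Dom-5.intra'

# Escape a DN for use inside an LDAP filter (RFC 4515); backslash must go first.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\','\5c').Replace('*','\2a').Replace('(','\28').Replace(')','\29')
}

# Hypothetical helper: direct group memberships of one master-domain user
# in the master domain and in every trusting corp-domain.
function Get-CrossTrustGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Server $MasterDomain -Properties SID

    # Master domain: groups that list the user's own DN as a member.
    # (The primary group, e.g. Domain Users, is not stored in 'member'.)
    $dn = ConvertTo-LdapFilterValue $user.DistinguishedName
    Get-ADGroup -LDAPFilter "(member=$dn)" -Server $MasterDomain | ForEach-Object {
        [pscustomobject]@{ User = $user.SamAccountName; Domain = $MasterDomain; Group = $_.Name }
    }

    foreach ($domain in $CorpDomains) {
        try {
            # Corp-domain: the user exists only as CN=<SID> in the
            # ForeignSecurityPrincipals container of that domain.
            $fspContainer = (Get-ADDomain -Server $domain).ForeignSecurityPrincipalsContainer
            $fspDn = ConvertTo-LdapFilterValue "CN=$($user.SID.Value),$fspContainer"
            Get-ADGroup -LDAPFilter "(member=$fspDn)" -Server $domain | ForEach-Object {
                [pscustomobject]@{ User = $user.SamAccountName; Domain = $domain; Group = $_.Name }
            }
        }
        catch {
            # An unreachable domain is reported instead of silently skipped,
            # so the audit output is never mistaken for "no groups there".
            Write-Warning "Could not query ${domain}: $($_.Exception.Message)"
        }
    }
}

# Usage: one block per domain for the sample user named in the post.
Get-CrossTrustGroupMembership -SamAccountName 'user-1' |
    Sort-Object Domain, Group |
    Format-Table -GroupBy Domain -Property Group
```

Groups nested inside the listed groups are not expanded; each result row is a group that names the user (or the user's foreign security principal) directly.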