In the absence of 3rd party tools, probably the simplest way to monitor trust creation/modification is via the security log. You want Policy Change auditing enabled and watch for events 610/611/620 in W2K/W2K3. Different events in 08 but you get the idea.

610 - New Trusted Domain
611 - Trusted Domain Removed
620 - Trusted Domain Information Modified

http://technet.microsoft.com/en-us/library/cc781549.aspx

From: Anders Blomgren [mailto:[email protected]]
Sent: Wednesday, February 25, 2009 2:33 AM
To: NT System Admin Issues
Subject: Re: Can AD child domains establish outside trust without parent permission?

Since the forest is the security boundary you can't actually prevent the local domain administrators from forming a direct NTLM trust. You can use the netdom or nltest command line tools to query each domain for trusts. You can also use adfind or dsquery to search for trustedDomain objects in each domain. They'll be under the System container in the default naming context.

-Anders

On 2/25/09, Jay Kulsh <[email protected]> wrote:

Can AD child domains establish outside trust without permission of admin of the parent/root domain? Can this be prevented? If not, how can we monitor this?

Thanks.

Jay Kulsh
So. Pasadena, CA

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
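The two monitoring approaches in this thread (searching each domain's System container for trustedDomain objects, and watching the Security log for the Policy Change trust events) combined into one script. This is an added example, not code from anyone on the list. It assumes it runs on a domain-joined Windows host with PowerShell 2.0 or later, with rights to read LDAP and the Security log on every domain controller in the forest; no ADDS module is needed because it uses plain ADSI. The 2008-era event IDs 4706/4707/4716 (the legacy IDs plus 4096) are included so the same filter works on newer DCs; the thread only lists the W2K/W2K3 numbers.

```powershell
# Added example: inventory trustedDomain objects in every forest domain and
# pull trust-related Policy Change audit events from each DC's Security log.
# Assumes ADSI/LDAP and remote event log read access; no AD module required.

# Event IDs named in the thread for W2K/W2K3, plus the Vista/2008 equivalents
# (legacy ID + 4096) so the same filter applies to newer domain controllers.
$TrustEventIds = @(610, 611, 620, 4706, 4707, 4716)

function Get-TrustedDomainObjects {
    # Search CN=System in the domain's default naming context for
    # trustedDomain objects, the same query adfind/dsquery would run.
    param([string]$DomainDnsName)
    $rootDse  = [ADSI]"LDAP://$DomainDnsName/RootDSE"
    $nc       = $rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DomainDnsName/CN=System,$nc"
    $searcher.Filter     = "(objectClass=trustedDomain)"
    [void]$searcher.PropertiesToLoad.AddRange(@(
        "trustPartner", "trustDirection", "trustType", "trustAttributes", "whenCreated"))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Domain          = $DomainDnsName
            TrustPartner    = [string]$r.Properties["trustpartner"][0]
            TrustDirection  = [int]$r.Properties["trustdirection"][0]     # 1=inbound 2=outbound 3=both
            TrustType       = [int]$r.Properties["trusttype"][0]          # 1=downlevel(NT) 2=uplevel(AD)
            TrustAttributes = [int]$r.Properties["trustattributes"][0]    # bit flags, e.g. 0x20 = within forest
            WhenCreated     = $r.Properties["whencreated"][0]
        }
    }
}

function Get-TrustAuditEvents {
    # Trust events are logged on the DC that processed the change, so the
    # Security log of every DC in the domain has to be checked, not just one.
    param([string]$DomainControllerName, [int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-EventLog -LogName Security -ComputerName $DomainControllerName -After $since |
        Where-Object { $TrustEventIds -contains $_.EventID } |
        Select-Object @{n="DC";e={$DomainControllerName}}, TimeGenerated, EventID, Message
}

# Walk every domain in the current forest (child domains included) and
# report both the current trust objects and any recent trust audit events.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($domain in $forest.Domains) {
    Write-Host "=== Trusts in $($domain.Name) ==="
    Get-TrustedDomainObjects -DomainDnsName $domain.Name |
        Format-Table Domain, TrustPartner, TrustDirection, TrustType, TrustAttributes, WhenCreated -AutoSize

    Write-Host "=== Trust audit events (last 7 days) in $($domain.Name) ==="
    foreach ($dc in $domain.DomainControllers) {
        try {
            Get-TrustAuditEvents -DomainControllerName $dc.Name |
                Format-Table DC, TimeGenerated, EventID -AutoSize
        } catch {
            Write-Warning "Could not read Security log on $($dc.Name): $_"
        }
    }
}
```

Running this on a schedule and diffing the trustedDomain inventory against the previous run is the cheapest way to catch a child-domain administrator creating an external trust without involving the forest root; the event log pass only helps if Policy Change auditing is actually enabled on every DC, which is worth verifying before relying on it.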
