At a higher level, if you have domain admins in child domain 1 who are not domain admins in child domain 2, and you don't trust them (and by trust them I mean trust them as domain admins of every domain), then you have a fundamental security problem.

A domain admin in any one domain in a forest can easily be a domain admin in every domain if [s]he wants to be.

Thanks,
Brian Desmond
[email protected]
c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

-----Original Message-----
From: Free, Bob [mailto:[email protected]]
Sent: Wednesday, February 25, 2009 12:14 PM
To: NT System Admin Issues
Subject: RE: Can AD child domains establish outside trust without parent permission?

In the absence of 3rd party tools, probably the simplest way to monitor trust creation/modification is via the security log. You want Policy Change auditing enabled and watch for events 610/611/620 in W2K/W2K3. Different events in 08 but you get the idea.

610 - New Trusted Domain
611 - Trusted Domain Removed
620 - Trusted Domain Information Modified

http://technet.microsoft.com/en-us/library/cc781549.aspx

From: Anders Blomgren [mailto:[email protected]]
Sent: Wednesday, February 25, 2009 2:33 AM
To: NT System Admin Issues
Subject: Re: Can AD child domains establish outside trust without parent permission?

Since the forest is the security boundary you can't actually prevent the local domain administrators from forming a direct NTLM trust.

You can use the netdom or nltest command line tools to query each domain for trusts. You can also use adfind or dsquery to search for trustedDomain objects in each domain. They'll be under the System container in the default naming context.

-Anders

On 2/25/09, Jay Kulsh <[email protected]> wrote:

Can AD child domains establish outside trust without permission of admin of the parent/root domain? Can this be prevented? If not, how can we monitor this?

Thanks.

Jay Kulsh
So. Pasadena, CA

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
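The two detection approaches the thread describes, enumerating trustedDomain objects under each domain's System container (Anders) and watching the Security log for trust-change events (Bob), combined into one PowerShell script. This is an added example, not code from any poster on the list. It assumes it runs on a domain-joined host that can reach every DC over LDAP and RPC with rights to read the Security log, and that Policy Change auditing is already enabled as Bob notes; 610/611/620 are the W2K/W2K3 IDs from the thread, while 4706/4707/4716 are their Windows Vista/2008 and later equivalents, which the thread does not list. The helper function names are my own.

```powershell
# Added example (not from the thread): audit every domain in the forest for
# trust objects and trust-change events. Uses .NET DirectoryServices so it does
# not need the ActiveDirectory module.

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Hypothetical helper: LDAP search of CN=System,<domain DN> for trustedDomain
# objects, the same query adfind/dsquery would run.
function Get-TrustedDomainObjects {
    param([System.DirectoryServices.ActiveDirectory.Domain]$Domain)
    $dn = ($Domain.Name -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=System,$dn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=trustedDomain)'
    $searcher.SearchScope = 'OneLevel'
    $null = $searcher.PropertiesToLoad.AddRange(@(
        'trustPartner', 'trustDirection', 'trustType', 'trustAttributes', 'whenCreated', 'whenChanged'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Domain       = $Domain.Name
            TrustPartner = [string]$r.Properties['trustpartner'][0]
            Direction    = [int]$r.Properties['trustdirection'][0]   # 1=inbound 2=outbound 3=both
            Type         = [int]$r.Properties['trusttype'][0]        # 1=downlevel (NTLM) 2=uplevel (Kerberos)
            Attributes   = [int]$r.Properties['trustattributes'][0]  # 0x8 forest trust, 0x20 within forest
            WhenCreated  = $r.Properties['whencreated'][0]
            WhenChanged  = $r.Properties['whenchanged'][0]
        }
    }
}

# 610/611/620 = W2K/W2K3 IDs from the thread; 4706/4707/4716 = Vista/2008+ equivalents
# (new trust created, trust removed, trusted domain information modified).
$trustEventIds = 610, 611, 620, 4706, 4707, 4716

# Hypothetical helper: pull trust-change events from one DC's Security log.
function Get-TrustChangeEvents {
    param([string]$DomainController, [int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = $trustEventIds; StartTime = (Get-Date).AddDays(-$Days) }
    try {
        Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
            Select-Object TimeCreated, Id, MachineName, Message
    } catch {
        # Get-WinEvent raises an error instead of returning nothing when no events match.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$DomainController`: $($_.Exception.Message)"
        }
    }
}

foreach ($domain in $forest.Domains) {
    Write-Host "== $($domain.Name) =="
    # Intra-forest (parent/child) trusts carry the 0x20 bit; everything else is a
    # trust someone created by hand and should match your inventory.
    Get-TrustedDomainObjects -Domain $domain |
        Where-Object { ($_.Attributes -band 0x20) -eq 0 } |
        Format-Table -AutoSize
    foreach ($dc in $domain.DomainControllers) {
        Get-TrustChangeEvents -DomainController $dc.Name | Format-Table -AutoSize
    }
}
```

Run it on a schedule and diff the trust inventory against the previous run; the event query only covers the last seven days by default, and trust events are logged on the DC where the change was made, which is why the script walks every DC rather than only the PDC emulator.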
