I recently received an email asking how to find old trusts. I sent back an AdFind query that will list all trusts and when they last had a password change. That query is
adfind -default -rb cn=users -f "&(objectcategory=person)(name=*$)" pwdlastset -tdcd -sort pwdlastset
The command looks in the Users container of the default domain and looks for any users with a name that ends in $, which will be your trusts unless you have monkeyed around with placing $ on the end of user names and keep them in your Users container. It then outputs the pwdlastset attribute with my delta format output, which looks like…
pwdLastSet: 2009/08/16-17:18:18 Eastern Daylight Time (-3 days 21 hours 17 minutes 47 seconds)
In this example, the password was changed almost 4 days ago.
Next I added a switch to force a sort on the attribute so that things come out in sorted order oldest to newest.
Anything that is older than 30 days is an old trust that is not being maintained as the passwords should be updated at least every 30 days.
As I write this, I realize I could have given an even better answer by having the LDAP query filter out any trusts with a password that was newer than 30 days like so…
adfind -default -rb cn=users -binenc -f "&(objectcategory=person)(name=*$)(pwdlastset<={{CURRENT:-31d}})" pwdlastset -tdcd -sort pwdlastset
This adds another switch, -binenc, which tells AdFind to look at the LDAP query and make some modifications based on string matches, and adds another component to the filter so that only trusts whose password was set 31 or more days ago are returned.
If you need to look at a specific domain, add -h domainname to the command and it will go to that domain instead.
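To show what the query above is doing underneath, here is an added example (not part of this post, and not AdFind code) that works on raw pwdLastSet values. It assumes the attribute comes back as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), which is what an LDAP client sees before AdFind's -tdcd decoding; it builds the literal threshold that {{CURRENT:-31d}} stands in for, renders the age in the same "-3 days 21 hours ..." delta style, and flags trust accounts past the 30-day rotation window. The account names and timestamps are constructed sample data.

```python
"""Stale-trust check over raw pwdLastSet values (added example, not from the post).

Assumption: pwdLastSet is a Windows FILETIME, i.e. 100-nanosecond ticks since
1601-01-01 00:00 UTC. All sample records below are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# From the post: trust passwords should be updated at least every 30 days.
MAX_TRUST_PASSWORD_AGE = timedelta(days=30)


def utc(year, month, day, hour=0, minute=0, second=0) -> datetime:
    """Small helper so sample timestamps are unambiguous UTC values."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Decode a FILETIME into an aware UTC datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as a FILETIME tick count."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def stale_trust_filter(now: datetime, days: int = 31) -> str:
    """Build the LDAP filter the -binenc form expands to: the relative
    {{CURRENT:-31d}} token becomes a literal FILETIME, and pwdLastSet<=threshold
    keeps only accounts whose password was set at least `days` ago."""
    threshold = datetime_to_filetime(now - timedelta(days=days))
    return f"(&(objectCategory=person)(name=*$)(pwdLastSet<={threshold}))"


def is_trust_account(name: str) -> bool:
    """Same heuristic as the post's (name=*$) clause: trust accounts end in $."""
    return name.endswith("$")


def format_age(age: timedelta) -> str:
    """Render an age like the post's delta output, e.g. '-3 days 21 hours 17 minutes 47 seconds'."""
    hours, rem = divmod(age.seconds, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"-{age.days} days {hours} hours {minutes} minutes {seconds} seconds"


def stale_trusts(records, now: datetime):
    """records: iterable of (name, pwdLastSet ticks).
    Returns [(name, age)] for trust accounts older than the 30-day window,
    oldest first (the order the post's -sort pwdlastset produces)."""
    out = []
    for name, ticks in records:
        if not is_trust_account(name):
            continue
        age = now - filetime_to_datetime(ticks)
        if age > MAX_TRUST_PASSWORD_AGE:
            out.append((name, age))
    out.sort(key=lambda rec: rec[1], reverse=True)
    return out


# Constructed sample data. NOW is chosen so the first record reproduces the
# post's example delta (2009/08/16-17:18:18 EDT is 21:18:18 UTC).
NOW = utc(2009, 8, 20, 18, 36, 5)
SAMPLE_RECORDS = [
    ("FRESHTRUST$", datetime_to_filetime(utc(2009, 8, 16, 21, 18, 18))),  # 3 days old: fine
    ("STALETRUST$", datetime_to_filetime(utc(2009, 7, 1))),              # ~50 days old
    ("OLDTRUST$", datetime_to_filetime(utc(2008, 12, 25))),              # months old
    ("Administrator", datetime_to_filetime(utc(2005, 1, 1))),            # no trailing $: skipped
]

if __name__ == "__main__":
    print("filter:", stale_trust_filter(NOW))
    for name, age in stale_trusts(SAMPLE_RECORDS, NOW):
        print(f"{name}: ({format_age(age)})")
```

The `<=` comparison against a threshold 31 days in the past is why the -binenc version returns the old trusts rather than the fresh ones; anything whose pwdLastSet is newer than the threshold is a larger FILETIME and drops out of the result.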
joe