Jan. 14, 2011, 5:02 p.m.
posted by sensei
New to Windows Server 2003 is the Trustmon WMI provider. The Trustmon provider allows you to query the list of trusts known to a domain controller and determine whether they are working correctly. The Trustmon provider consists of three classes, but the primary one is the Microsoft_DomainTrustStatus class, which represents each trust the domain controller knows about. The Trustmon provider is contained under the root\MicrosoftActiveDirectory namespace. Note that this namespace is different from the one used by the Active Directory provider, which is contained under root\directory\ldap.
Figure provides a list of the property methods available to this class.
As you can see from Figure, the Microsoft_DomainTrustStatus class provides just about all the information you'd want to know concerning a trust. The following example shows how easy it is to enumerate all the trusts using this class:
strComputer = "."
Set objWMI = GetObject("winmgmts:\\" & strComputer & _
    "\root\MicrosoftActiveDirectory")
Set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus")
For Each objTrust In objTrusts
    WScript.Echo objTrust.TrustedDomain
    WScript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    WScript.Echo " TrustedDCName: " & objTrust.TrustedDCName
    WScript.Echo " TrustedDirection: " & objTrust.TrustDirection
    WScript.Echo " TrustIsOk: " & objTrust.TrustIsOK
    WScript.Echo " TrustStatus: " & objTrust.TrustStatus
    WScript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    WScript.Echo " TrustType: " & objTrust.TrustType
    WScript.Echo ""
Next
WScript.Echo "The script has completed successfully."
Next, let's illustrate a script that finds any trust that has some kind of failure. All we need to do is modify the WQL query in the previous example to include a where TrustIsOk = False clause. We then print out the TrustStatusString property, which returns a description of the failure:
strComputer = "."
Set objWMI = GetObject("winmgmts:\\" & strComputer & _
    "\root\MicrosoftActiveDirectory")
Set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus " & _
    "where TrustIsOk = False ")
If objTrusts.Count = 0 Then
    WScript.Echo "There are no trust failures"
Else
    For Each objTrust In objTrusts
        WScript.Echo objTrust.TrustedDomain & " - " & objTrust.TrustStatusString
        WScript.Echo ""
    Next
End If
WScript.Echo "The script has completed successfully."
One of the neat features of the Trustmon provider is that it is configurable. Through WMI, you can modify what type of checks it does to determine trust failures and also how long to cache information it retrieves. All of this is done with the Microsoft_TrustProvider class. Figure contains a list of all property methods for this class.
Now we will show a simple script that changes the default settings for the Trustmon provider. In the following example, we set TrustListLifetime to 15 minutes, TrustStatusLifetime to five minutes, and TrustCheckLevel to 1:
strComputer = "."
' Microsoft_TrustProvider is a singleton, so it is bound with the "=@" key
Set objTrustProv = GetObject("winmgmts:\\" & strComputer & _
    "\root\MicrosoftActiveDirectory:Microsoft_TrustProvider=@")
objTrustProv.TrustListLifetime = 15    ' 15 minutes
objTrustProv.TrustStatusLifetime = 5   ' 5 minutes
objTrustProv.TrustCheckLevel = 1       ' Enumerate with SC_QUERY
objTrustProv.Put_                      ' Commit the changes to the provider
WScript.Echo "The script has completed successfully."
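The three VBScript examples above (enumerate trusts, list the failed ones, tune the provider cache) rolled into one PowerShell script, added here as an example and not part of the original post. It assumes the namespace, class and property names given in the post; the TRUST_DIRECTION_* and TRUST_ATTRIBUTE_* bit values used to decode TrustDirection and TrustAttributes are the documented Win32 constants and are not listed on this page.

```powershell
# Added example, not from the original post. Run on a DC that hosts the
# Trustmon provider. Assumed: Win32 TRUST_DIRECTION_* / TRUST_ATTRIBUTE_*
# constants for decoding the numeric fields (not given in the post).
$ns = 'root\MicrosoftActiveDirectory'

# TRUST_ATTRIBUTE_* bit flags; QUARANTINED_DOMAIN means SID filtering is on,
# CROSS_ORGANIZATION means selective authentication is on.
$attrFlags = [ordered]@{
    0x1  = 'NON_TRANSITIVE'
    0x2  = 'UPLEVEL_ONLY'
    0x4  = 'QUARANTINED_DOMAIN'
    0x8  = 'FOREST_TRANSITIVE'
    0x10 = 'CROSS_ORGANIZATION'
    0x20 = 'WITHIN_FOREST'
    0x40 = 'TREAT_AS_EXTERNAL'
}
$directions = @{ 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function Get-TrustReport {
    # Every trust the DC knows about, with direction/attributes decoded.
    Get-CimInstance -Namespace $ns -ClassName Microsoft_DomainTrustStatus |
        ForEach-Object {
            $attrs = $_.TrustAttributes
            $names = foreach ($bit in $attrFlags.Keys) {
                if ($attrs -band $bit) { $attrFlags[$bit] }
            }
            [pscustomobject]@{
                TrustedDomain = $_.TrustedDomain
                Direction     = $directions[[int]$_.TrustDirection]
                Attributes    = ($names -join ',')
                TrustedDC     = $_.TrustedDCName
                IsOk          = $_.TrustIsOk
                Status        = $_.TrustStatusString
            }
        }
}

function Get-FailedTrusts {
    # Same WQL filter as the second VBScript: only trusts that failed the check.
    Get-CimInstance -Namespace $ns -ClassName Microsoft_DomainTrustStatus `
        -Filter 'TrustIsOk = False' |
        Select-Object TrustedDomain, TrustStatus, TrustStatusString
}

function Set-TrustmonCache {
    # Adjust the Microsoft_TrustProvider singleton, as the third VBScript does.
    param([int]$ListMinutes = 15, [int]$StatusMinutes = 5, [int]$CheckLevel = 1)
    Get-CimInstance -Namespace $ns -ClassName Microsoft_TrustProvider |
        Set-CimInstance -Property @{ TrustListLifetime = $ListMinutes
            TrustStatusLifetime = $StatusMinutes; TrustCheckLevel = $CheckLevel }
}

Get-TrustReport | Format-Table -AutoSize
Get-FailedTrusts
```

Because the provider caches results for TrustStatusLifetime minutes, a trust that was repaired or broken moments ago may still show its previous IsOk value until the cache expires.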
The Trustmon provider is a great example of how to utilize WMI in the Active Directory space. What previously could only have been done with command-line utilities or MMC snap-ins can now be done programmatically very easily.