Forest trusts provide a way for resources in an Active Directory forest to trust identities from another forest. This trust can be configured in both directions. The trusted forest is the source of user identity. The trusting forest contains the resource to which users authenticate. The trusted forest can authenticate users to the trusting forest without allowing the reverse to occur.
To scan for forests that have incoming trusts that allow TGT delegation, and to find any security principals that allow unconstrained delegation, run the following PowerShell scripts in a script file (for example, Get-RiskyServiceAccountsByTrust.ps1 -Collect):
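The two checks described above come down to decoding bit flags in each trust's `trustAttributes` and each account's `userAccountControl`. The following is an added example, not the Microsoft script the text refers to: the flag values are the documented MS-ADTS constants, while the function names, state labels, and sample records are assumptions constructed for illustration.

```powershell
# Added example. Flag values are documented MS-ADTS constants;
# function names, state labels and sample records are constructed.
$TrustFlag = @{
    ForestTransitive    = 0x8    # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
    NoTgtDelegation     = 0x200  # TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
    EnableTgtDelegation = 0x800  # TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
}
$UacTrustedForDelegation = 0x80000  # TRUSTED_FOR_DELEGATION (unconstrained delegation)
$UacServerTrustAccount   = 0x2000   # SERVER_TRUST_ACCOUNT (domain controller)

function Get-TgtDelegationState {
    param([int]$TrustAttributes)
    $enable = ($TrustAttributes -band $TrustFlag.EnableTgtDelegation) -ne 0
    $block  = ($TrustAttributes -band $TrustFlag.NoTgtDelegation) -ne 0
    if ($enable -and $block) { return 'Conflicting' }  # both flags set: review by hand
    if ($enable) { return 'Enabled' }
    if ($block)  { return 'Blocked' }
    return 'Default'  # neither flag set: the domain controllers' default applies
}

function Test-UnconstrainedDelegation {
    param([int]$UserAccountControl)
    $trusted = ($UserAccountControl -band $UacTrustedForDelegation) -ne 0
    $isDc    = ($UserAccountControl -band $UacServerTrustAccount) -ne 0
    return ($trusted -and -not $isDc)  # DCs carry the flag by design, so skip them
}

# Constructed sample data. Live input would come from the ActiveDirectory module:
#   Get-ADTrust -Filter * | Select-Object Name, Direction, TrustAttributes
#   Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
#       -Properties userAccountControl -Server <trusting-forest-dc>
$trusts = @(
    [pscustomobject]@{ Name = 'partner.example'; Direction = 'Inbound';       TrustAttributes = 0x808 }
    [pscustomobject]@{ Name = 'lab.example';     Direction = 'BiDirectional'; TrustAttributes = 0x208 }
    [pscustomobject]@{ Name = 'vendor.example';  Direction = 'Outbound';      TrustAttributes = 0x808 }
)
$accounts = @(
    [pscustomobject]@{ Name = 'svc-web'; UserAccountControl = 0x80200 }
    [pscustomobject]@{ Name = 'DC01$';   UserAccountControl = 0x82000 }
    [pscustomobject]@{ Name = 'APP01$';  UserAccountControl = 0x1000 }
)

# Incoming forest trusts with their TGT delegation state
$trusts |
    Where-Object { ($_.Direction -in 'Inbound', 'BiDirectional') -and
                   ($_.TrustAttributes -band $TrustFlag.ForestTransitive) } |
    Select-Object Name, Direction,
        @{ n = 'TgtDelegation'; e = { Get-TgtDelegationState $_.TrustAttributes } }

# Non-DC principals configured for unconstrained delegation
$accounts | Where-Object { Test-UnconstrainedDelegation $_.UserAccountControl }
```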