
· 6 min read
Hannes Palmquist

One of the things I have helped clients with is setting up Active Directory forest trusts. If the trust can be set up as “forest trust”, “two-way”, “forest-wide authentication”, “conditional forwarder for DNS” and “no firewall”, anyone can manage to set up a forest trust. In reality though, it rarely is that simple. Recently I was asked to set up a trust in a more complex scenario:

  • Forest trust
  • One-way
  • Selective Authentication
  • No AD DNS (Third party DNS in both organizations).
    • Not allowed to setup a stub zone or conditional forward
  • And last but not least strict security policies for firewall rules

Scenario and definitions

The scenario came from the acquisition of another company. During the consolidation of the two organizations, the trust was set up so that the migrated users could access a few legacy systems until all resources had been migrated. The table below defines the scenario.

Property            | Forest A | Forest B
--------------------|----------|---------
Trust Direction     | Incoming | Outgoing
Direction of Access | ->       | ->
Direction of Trust  | <-       | <-

Configure trust options

For forest trust authentication there are two options: Selective Authentication and Forest-wide Authentication. With forest-wide authentication the trusting forest allows all authentication requests from the trusted forest, so every user in the trusted forest can authenticate in the trusting forest. It also means that all users in the trusted forest are implicitly members of the “Authenticated Users” group in the trusting forest. This is not always desirable. Sometimes common file shares grant permissions to “Authenticated Users” (which of course is bad), and Authenticated Users are also granted some read permissions in Active Directory by default, which means that a user from the trusted forest can enumerate users and quite a lot of their attributes.

To mitigate this, the authentication mode “Selective Authentication” exists. This mode denies all authentication requests by default: for a user from the trusted forest to authenticate to a resource, that user needs to be granted the “Allowed to authenticate” permission on the resource's Active Directory computer object. This lets us control which users can authenticate to which resource, in addition to the standard permissions on the resource itself.

In this scenario “Selective Authentication” is selected.

Configure network port openings

Most likely there is a firewall between the two organizations, and Active Directory by nature uses a lot of different ports for different types of communication. Many blogs and articles try to summarize which ports are needed for a forest trust, but all of them include a lot of ports that are often not needed, or that are only needed for specific scenarios or types of trust. In our scenario I didn't want to order port openings that I couldn't justify for this specific case. Below is the list of ports I ended up with as the bare minimum to set up a working trust according to our requirements.


Note that even though the trust is one-way, the communication is not. These ports need to be opened from domain controllers in ForestA to domain controllers in ForestB and vice versa.

Port        | Protocol | Service              | Purpose                                                               | Requirement
------------|----------|----------------------|-----------------------------------------------------------------------|-----------------------
88          | TCP      | Kerberos             | Used for DC authentication                                            | Mandatory
88          | UDP      | Kerberos             | Used for DC authentication                                            | Mandatory
135         | TCP      | RPC Endpoint Mapper  | Used to establish an RPC endpoint                                     | Mandatory
389         | TCP      | LDAP                 | Used for LDAP communication                                           | Mandatory
389         | UDP      | LDAP                 | Used for LDAP communication                                           | Mandatory
445         | TCP      | SMB                  | Used for trust establishment. Can be removed after trust configuration. | Mandatory during setup
1024-65535  | TCP      | RPC                  | RPC high ports returned by the RPC Endpoint Mapper                    | Mandatory
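As an added example (not part of the original post), the script below probes the TCP ports from the table against the other forest's domain controllers with the built-in Test-NetConnection cmdlet, so the result can be attached to the firewall change request as evidence. The hostnames are constructed placeholders. The UDP ports cannot be probed with a TCP connect test, and the RPC high port is only known once the endpoint mapper hands it out, so the script probes 135 and leaves the dynamic range to a real RPC call (for example the trust wizard itself).

```powershell
# Constructed hostnames; replace with the domain controllers published in DNS for the other forest
$RemoteDomainControllers = @('dc1.forestb.example', 'dc2.forestb.example')

# TCP ports from the table above. 88/UDP and 389/UDP cannot be probed with a TCP
# connect test, and the RPC high ports are assigned at runtime by the endpoint
# mapper, so only 135 is probed for RPC here.
$TrustPorts = @(
    [pscustomobject]@{ Port = 88;  Service = 'Kerberos';            Phase = 'Always' },
    [pscustomobject]@{ Port = 135; Service = 'RPC Endpoint Mapper'; Phase = 'Always' },
    [pscustomobject]@{ Port = 389; Service = 'LDAP';                Phase = 'Always' },
    [pscustomobject]@{ Port = 445; Service = 'SMB';                 Phase = 'Setup only' }
)

function Test-TrustPortMatrix {
    param (
        [Parameter(Mandatory)][string[]]$Targets,
        [Parameter(Mandatory)][object[]]$Ports
    )
    foreach ($target in $Targets) {
        foreach ($p in $Ports) {
            # TcpTestSucceeded is $true only when the TCP handshake completed
            $result = Test-NetConnection -ComputerName $target -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Source  = $env:COMPUTERNAME
                Target  = $target
                Port    = $p.Port
                Service = $p.Service
                Phase   = $p.Phase
                Open    = $result.TcpTestSucceeded
            }
        }
    }
}

# Run this from a domain controller on each side: the openings are needed in
# both directions even though the trust itself is one-way.
$matrix = Test-TrustPortMatrix -Targets $RemoteDomainControllers -Ports $TrustPorts
$matrix | Format-Table -AutoSize

# Anything still closed is what goes back to the firewall team
$matrix | Where-Object { -not $_.Open } | Format-Table -AutoSize
```

Keep the output from both directions; once the trust is established, rerun it and expect only the SMB row to be closed after that opening has been removed.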

Configure DNS records

Often DNS can be configured by just setting up an AD DNS conditional forwarder for the other forest, which allows all necessary DNS records to be resolved by the respective forest. In this scenario we were not allowed to do that and had to create the DNS records manually instead. Almost no documentation exists for this scenario, so here is the minimum set of DNS records required to successfully set up the forest trust.




  • All domain controllers that should serve the trust need to be added as A records.
  • Make sure that the KDC and the PDC are among these domain controllers.


  • The subdomain “_msdcs” of “” needs to be created.
  • The subdomain “dc” of domain “” needs to be created.
  • The subdomain “pdc” of domain “” needs to be created if both sides of the forest trust are to be created from one of the sides.
  • Note the trailing “.” (period) of the host names.

SRV record columns: Full name | Service | Protocol | Port | Priority | Weight | Host (domain controller)

If conditional forwards are used, make sure that all domain controllers that are resolvable are added with port openings and that they are reachable.
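Because the records are created by hand in a third-party DNS, it is easy to end up with an SRV record whose target has no A record or no firewall opening. The function below is an added example (not from the original post) that resolves the published domain controllers and the standard domain controller locator SRV names under the “dc” and “pdc” subdomains of _msdcs, and flags any SRV target that is not in the list of published domain controllers. The forest name and host names are constructed placeholders, and the assumption that these three locator names are the ones the partner forest queries is mine, not the post's.

```powershell
function Test-TrustDnsRecords {
    param (
        # DNS name of the trust partner forest (constructed placeholder in the usage below)
        [Parameter(Mandatory)][string]$ForestDnsName,
        # FQDNs of the partner domain controllers that were published as A records
        [Parameter(Mandatory)][string[]]$DomainControllers
    )

    # 1. Every domain controller that serves the trust must resolve to an address
    foreach ($dc in $DomainControllers) {
        $a = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Record   = $dc
            Type     = 'A'
            Resolves = [bool]$a
            Target   = (@($a | ForEach-Object { $_.IPAddress }) -join ',')
            Detail   = ''
        }
    }

    # 2. Locator SRV records under the "dc" and "pdc" subdomains of _msdcs.
    #    Assumption: these standard AD locator names are what the partner forest queries.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$ForestDnsName",
        "_kerberos._tcp.dc._msdcs.$ForestDnsName",
        "_ldap._tcp.pdc._msdcs.$ForestDnsName"
    )
    foreach ($name in $srvNames) {
        # Resolve-DnsName also returns the additional-section A records, keep only the SRV rows
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
        if (-not $srv) {
            [pscustomobject]@{ Record = $name; Type = 'SRV'; Resolves = $false; Target = ''; Detail = 'missing' }
            continue
        }
        foreach ($r in $srv) {
            # An SRV target outside the published DC list has no A record and no
            # firewall opening, which is exactly the mismatch to catch before setup
            $known = $DomainControllers -contains $r.NameTarget.TrimEnd('.')
            $detail = if ($known) { 'target published' } else { 'target not in DC list' }
            [pscustomobject]@{
                Record   = $name
                Type     = 'SRV'
                Resolves = $true
                Target   = "$($r.NameTarget):$($r.Port)"
                Detail   = $detail
            }
        }
    }
}

# Constructed usage; replace the forest name and DC names with the real ones
Test-TrustDnsRecords -ForestDnsName 'forestb.example' `
    -DomainControllers 'dc1.forestb.example', 'dc2.forestb.example' | Format-Table -AutoSize
```

Run it from a domain controller on the side that will initiate the trust, since that is the resolver whose view matters; every row should show Resolves = True and every SRV row should say “target published”.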

Other notes

  • Make sure that all clients used by users from ForestA can reach the domain controllers published in DNS for ForestB.
  • Use PortQry to test all ports from all domain controllers.
    • Note that 88/UDP doesn't give any response, so that port cannot be tested this way.
  • This guide focuses on establishing the trust between two forests. The following topics are out of scope and subject for a future post:
    • Port openings for client computers and resource services.
    • Configuration of permissions to authenticate through the trust.
    • Configuration of permissions to access resources in ForestB.

· 2 min read
Hannes Palmquist

I've seen numerous forum posts and blog articles trying to change the desktop wallpaper in Windows, none of which works reliably. The most common solution is to set new registry keys and then call the UpdatePerUserSystemParameters method in user32.dll, and then quite literally hope that the desktop wallpaper changes. This does not always happen, because Windows does not always honor the request to update the wallpaper settings when this method is called. The inner workings of this method are not completely known, and Microsoft has never advertised it as the way to change the wallpaper.

However, I concluded that a documented Windows API for setting a new wallpaper must exist, so I started looking into C# solutions to the same problem, and sure enough it was quite an easy procedure. All I had to do was define the type definition in PowerShell and then pass the action values when calling the SystemParametersInfo method.

The PowerShell function below reliably changes the desktop wallpaper and also lets you choose the style.

```powershell
<#PSScriptInfo
.GUID cfc2e719-67d8-4722-b594-3d198a1206c7
.FILENAME Set-DesktopWallpaper.ps1
#>
function Set-DesktopWallpaper {
    <#
    .SYNOPSIS
    Sets a desktop background image
    .PARAMETER PicturePath
    Defines the path to the picture to use for background
    .PARAMETER Style
    Defines the style of the wallpaper. Valid values are Tiled, Centered, Stretched, Fill, Fit, Span
    .EXAMPLE
    Set-DesktopWallpaper -PicturePath "C:\pictures\picture1.jpg" -Style Fill
    .EXAMPLE
    Set-DesktopWallpaper -PicturePath "C:\pictures\picture2.png" -Style Centered
    .NOTES
    Supports jpg, png and bmp files.
    #>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [ValidateScript({ Test-Path -Path $_ -PathType Leaf })]
        [string]$PicturePath,

        [ValidateSet('Tiled', 'Centered', 'Stretched', 'Fill', 'Fit', 'Span')]
        [string]$Style = 'Fill'
    )

    # P/Invoke signature for SystemParametersInfo in user32.dll
    $Definition = @"
[DllImport("user32.dll", EntryPoint = "SystemParametersInfo")]
public static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni);
"@
    # Add-Type fails if the type already exists, so only compile it once per session
    if (-not ('Win32Functions.Win32SystemParametersInfo' -as [type])) {
        Add-Type -MemberDefinition $Definition -Name Win32SystemParametersInfo -Namespace Win32Functions
    }

    $Action_SetDeskWallpaper      = [int]20    # SPI_SETDESKWALLPAPER
    $Action_UpdateIniFile         = [int]0x01  # SPIF_UPDATEINIFILE
    $Action_SendWinIniChangeEvent = [int]0x02  # SPIF_SENDWININICHANGE

    # WallpaperStyle registry values. Tiled and Centered both use 0 and are
    # told apart by TileWallpaper below.
    $HT_WallPaperStyle = @{
        'Tiled'     = 0
        'Centered'  = 0
        'Stretched' = 2
        'Fill'      = 10
        'Fit'       = 6
        'Span'      = 22
    }

    $HT_TileWallPaper = @{
        'Tiled'     = 1
        'Centered'  = 0
        'Stretched' = 0
        'Fill'      = 0
        'Fit'       = 0
        'Span'      = 0
    }

    # Write the style first, then ask Windows to apply the new wallpaper and
    # persist it (SPIF_UPDATEINIFILE) and notify other windows (SPIF_SENDWININICHANGE)
    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name wallpaperstyle -Value $HT_WallPaperStyle[$Style]
    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name tilewallpaper -Value $HT_TileWallPaper[$Style]
    $null = [Win32Functions.Win32SystemParametersInfo]::SystemParametersInfo($Action_SetDeskWallpaper, 0, $PicturePath, ($Action_UpdateIniFile -bor $Action_SendWinIniChangeEvent))
}
```

· One min read
Hannes Palmquist

This function can be used to show the status of the PowerShell profile scripts on the computer.

```powershell
function Check-ProfileStatus {
    # $profile carries one NoteProperty per profile scope (AllUsersAllHosts,
    # AllUsersCurrentHost, CurrentUserAllHosts, CurrentUserCurrentHost)
    ($profile | Get-Member -MemberType NoteProperty).Name |
        ForEach-Object {
            $CurrentProfile = $_
            $Path = $profile.$_
            [pscustomobject]([Ordered]@{ Profile = $CurrentProfile; Path = $Path; Exists = (Test-Path $Path) })
        }
}
```


· 3 min read
Hannes Palmquist

One thing that I have been struggling with from time to time is that the cmdlet Where-Object is incredibly slow at filtering massive datasets. Let's say you have a custom PSObject array with 50000 objects and 20 properties each. If you were to cross-reference this table with another large dataset using the Where-Object cmdlet for each lookup, it would take ages.

One day I had to do such a comparison and I was forced to come up with an alternate way of retrieving matches, so I developed a new function that is much faster than the Where-Object cmdlet.

Let's say you have a CSV file containing 50000 rows and 20 columns, with one column being a GUID. First you need to create an index:

```powershell
$CSVIndex = $CSV.GUID.ToLower()
```

Once that is done, the search can be started using the function below:

```powershell
Fast-Search -Database $CSV -DatabaseIndex $CSVIndex -SearchString "A52FB-...-27422"
```

This is how the function is defined:

```powershell
function Fast-Search {
    param (
        [Parameter(Mandatory)]$Database,        # the full dataset (array of objects)
        [Parameter(Mandatory)]$DatabaseIndex,   # array of key values in the same order as $Database
        [Parameter(Mandatory)][string]$SearchString
    )
    $Array = @()   # positions of the matching rows
    $Index = 0
    while ($Index -ne -1) {
        # Find the next hit at or after $Index; the index was built with ToLower(), so match that
        $Index = [System.Array]::IndexOf($DatabaseIndex, $SearchString.ToLower(), $Index)
        if ($Index -ne -1) {
            $Array += $Index
            $Index++   # continue after the last hit, otherwise IndexOf returns the same row forever
        }
    }
    # Collect the matching rows from the dataset by position
    $Array | ForEach-Object { $Database[$_] }
}
```

What makes the function so much faster, you might ask?

First off, the key is that the dataset and the dataset index keep the same internal order, so we can assume that the item at index X is the same item in both the dataset and the dataset index.

So what we do is search for the SearchString only in the dataset index; this in itself is much faster, as there is far less data to process. For that we use the IndexOf method of the dataset index, which is also quite fast at locating the first row that matches the SearchString. We then save that index in another array, let's call it the result array. After that we continue searching for the next match after the last result, and this process is repeated until we reach the end of the dataset index.

We then have an array with the index numbers of the rows that match the SearchString. The last thing we need to do is collect the rows from the large dataset using array index targeting, and finally we return all those objects from the dataset.

In some cases I have seen performance gains of up to 80 times with this method compared to Where-Object. The drawbacks are that it isn't a built-in cmdlet, so you have to declare the function; you need to build an index manually; and you can only search one property at a time, the one you built the index on. You should only use this method for the specific use case where you have two very large datasets and the key isn't unique. The function could also be developed further to accept two or more indexes in case you need to search on more than one property.

A similar solution is to use a hashtable as the dataset index lookup table, storing the index value as the key and the whole object as the value. This method is quite easy to use, but it has one drawback: keys must be unique. So if you need to quickly search a large dataset where you expect more than one result for an index value, this function gives you really fast searches.
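The uniqueness limitation of the hashtable approach goes away if each key maps to the list of row positions instead of to a single object. The block below is an added example (not the post's own code) that builds such a multi-value index once, looks up rows through it, and times it against Where-Object on a constructed dataset; the function names New-MultiIndex and Find-Indexed and the sample data are my own.

```powershell
# Build a hashtable that maps each (lower-cased) key value to the positions of
# every row carrying that value, so duplicate keys are supported.
function New-MultiIndex {
    param (
        [Parameter(Mandatory)][object[]]$Database,
        [Parameter(Mandatory)][string]$Property
    )
    $index = @{}
    for ($i = 0; $i -lt $Database.Count; $i++) {
        $key = ([string]$Database[$i].$Property).ToLower()
        if (-not $index.ContainsKey($key)) {
            $index[$key] = [System.Collections.Generic.List[int]]::new()
        }
        $index[$key].Add($i)
    }
    return $index
}

# One hashtable lookup, then the matching rows are pulled out by position,
# the same "array index targeting" the post's function relies on.
function Find-Indexed {
    param (
        [Parameter(Mandatory)][object[]]$Database,
        [Parameter(Mandatory)][hashtable]$Index,
        [Parameter(Mandatory)][string]$SearchString
    )
    $key = $SearchString.ToLower()
    if ($Index.ContainsKey($key)) {
        foreach ($position in $Index[$key]) { $Database[$position] }
    }
}

# Constructed sample data: 50000 rows, 1000 distinct keys, so every key
# appears 50 times (the non-unique case the post is about).
$db = 1..50000 | ForEach-Object {
    [pscustomobject]@{ GUID = ('key{0:d4}' -f ($_ % 1000)); Value = $_ }
}
$ix = New-MultiIndex -Database $db -Property GUID

# Same 20 lookups both ways; the indexed version avoids scanning 50000 rows per lookup
$slow = Measure-Command { 1..20 | ForEach-Object { $db | Where-Object { $_.GUID -eq 'key0042' } } }
$fast = Measure-Command { 1..20 | ForEach-Object { Find-Indexed -Database $db -Index $ix -SearchString 'KEY0042' } }
"Where-Object: {0:n0} ms, indexed: {1:n0} ms" -f $slow.TotalMilliseconds, $fast.TotalMilliseconds

# Each lookup returns the 50 rows sharing that key
(Find-Indexed -Database $db -Index $ix -SearchString 'key0042').Count
```

Building the index costs one pass over the dataset, so it only pays off when the same dataset is queried many times, which is exactly the cross-referencing scenario described above.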