Enumerate cross-trust DACL control relationships

cross_trust_dacls.ps1

$Domain = "dev.testlab.local"
$DomainSid = Get-DomainSid $Domain
Get-DomainObjectAcl -Domain $Domain -ResolveGUIDs -LDAPFilter '(|(objectclass=groupPolicyContainer)(objectclass=group)(objectclass=user)(objectclass=domain))' | ? {
    ($_.AceType -match 'AccessAllowed') -and `
    ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and `
    ($_.SecurityIdentifier -notmatch $DomainSid) -and `
    ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')
} | % {
    $_ | Add-Member Noteproperty 'PrincipalDN' $(Convert-ADName $_.SecurityIdentifier -OutputType DN)
    $_
}