Trust Management Tasks
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
| Task | Permissions Required to Perform Task |
|---|---|
| Create a shortcut (cross-link) trust relationship | CC on the object cn=System, dc=<trusting domain> (to create objects of class Trusted-Domain) in the trusting domain; CC on the object cn=System, dc=<trusted domain> (to create objects of class Trusted-Domain) in the trusted domain |
| Create an external trust relationship | CC on the object cn=System, dc=<trusting domain> (to create objects of class Trusted-Domain) in the trusting domain; CC on the object cn=System, dc=<trusted domain> (to create objects of class Trusted-Domain) in the trusted domain |
| Create a non-Windows Kerberos realm trust relationship | CC on the object cn=System, dc=<trusting domain> (to create objects of class Trusted-Domain) in the domain creating the trust |
| Create an outbound forest trust | CC on the object cn=System, dc=<forestRootDomain> (to create objects of class Trusted-Domain) in the trusting forest; CC on the object cn=System, dc=<forestRootDomain> (to create objects of class Trusted-Domain) in the trusted forest |
| Create an inbound forest trust | (CC on the object cn=System, dc=<forestRootDomain> (to create objects of class Trusted-Domain) in the trusted forest OR the extended right Create-Inbound-Forest-Trust on dc=<Domain> (root of the domain directory partition) in the trusted forest) AND (CC on the object cn=System, dc=<forestRootDomain> (to create objects of class Trusted-Domain) in the trusting forest) |
| Delete a shortcut (cross-link) trust relationship | SD on the object cn=<trusted domain name>,cn=System, dc=<trusting domain> in the trusting domain; SD on the object cn=<trusted domain name>,cn=System, dc=<trusted domain> in the trusted domain |
| Delete an external trust relationship | SD on the object cn=<trusted domain name>,cn=System, dc=<trusting domain> in the trusting domain; SD on the object cn=<trusted domain name>,cn=System, dc=<trusted domain> in the trusted domain |
| Delete a non-Windows Kerberos realm trust relationship | SD on the object cn=<trusted domain name>,cn=System, dc=<trusting domain> in the domain from which the trust is being deleted |
| Delete a forest trust | SD on the object cn=<trusted domain name>,cn=System, dc=<forestRootDomain> in the trusting forest; SD on the object cn=<trusted domain name>,cn=System, dc=<forestRootDomain> in the trusted forest |
| Verify that a trust is working properly | Must be a member of the local Administrators group on the computer from which the trust is being verified |
| Change the direction of a trust | WP on the object cn=<Trusted Domain object>, cn=System, dc=<TrustingDomain>, where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Direction attribute; WP on the object cn=<Trusted Domain object>, cn=System, dc=<TrustedDomain>, where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Direction attribute |
| Enable name suffix routing (for a given suffix) in a forest | WP on the object cn=<Trusted Domain object>, cn=System, dc=<forestRootDomain>, where <Trusted Domain object> represents the corresponding trust, to modify the ms-DS-Trust-Forest-Trust-Info attribute |
| Disable name suffix routing (for a given suffix) in a forest | WP on the object cn=<Trusted Domain object>, cn=System, dc=<forestRootDomain>, where <Trusted Domain object> represents the corresponding trust, to modify the ms-DS-Trust-Forest-Trust-Info attribute |
| Add or remove an exception to a name suffix for a given forest trust | WP on the object cn=<Trusted Domain object>, cn=System, dc=<forestRootDomain>, where <Trusted Domain object> represents the corresponding trust, to modify the ms-DS-Trust-Forest-Trust-Info attribute |
| Reset the trust passwords shared by a trust pair | WP on the object cn=<Trusted Domain object>, cn=System, dc=<trusting and trusted domain>, where <Trusted Domain object> represents the corresponding trust, to modify the Initial-Auth-Incoming, Initial-Auth-Outgoing, Trust-Auth-Incoming and Trust-Auth-Outgoing attributes |
| Force the removal of a trust | DC on the object cn=System, dc=<trusting domain> (to delete objects of class Trusted-Domain) in the domain that wants to delete the trust |
| Enable or disable SID history on an outbound forest trust | WP on the object cn=<Trusted Domain object>, cn=System, dc=<forestRootDomain>, where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Attributes attribute |
| Enable or disable SID filtering | WP on the object cn=<Trusted Domain object>, cn=System, dc=<Domain>, where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Attributes attribute |
| Enable selective authentication on an outbound forest or external trust | WP on the object cn=<Trusted Domain object>, cn=System, dc=<Domain>, where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Attributes attribute |
| Enable or disable placing name suffix (top-level name) information on a realm trust | WP on the object cn=<Trusted Domain object>, cn=System, dc=<Domain>, where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Attributes attribute |
| Add or remove top-level names from a realm trust | WP on the object cn=<Trusted Domain object>, cn=System, dc=<forestRootDomain>, where <Trusted Domain object> represents the corresponding trust, to modify the ms-DS-Trust-Forest-Trust-Info attribute |
| Add or remove top-level name exclusions from a realm trust | WP on the object cn=<Trusted Domain object>, cn=System, dc=<forestRootDomain>, where <Trusted Domain object> represents the corresponding trust, to modify the ms-DS-Trust-Forest-Trust-Info attribute |
| Modify the transitivity of a realm trust | WP on the object cn=<Trusted Domain object>, cn=System, dc=<Domain>, where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Attributes attribute |
* All trust management tools in Active Directory require that an administrator performing any trust management task using these tools be a member of the BuiltIn Admins group in the domain.
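The rights in the table are ordinary Active Directory ACEs, so an administrator can audit who actually holds them. The following PowerShell script is an added example and is not part of the original Microsoft page: it lists every principal with CC or DC (create/delete child objects of class Trusted-Domain) on cn=System and every principal with SD (delete) or WP (write property) on the trust-relevant attributes of each existing Trusted-Domain object. It assumes the ActiveDirectory module and the AD: drive it provides, resolves all schema GUIDs from the schema partition instead of hard-coding them, and uses a placeholder domain DN (`DC=example,DC=com`) that must be replaced. Reading CC, DC, SD and WP as Create Child, Delete Child, Delete and Write Property is the standard expansion of Microsoft's permission abbreviations.

```powershell
# Added example (not from the original Microsoft page): audit who holds the rights the
# trust-management table requires. Assumes RSAT's ActiveDirectory module and AD: drive.
Import-Module ActiveDirectory

$domainDN = 'DC=example,DC=com'   # placeholder: the domain whose trust ACLs are audited
$rootDSE  = Get-ADRootDSE
$R        = [System.DirectoryServices.ActiveDirectoryRights]

# Resolve a schemaIDGUID by lDAPDisplayName from the schema partition (no hard-coded GUIDs).
function Resolve-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $rootDSE.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$trustedDomainClass = Resolve-SchemaGuid 'trustedDomain'

# Attributes named in the table's WP rows (direction, attributes, forest-trust info and the
# four trust-password attributes), keyed by their schemaIDGUID for ACE ObjectType matching.
$sensitiveAttrs = @{}
foreach ($name in 'trustDirection', 'trustAttributes', 'msDS-TrustForestTrustInfo',
                  'initialAuthIncoming', 'initialAuthOutgoing',
                  'trustAuthIncoming', 'trustAuthOutgoing') {
    $sensitiveAttrs[(Resolve-SchemaGuid $name)] = $name
}

# True when the flag is set in an ActiveDirectoryRights value (compared as integers).
function Test-Right($Rights, $Flag) { ([int]$Rights -band [int]$Flag) -ne 0 }

# CC / DC on CN=System: an empty ObjectType GUID means the ACE is not limited to one
# class, so it covers Trusted-Domain as well; GenericAll implies everything.
function Get-TrustContainerRights {
    param([string]$DomainDN)
    $container = "CN=System,$DomainDN"
    foreach ($ace in (Get-Acl -Path "AD:\$container").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $anyOrTrust = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $trustedDomainClass)
        $grants = @()
        if (Test-Right $ace.ActiveDirectoryRights $R::GenericAll) { $grants += 'GenericAll' }
        elseif ($anyOrTrust) {
            if (Test-Right $ace.ActiveDirectoryRights $R::CreateChild) { $grants += 'CC (Trusted-Domain)' }
            if (Test-Right $ace.ActiveDirectoryRights $R::DeleteChild) { $grants += 'DC (Trusted-Domain)' }
        }
        if ($grants) {
            [pscustomobject]@{ Object = $container; Identity = $ace.IdentityReference
                               Grants = ($grants -join ', '); Inherited = $ace.IsInherited }
        }
    }
}

# SD / WP on each existing Trusted-Domain object under CN=System.
# Caveat: WP granted through a property set shows the set's GUID and is not expanded here.
function Get-TrustObjectRights {
    param([string]$DomainDN)
    $trusts = Get-ADObject -SearchBase "CN=System,$DomainDN" -LDAPFilter '(objectClass=trustedDomain)'
    foreach ($trust in $trusts) {
        foreach ($ace in (Get-Acl -Path "AD:\$($trust.DistinguishedName)").Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights
            $grants = @()
            if (Test-Right $rights $R::GenericAll) { $grants += 'GenericAll' }
            else {
                if (Test-Right $rights $R::Delete) { $grants += 'SD' }
                if (Test-Right $rights $R::WriteProperty) {
                    if ($ace.ObjectType -eq [guid]::Empty) { $grants += 'WP (all attributes)' }
                    elseif ($sensitiveAttrs.ContainsKey($ace.ObjectType)) {
                        $grants += "WP ($($sensitiveAttrs[$ace.ObjectType]))"
                    }
                }
            }
            if ($grants) {
                [pscustomobject]@{ Object = $trust.DistinguishedName; Identity = $ace.IdentityReference
                                   Grants = ($grants -join ', '); Inherited = $ace.IsInherited }
            }
        }
    }
}

@(Get-TrustContainerRights -DomainDN $domainDN) + @(Get-TrustObjectRights -DomainDN $domainDN) |
    Format-Table -AutoSize
```

Run it from a domain-joined host with an account that can read the security descriptors involved. Entries inherited from the domain root (for example the built-in administrative groups) are expected; any unfamiliar principal with CC or DC on cn=System, or with WP on trustAttributes or the trust-password attributes, deserves review, because those rights are exactly what the table shows is needed to create, remove or reconfigure a trust.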