Export (0) Print
Expand All

Trust Management Tasks

Updated: December 5, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

 

Task Permissions Required to Perform Task

Create a shortcut (cross-link) trust relationship

CC on the object cn=System, dc=<trusting domain> (to create objects of class Trusted-Domain) in the trusting domain

CC on the object cn=System, dc=<trusted domain> (to create objects of class Trusted-Domain) in the trusted domain

Create an external trust relationship

CC on the object cn=System, dc=<trusting domain> (to create objects of class Trusted-Domain) in the trusting domain

CC on the object cn=System, dc=<trusted domain> (to create objects of class Trusted-Domain) in the trusted domain

Create a non-Windows Kerberos realm trust relationship

CC on the object cn=System, dc=<trusting domain> (to create objects of class Trusted-Domain) in the domain creating the trust

Create an Outbound Forest Trust

CC on the object cn=System, dc=<forestRootDomain> (to create objects of class Trusted-Domain) in the trusting forest

CC on the object cn=System, dc=<forestRootDomain> (to create objects of class Trusted-Domain) in the trusted forest

Create an Inbound Forest Trust

(CC on the object cn=System, dc=<forestRootDomain> (to create objects of class Trusted-Domain) in the trusted forest

OR Extended right Create-Inbound-Forest-Trust on dc=<Domain> (root of domain directory partition) in the trusted forest)

AND (CC on the object cn=System, dc=<forestRootDomain> (to create objects of class Trusted-Domain) in the trusting forest)

Delete a shortcut (cross-link) trust relationship

SD on the object cn=<trusted domain name>,cn=System, dc=<trusting domain> in the trusting domain

SD on the object cn=<trusted domain name>,cn=System, dc=<trusted domain> in the trusted domain

Delete an external trust relationship

SD on the object cn=<trusted domain name>,cn=System, dc=<trusting domain> in the trusting domain

SD on the object cn=<trusted domain name>,cn=System, dc=<trusted domain> in the trusted domain

Delete a non-Windows Kerberos realm trust relationship

SD on the object cn=<trusted domain name>,cn=System, dc=<trusting domain> in the domain from where the trust is being deleted

Delete a forest trust

SD on the object cn=<trusted domain name>,cn=System, dc=<forestRootDomain> in the trusting forest

SD on the object cn=<trusted domain name>,cn=System, dc=<forestRootDomain> in the trusted forest

Verify that a trust is working properly

Have to be a member of local Administrators group on the machine from where the trust is being verified

Change the direction of a trust

WP on the object cn=<Trusted Domain object>, cn=System, dc=<TrustingDomain> where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Direction attribute

WP on the object cn=<Trusted Domain object>, cn=System, dc=<TrustedDomain> where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Direction attribute

Enable Name Suffix Routing (for a given suffix) in a forest

WP on the object cn=<Trusted Domain object>, cn=System, dc=<forestRootDomain> where <Trusted Domain object> represents the corresponding trust, to modify the ms-DS-Trust-Forest-Trust-Info attribute

Disable Name Suffix Routing (for a given suffix) in a forest

WP on the object cn=<Trusted Domain object>, cn=System, dc=<forestRootDomain> where <Trusted Domain object> represents the corresponding trust, to modify the ms-DS-Trust-Forest-Trust-Info attribute

Add/Remove an exception to a name suffix for a given forest trust

WP on the object cn=<Trusted Domain object>, cn=System, dc=<forestRootDomain> where <Trusted Domain object> represents the corresponding trust, to modify the ms-DS-Trust-Forest-Trust-Info attribute

Reset the trust passwords shared by a trust-pair

WP on the object cn=<Trusted Domain object>, cn=System, dc=<trusting and trusted domain> where <Trusted Domain object> represents the corresponding trust, to modify the Initial-Auth-Incoming, Initial-Auth-Outgoing, Trust-Auth-Incoming and Trust-Auth-Outgoing attributes

Force the removal of a trust

DC on the object cn=System, dc=<trusting domain> (to delete objects of class Trusted-Domain) in the domain that wants to delete the trust

Enable/Disable SID History on an outbound forest trust

WP on the object cn=<Trusted Domain object>, cn=System, dc=<forestRootDomain> where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Attributes attribute

Enable/Disable SID Filtering

WP on the object cn=<Trusted Domain object>, cn=System, dc=<Domain> where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Attributes attribute

Enable Selective Authentication on an outbound forest/external trust

WP on the object cn=<Trusted Domain object>, cn=System, dc=<Domain> where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Attributes attribute

Enable/Disable placing of Name Suffix (Top Level Names) information on a realm trust

WP on the object cn=<Trusted Domain object>, cn=System, dc=<Domain> where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Attributes attribute

Add/remove top-level names from a realm trust

WP on the object cn=<Trusted Domain object>, cn=System, dc=<forestRootDomain> where <Trusted Domain object> represents the corresponding trust, to modify the ms-DS-Trust-Forest-Trust-Info attribute

Add/remove top-level name exclusions from a realm trust

WP on the object cn=<Trusted Domain object>, cn=System, dc=<forestRootDomain> where <Trusted Domain object> represents the corresponding trust, to modify the ms-DS-Trust-Forest-Trust-Info attribute

Modify the transitivity of a realm-trust

WP on the object cn=<Trusted Domain object>, cn=System, dc=<Domain> where <Trusted Domain object> represents the corresponding trust, to modify the Trust-Attributes attribute

* All trust management tools in Active Directory require that an administrator performing any trust management task using these tools be a member of the BuiltIn Admins group in the domain.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft