Interdomain trust account

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Account created when a trust relationship is established between two domains. To implement the trust, an interdomain trust account is created in the directory db of the trustED domain. The account is created when the administrator of the trusted domain defines the trusting domain using the admin application User Manager for Domains. The account has the USER_INTERDOMAIN_TRUST_ACCOUNT bit set which identifies it as only used for trust relationships. The account is hidden and cannot be modified. The password and account is used when establishing a session with the trustING domain. The account is only viewable via registry on the PDC of the trustED domain: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Accounts\Users\Names\<trustEDdomainname>$.

The Windows NT Resource Kit utility netdom , netdom.exe, can be used to restore damaged trust relationships. The Windows NT Resource Kit utility nltest , nltest.exe, can be used to restore damaged trust relationships. See Q158148 . nltest is a niffty tool to reveal how many bad-password attempts have been racked up by an account.

Background on Inter-Domain Trust Account Passwords is found in: Q128489.

Netdom can be used to add NT workstations or stand-alone servers to a domain. It will create the computer account, if one doesn't already exist, if you use the command with administrator credentials. The syntax:

NETDOM /Domain:domaintoaddPCinto /user:administrator /password:adminpassword MEMBER computername /JOINDOMAIN

If you want to create a computer account but don't won't to add the workstation to the domain until later, don't use the /JOINDOMAIN parm:

NETDOM /Domain:domaintoaddPCinto /user:administrator /password:adminpassword MEMBER computername /ADD

More information about NETDOM is available in the Microsoft Knowledge Base article Q158148 .

Featured Links