6

I am trying to understand why and interdomain trust account would have an account value of 2080 (INTERDOMAIN_TRUST_ACCOUNT – PASSWD_NOTREQD).

During a routine audit, after we had recently set up a bidirectional trust with a sister company, one of our auditors asked the question: "What is this account and why does it not require a password?"

I have been digging through Microsoft's documentation and I have found quite a lot about how interdomain trust account passwords are reset, and several listings of all possibly userAccountControl values, but not a specific explanation for this value.

I currently suspect that this value is set to cover scenarios where a password update is initiated and fails. As the old password is stored in a separate registry key and a failed password update would leave an account on a trusting domain without a password.

I would appreciate it if anyone could confirm this suspicion or correct it. If anyone can point to more specific documentation that would also be appreciated.

David Broaddus
  • 73
  • 1
  • 4

1 Answers1

10

Trust secrets are represented by special attributes on interdomain trust accounts, indicating the direction of the trust it's securing

Inbound trust secrets are stored in trustAuthIncoming, on the "trusted" side of a trust

Outbound trust secrets are stored in trustAuthOutgoing, on the "trusting" end of a trust

In the special case of two-way trusts (like Parent-Child trusts or transitive forest trusts between internal forests) the INTERDOMAIN_TRUST_ACCOUNT object on each side of the trust will have both set.

Unlike regular computer accounts, on which the client computer is responsible for initiating password changes, trust secrets are maintained by the Domain Controller possessing the PDC Emulator FSMO role in the trusting domain.

Every 7 days, the PDCe will generate and set a new trust secret, contact the PDCe in the trusted domain, and update the Incoming trust secret. All other domain controllers in the trusted domain will replicate the new secret, but to ensure that the trust is not immediately broken until replication occurs, the last secret used will be retained in the SAM database until the next change.

Since this specification does not fit well with most password policies, and because of the fact that a unique password/secrect is maintained per direction not per TDO, the INTERDOMAIN_TRUST_ACCOUNT is exempt from having a password

Mathias R. Jessen
  • 25,161
  • 4
  • 63
  • 95