INTERDOMAIN_TRUST_ACCOUNT

Overview#

The INTERDOMAIN_TRUST_ACCOUNT is a user-Account-Control Attribute Value (2048) that identifies an account as a trust account, that is, the account representing a TrustedDomain in a domain that trusts other AD DOMAINs.

When a Trust is established, a secure connection is set up later by the Netlogon service in the AD DOMAIN of the trust, using the trust information that was stored by the user manager. After the trust is established, the PDC Emulator FSMO Role in the resource domain changes the password of the trusted AD DOMAIN object. By default, every 7 days the PDC Emulator FSMO Role generates and sets new trust credentials, contacts the PDC Emulator FSMO Role in the trusted domain, and updates the Incoming trust credentials. All other Domain Controllers in the trusted AD DOMAIN replicate the new credentials; to ensure that the trust is not broken before Replication completes, the credentials last used are retained in the SAM database until the next change.

INTERDOMAIN_TRUST_ACCOUNT credentials cannot be used in a normal session Microsoft Active Directory logon; such attempts fail with the error 0xC0000198, STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT.

In the special case of two-way trusts (such as Parent-Child trusts or transitive AD Forest trusts between internal forests), the INTERDOMAIN_TRUST_ACCOUNT object on each side of the trust maintains credentials per trust direction, rather than per Trusted Domain Object.

Unlike the WORKSTATION_TRUST_ACCOUNT, as used for Microsoft Windows Clients and GMSA accounts, INTERDOMAIN_TRUST_ACCOUNTs also have the user-Account-Control Attribute Value PASSWD_NOTREQD set. This part of the Microsoft Active Directory specification does not fit well with most Password Policies and Auditors.
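As an added example (not part of this wiki page), the helper below decodes userAccountControl bit values from LDAP entries, keeps only objects with INTERDOMAIN_TRUST_ACCOUNT (2048) set, reports whether PASSWD_NOTREQD (32) is present as described above, and flags trust passwords older than the 7-day rotation cadence the page gives. The entries, account names and the fixed `NOW` timestamp are constructed sample data; in practice the entries would come from an LDAP search.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit values (MS-ADTS / MS-SAMR); 2048 is the flag this page covers.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,            # 32, expected on trust accounts
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,  # 2048
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
}

# pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_uac(value):
    """Return the names of all UAC_FLAGS bits set in an integer userAccountControl."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def audit_trust_accounts(entries, now, max_age_days=7):
    """Return one finding per INTERDOMAIN_TRUST_ACCOUNT object in `entries`.

    A real query would use the bitwise-AND matching rule, e.g. the LDAP filter
    (userAccountControl:1.2.840.113556.1.4.803:=2048), so only trust accounts
    are returned; here the filtering is done client-side on constructed data.
    """
    findings = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        if not uac & UAC_FLAGS["INTERDOMAIN_TRUST_ACCOUNT"]:
            continue  # users, workstations and DCs are out of scope
        flags = decode_uac(uac)
        age = now - filetime_to_datetime(int(entry["pwdLastSet"]))
        findings.append({
            "sAMAccountName": entry["sAMAccountName"],
            "flags": flags,
            "passwd_notreqd": "PASSWD_NOTREQD" in flags,
            "password_age_days": age.days,
            "stale": age.days > max_age_days,  # beyond the default rotation cadence
        })
    return findings


# Constructed sample directory entries (not real data).
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "CORP$", "userAccountControl": "2080",
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=3)))},
    {"sAMAccountName": "LEGACY$", "userAccountControl": "2080",
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=40)))},
    {"sAMAccountName": "WS01$", "userAccountControl": "4096",
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=10)))},
    {"sAMAccountName": "jdoe", "userAccountControl": "512",
     "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=90)))},
]

if __name__ == "__main__":
    for finding in audit_trust_accounts(SAMPLE_ENTRIES, NOW):
        print(finding)
```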

More Information#

There might be more information for this subject on one of the following:
  • [#1] - Q128489: Inter-Domain Trust Account Passwords - based on information obtained 2015-06-11
  • [#2] - [MS-ADTS: Essential Attributes of Interdomain Trust Accounts|https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/ac527b5b-0e88-48a1-8c73-497d40388d04|target='_blank'] - based on information obtained 2020-10-01