I am trying to understand why an interdomain trust account would have an account value of 2080 (INTERDOMAIN_TRUST_ACCOUNT – PASSWD_NOTREQD).
During a routine audit, after we had recently set up a bidirectional trust with a sister company, one of our auditors asked the question: "What is this account and why does it not require a password?"
I have been digging through Microsoft's documentation and I have found quite a lot about how interdomain trust account passwords are reset, and several listings of all possibly userAccountControl values, but not a specific explanation for this value.
I currently suspect that this value is set to cover scenarios where a password update is initiated and fails, as the old password is stored in a separate registry key and a failed password update would leave an account on a trusting domain without a password.
I would appreciate it if anyone could confirm this suspicion or correct it. If anyone can point to more specific documentation that would also be appreciated.
Best Answer
Trust secrets are represented by special attributes on interdomain trust accounts, indicating the direction of the trust they're securing:

- Inbound trust secrets are stored in trustAuthIncoming, on the "trusted" side of a trust
- Outbound trust secrets are stored in trustAuthOutgoing, on the "trusting" end of a trust
- In the special case of two-way trusts (like Parent-Child trusts or transitive forest trusts between internal forests) the INTERDOMAIN_TRUST_ACCOUNT object on each side of the trust will have both set.

Unlike regular computer accounts, on which the client computer is responsible for initiating password changes, trust secrets are maintained by the Domain Controller possessing the PDC Emulator FSMO role in the trusting domain.
Every 7 days, the PDCe will generate and set a new trust secret, contact the PDCe in the trusted domain, and update the Incoming trust secret. All other domain controllers in the trusted domain will replicate the new secret, but to ensure that the trust is not immediately broken until replication occurs, the last secret used will be retained in the SAM database until the next change.
Since this specification does not fit well with most password policies, and because of the fact that a unique password/secret is maintained per direction, not per TDO, the INTERDOMAIN_TRUST_ACCOUNT is exempt from having a password.
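As an added, stand-alone example (not part of the original question or answer), the following Python decodes the 2080 value into its two userAccountControl flags and runs the auditor's check over a constructed set of directory objects: PASSWD_NOTREQD on an INTERDOMAIN_TRUST_ACCOUNT is the expected state described in the answer, while PASSWD_NOTREQD on any other account type is a finding worth raising. The trust_direction helper applies the answer's rule about which of trustAuthIncoming / trustAuthOutgoing are populated on each side of a trust. All account names, records and the trustedDomain objects are made up for the example; in a real audit they would come from an LDAP query against the domain.

```python
"""Decode userAccountControl and audit PASSWD_NOTREQD usage.

Example code, not from the original post. Sample records are constructed
and hypothetical; nothing here talks to a directory.
"""

# userAccountControl bit flags as named in Microsoft's documentation.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
PASSWD_NOTREQD = 0x0020
INTERDOMAIN_TRUST_ACCOUNT = 0x0800


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


# Constructed sample of directory objects (hypothetical names and values).
# SISTER$ is the interdomain trust account created by the new trust: 2080 = 0x800 | 0x20.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "SISTER$", "userAccountControl": 2080},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x0220},  # NORMAL_ACCOUNT | PASSWD_NOTREQD
    {"sAMAccountName": "jdoe", "userAccountControl": 0x0200},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000},
]


def audit_passwd_notreqd(objects):
    """Split PASSWD_NOTREQD accounts into expected (trust accounts) and findings.

    Returns (expected, findings) as lists of sAMAccountName values.
    """
    expected, findings = [], []
    for obj in objects:
        uac = obj["userAccountControl"]
        if not uac & PASSWD_NOTREQD:
            continue
        if uac & INTERDOMAIN_TRUST_ACCOUNT:
            expected.append(obj["sAMAccountName"])   # normal for a trust account
        else:
            findings.append(obj["sAMAccountName"])   # a user/computer that need not have a password
    return expected, findings


# Constructed trustedDomain objects; only the presence of the secret attributes matters here.
SAMPLE_TDOS = {
    "sister.example": {"trustAuthIncoming": b"...", "trustAuthOutgoing": b"..."},  # two-way trust
    "partner.example": {"trustAuthOutgoing": b"..."},                              # we trust them
    "legacy.example": {"trustAuthIncoming": b"..."},                               # they trust us
}


def trust_direction(tdo):
    """Classify a trustedDomain object by which secret attributes are populated,
    following the rule given in the answer (inbound secret on the trusted side,
    outbound secret on the trusting side, both for two-way trusts)."""
    inbound = bool(tdo.get("trustAuthIncoming"))
    outbound = bool(tdo.get("trustAuthOutgoing"))
    if inbound and outbound:
        return "bidirectional"
    if inbound:
        return "inbound"
    if outbound:
        return "outbound"
    return "none"


if __name__ == "__main__":
    print("2080 decodes to:", decode_uac(2080))
    ok, bad = audit_passwd_notreqd(SAMPLE_OBJECTS)
    print("PASSWD_NOTREQD expected on trust accounts:", ok)
    print("PASSWD_NOTREQD findings to review:", bad)
    for name, tdo in SAMPLE_TDOS.items():
        print(name, "->", trust_direction(tdo))
```

The point of the split in audit_passwd_notreqd is the one the auditor needs: the same flag that is routine on an interdomain trust account is a real weakness on a user or service account, so an audit query for PASSWD_NOTREQD should exclude objects with the 0x800 bit set and report the remainder.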