Recipe 2.22 Removing a Trust

2.22.1 Problem

You want to remove a trust. This is commonly done when the remote domain has been decommissioned or access to it is no longer required.

2.22.2 Solution

Using a graphical user interface

  1. Open the Active Directory Domains and Trusts snap-in.

  2. In the left pane, right-click on the trusting domain and select Properties.

  3. Click the Trusts tab.

  4. Click on the domain that is associated with the trust you want to remove.

  5. Click the Remove button.

  6. Click OK.

Using a command-line interface

> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Remove /verbose [/UserO:<TrustingDomainUser> /PasswordO:*] [/UserD:<TrustedDomainUser> /PasswordD:*]

Using VBScript

' This code deletes a trust in the specified domain.
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm trust you want to delete.
strTrustName = "<TrustName>"
' Set to the DNS name of the source or trusting domain
strDomain    = "<DomainDNSName>"
' ------ END CONFIGURATION ---------

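set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
' Delete the trustedDomain object from the System container.
set objTrust = GetObject("LDAP://cn=System," & _
                         objRootDSE.Get("defaultNamingContext") )
objTrust.Delete "trustedDomain", "cn=" & strTrustName
' Delete the matching trust account from the Users container.
' It is a user object, so the class passed to Delete must be "user".
set objTrustUser = GetObject("LDAP://cn=Users," & _
                             objRootDSE.Get("defaultNamingContext") )
objTrustUser.Delete "user", "cn=" & strTrustName & "$"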
WScript.Echo "Successfully deleted trust for " & strTrustName

2.22.3 Discussion

Trusts are stored in Active Directory as two objects: a trustedDomain object in the System container and a user object in the Users container. Both of these objects must be removed when deleting a trust. The GUI and CLI solutions take care of that in one step, but the VBScript example has to delete each object explicitly. Note also that each solution deletes only one side of the trust. If the trust was to a remote AD forest or NT 4.0 domain, you also need to delete the trust in that domain.
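
A follow-up check for the two-object layout described above, as an added example that is not part of the original recipe: it lists trust accounts in a domain and flags any that no longer have a matching trustedDomain object, which is what a half-completed removal leaves behind. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name Get-TrustAccountReport is hypothetical, and it searches the whole domain rather than only cn=Users.

```powershell
# Added example, not from the recipe. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TrustAccountReport {
    param(
        # DNS name of the domain to inspect (hypothetical parameter name)
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9.\-]+$')]
        [string] $Domain
    )

    $baseDN = (Get-ADRootDSE -Server $Domain).defaultNamingContext

    # Half 1: trustedDomain objects directly under cn=System.
    $tdos = @(Get-ADObject -Server $Domain `
        -SearchBase "CN=System,$baseDN" -SearchScope OneLevel `
        -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties flatName, trustPartner)

    # Half 2: trust accounts. These are user objects whose userAccountControl
    # has the INTERDOMAIN_TRUST_ACCOUNT bit (0x800 = 2048) set. The matching
    # rule OID performs a bitwise AND against that value.
    $accounts = @(Get-ADObject -Server $Domain -SearchBase $baseDN `
        -LDAPFilter '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2048))' `
        -Properties sAMAccountName, whenChanged)

    # NetBIOS (flat) names of every trust that still has a trustedDomain object.
    $flatNames = @($tdos | ForEach-Object { $_.flatName })

    foreach ($account in $accounts) {
        # The account is named <NetBIOS name of the other domain>$.
        $partner = $account.sAMAccountName.TrimEnd('$')
        [pscustomobject]@{
            TrustAccount           = $account.sAMAccountName
            DistinguishedName      = $account.DistinguishedName
            WhenChanged            = $account.whenChanged
            # -contains is case-insensitive; False marks an orphaned account.
            HasTrustedDomainObject = $flatNames -contains $partner
        }
    }
}

# Usage (placeholder domain name, as in the recipe):
#   Get-TrustAccountReport -Domain '<DomainDNSName>' |
#       Where-Object { -not $_.HasTrustedDomainObject }
```

An empty result from the usage pipeline means no trust account is left without its trustedDomain object in that domain; the other side of the trust still has to be checked in the remote domain.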
