Viewing the Trusts for a Domain

Viewing the Trusts for a Domain


You want to view the trusts that have been configured for a domain.


Using a graphical user interface
  1. Open the Active Directory Domains and Trusts snap-in (domain.msc).

  2. In the left pane, right-click the domain you want to view and select Properties.

  3. Click on the Trusts tab.

Using a command-line interface

To enumerate domain trusts using the netdom utility, use the following syntax:

	> netdom query trust /Domain:<DomainDNSName>

You can also use nltest, available from the Windows Support Tools as follows:

	> nltest /domain_trusts /All_Trusts

Using VBScript
	strComputer = "."
	Set objWMIService = GetObject("winmgmts:" _
	    & "{impersonationLevel=impersonate}!\\" & _
	    strComputer &  "\root\MicrosoftActiveDirectory")

	Set trustList = objWMIService.ExecQuery _
	    ("Select * from  

	For each trust in trustList
	    Wscript.Echo "Trusted domain: " &  trust.TrustedDomain
	    Wscript.Echo "Trust direction: " &  trust.TrustDirection
	    Wscript.Echo "(1: inbound, 2: outbound, 3: two-way)"
	    Wscript.Echo "Trust type: " &  trust.TrustType
	    Wscript.Echo "(1: downlevel, 2: uplevel, 3: realm, 4: DCE)"
	    Wscript.Echo "Trust attributes: " &  trust.TrustAttributes
	    Wscript.Echo "(1: nontransitive, 2: up-level clients only,"
	    Wscript.Echo " 4: tree parent, 8: tree root)"
	    Wscript.Echo "Trusted domain controller name: " &  trust.TrustedDCName

If the domain is configured with a two-way external trust with the barcelona.corp domain, running this script from would produce the following output:

	Microsoft (R) Windows Script Host Version 5.6
	Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

	Trusted domain: barcelona.corp
	Trust direction: 3
	(1: inbound, 2: outbound, 3: two-way)
	Trust type: 2
	(1: downlevel, 2: uplevel, 3: realm, 4: DCE)
	Trust attributes: 4
	(1: nontransitive, 2: up-level clients only,
	4: tree parent, 8: tree root)
	Trusted domain controller name: \\


Using a graphical user interface

You can view the properties of a particular trust by clicking on a trust and clicking the Properties button.

Using a command-line interface

You can include the /Direct switch with netdom if you want to view only direct-trust relationships. If you don't use /Direct, implicit trusts that occur due to transitivetrust relationships will also be listed.

The ntlest command can take the following additional switches to modify the default behavior of the /domain_trusts switch:


Returns only the domain that the computer account you're running nltest from belongs to


Returns domains that are in the same forest as the primary domain


Returns only those domains that are trusted by the primary domain


Returns only those domains that trust the primary domain


Displays domain SIDs and GUIDs

Using VBScript

The script listed in this recipe uses the TrustMon WMI provider, which is only available in Windows Server 2003. For Windows 2000 domain controllers, you can use the following script as an alternative:

	' This code prints the  
trusts for the specified domain.
	strDomain = "<DomainDNSName>" ' e.g.
	' ------ END CONFIGURATION ---------

	' Trust Direction Constants taken from NTSecAPI.h
	set objTrustDirectionHash = CreateObject("Scripting.Dictionary")
	objTrustDirectionHash.Add "DIRECTION_DISABLED", 0
	objTrustDirectionHash.Add "DIRECTION_INBOUND", 1
	objTrustDirectionHash.Add "DIRECTION_OUTBOUND", 2
	objTrustDirectionHash.Add "DIRECTION_BIDIRECTIONAL", 3

	' Trust Type Constants - taken from NTSecAPI.h
	set objTrustTypeHash = CreateObject("Scripting.Dictionary")
	objTrustTypeHash.Add "TYPE_DOWNLEVEL", 1
	objTrustTypeHash.Add "TYPE_UPLEVEL", 2
	objTrustTypeHash.Add "TYPE_MIT", 3
	objTrustTypeHash.Add "TYPE_DCE", 4

	' Trust Attribute Constants - taken from NTSecAPI.h
	set objTrustAttrHash = CreateObject("Scripting.Dictionary")
	objTrustAttrHash.Add "ATTRIBUTES_UPLEVEL_ONLY", 2
	objTrustAttrHash.Add "ATTRIBUTES_WITHIN_FOREST", 32

	set objRootDSE = GetObject("LDAP://" &  strDomain &  "/RootDSE")
	set objTrusts = GetObject("LDAP://cn=System," &  _
	                           objRootDSE.Get("defaultNamingContext") )

	objTrusts.Filter = Array("trustedDomain")
	Wscript.Echo "Trusts for " &  strDomain &  ":"

	for each objTrust in objTrusts

	  for each strFlag In objTrustDirectionHash.Keys
	     if objTrustDirectionHash(strFlag) = objTrust.Get("trustDirection") then
	         strTrustInfo = strTrustInfo &  strFlag &  " "
	     end If

	  for each strFlag In objTrustTypeHash.Keys
	     if objTrustTypeHash(strFlag) = objTrust.Get("trustType") then
	         strTrustInfo = strTrustInfo &  strFlag &  " "
	     end If

	  for each strFlag In objTrustAttrHash.Keys
	     if objTrustAttrHash(strFlag) = objTrust.Get("trustAttributes") then
	        strTrustInfo = strTrustInfo &  strFlag &  " "
	     end If

	  WScript.Echo " " &  objTrust.Get("trustPartner") &  " : " &  strTrustInfo
	  strTrustInfo = ""

See Also

The "Introduction" of this chapter for attributes of trustedDomain objects, Recipe 2.20 for another way to query trusts programmatically, MS KB 228477 (How to Determine Trust Relationship Configurations), and MSDN: TRUSTED_DOMAIN_ INFORMATION_EX

 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows