Understanding Windows NT trust relationships

Windows NT trust relationships may be one of the most misunderstood concepts in Windows NT. In this article, Brien Posey explains trust relationships in plain English.

Judging by some of the e-mail that I get, it’s fair to say that Windows NT trust relationships are one of the most misunderstood concepts in Windows NT. In this article, I’ll explain trust relationships in plain English to help you understand them better.

What’s a trust relationship?
A trust relationship is nothing more than an agreement between two Windows NT domains. The agreement lets one domain accept the user accounts of the other, so that users from one domain can be granted access to resources in a different domain, as long as the Administrator of the domain that owns the resource allows them to do so. For example, a trust relationship might be used to allow users in domain B to use a printer or a mail server that's located in domain A.

Trusting a domain
The domain that owns the resource the other domain wants to use is called the trusting domain. If someone in domain B wants to use a printer in domain A, the Administrator of domain A must agree to trust the accounts from domain B. Therefore, domain A is doing the trusting.

The trusted domain
The domain containing the users who need access to a resource in a foreign domain is called the trusted domain, because its accounts are trusted by the Administrator of the resource domain. If you have trouble remembering the difference, just keep in mind that the trusted domain always contains the users and the trusting domain always contains the resources. One silly, but effective, way to remember this is that the word trusted ends in the letters ed, and Ed could be a username within a trusted domain. Keep in mind too that a trust runs in one direction only: if domain A trusts domain B, users from domain B can be given access in domain A, but users from domain A get nothing in domain B unless domain B sets up a trust of its own.

Two-way trusts
If you have a situation in which users in both domains need to access resources in both domains, you can establish a two-way trust. In Windows NT 4 a two-way trust is simply two one-way trusts, one in each direction, and each of them has to be set up separately. Once both are in place, users in either domain may be granted access to resources in either domain. For example, a user in domain A could access resources in domain A and domain B. Likewise, a user in domain B could access resources in domain B and domain A.

Transitive trusts
A trust is transitive when it is passed along to the domains that the trusted domain itself trusts, so that more than two domains become involved. For example, suppose domain A trusts domain B, and domain B trusts domain C. With transitive trusts, domain A therefore also trusts domain C: users from domain C can be granted access to resources in domain A even though no trust between A and C was ever created directly.

In Windows NT 4, transitive trusts don't exist. It's still possible to create such an arrangement, but domain A would have to establish separate trust relationships with domain B and with domain C. Windows 2000 supports transitive trusts, but only within a forest: the trusts that Active Directory creates automatically between the domains of one forest are two-way and transitive, while trusts created by hand to Windows NT 4 domains or to domains in another forest remain one-way and non-transitive. Within a forest, then, every domain effectively trusts every other domain, so be careful who you trust, because you also trust whoever they trust.

What about security?
The thought of opening your domain up to another domain may sound scary at first, but remember that as an Administrator, you remain in control of the resources in your own domain. Simply establishing a trust relationship doesn't give anyone rights to anything. For anyone from the foreign domain to access a resource on your system, you must grant them rights to do so, in the same way that you would grant rights to a user within your domain. Two things are worth remembering, though. First, in Windows NT the Everyone group includes the users of every trusted domain, so any resource whose permissions grant access to Everyone (the default permission on a newly created share) is open to the trusted domain as soon as the trust exists; grant access to specific groups instead. Second, by trusting a domain you are trusting its Administrators and its account database: any account they create can be granted rights on your side, and if their domain is compromised, so is every right you have granted to its accounts.
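The direction, two-way and transitivity rules from the sections above, together with the point that a trust by itself grants no rights while Everyone reaches across a trust, can be checked with a small model. The following is an added example written for this article, not Windows code and not the author's: there are no SIDs, deny entries or local-group nesting, the domain names and accounts are made up, and an ACL is just the set of principals it grants access to.

```python
"""Toy model of Windows NT style domain trusts and the access check that follows.

Added illustration, not Windows code: only the direction rule (the trusting
domain owns the resource, the trusted domain owns the account), two-way trust
as a pair of one-way trusts, transitivity as a switch, and an ACL check in
which the Everyone group spans every trusted domain. Domain names are made up.
"""
from collections import deque


class TrustMap:
    """Directed trusts: (trusting, trusted) means the trusting domain will
    accept accounts from the trusted domain."""

    def __init__(self, transitive=False):
        self.transitive = transitive  # False models NT 4, True a 2000 forest
        self.trusts = set()

    def add_one_way(self, trusting, trusted):
        self.trusts.add((trusting, trusted))

    def add_two_way(self, a, b):
        # A two-way trust is just two one-way trusts, one in each direction.
        self.add_one_way(a, b)
        self.add_one_way(b, a)

    def trusted_by(self, resource_domain):
        """Domains whose accounts resource_domain will accept."""
        direct = {t for r, t in self.trusts if r == resource_domain}
        if not self.transitive:
            return direct
        # Transitive: keep following trusting -> trusted edges.
        reached, queue = set(), deque(direct)
        while queue:
            d = queue.popleft()
            if d in reached:
                continue
            reached.add(d)
            queue.extend(t for r, t in self.trusts if r == d)
        reached.discard(resource_domain)  # a domain trusts itself implicitly
        return reached

    def accepts(self, resource_domain, account_domain):
        return (account_domain == resource_domain
                or account_domain in self.trusted_by(resource_domain))


def can_access(trust_map, resource_domain, acl, account, groups=()):
    """True if `account` (DOMAIN\\name) can use a resource in resource_domain
    whose ACL grants access to the principals listed in `acl`.

    Step 1 is the trust check: without a trust in the right direction the
    account cannot even be authenticated by resource_domain.
    Step 2 is the ordinary ACL check; Everyone matches any authenticated
    account, including accounts from trusted domains.
    """
    account_domain = account.split("\\", 1)[0]
    if not trust_map.accepts(resource_domain, account_domain):
        return False
    principals = {account, *groups, "Everyone"}
    return bool(principals & set(acl))


def demo():
    # Constructed scenario: A trusts B and B trusts C, one-way each.
    nt4 = TrustMap(transitive=False)
    nt4.add_one_way("DOMAINA", "DOMAINB")
    nt4.add_one_way("DOMAINB", "DOMAINC")
    w2k = TrustMap(transitive=True)
    w2k.trusts = set(nt4.trusts)  # same trusts, transitive rules

    printer_acl = {"DOMAINA\\PrintUsers", "DOMAINB\\Engineers"}
    open_share_acl = {"Everyone"}  # the NT 4 default on a new share
    return {
        # A trusts B, so B's users reach A's printer once an ACL grants them
        "b_user_on_a_printer": can_access(
            nt4, "DOMAINA", printer_acl, "DOMAINB\\ed", {"DOMAINB\\Engineers"}),
        # the reverse direction is not covered by a one-way trust
        "a_user_on_b_share": can_access(
            nt4, "DOMAINB", open_share_acl, "DOMAINA\\alice"),
        # the trust alone grants nothing: ed is not on this ACL
        "trusted_but_not_granted": can_access(
            nt4, "DOMAINA", {"DOMAINA\\PrintUsers"}, "DOMAINB\\ed"),
        # Everyone spans every trusted domain's users
        "everyone_spans_trust": can_access(
            nt4, "DOMAINA", open_share_acl, "DOMAINB\\ed"),
        # C's users: no path under NT 4, reachable once trusts are transitive
        "c_user_nt4": can_access(nt4, "DOMAINA", open_share_acl, "DOMAINC\\carol"),
        "c_user_w2k": can_access(w2k, "DOMAINA", open_share_acl, "DOMAINC\\carol"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Running it shows the two points side by side: `trusted_but_not_granted` is denied even though the trust exists, while `everyone_spans_trust` is allowed with no explicit grant at all, and `c_user_w2k` is the only case in which the third domain gets through.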

In this article, I’ve tried to simplify the concept of Windows NT trusts. I also explained the various types of trusts and how they work.

Brien M. Posey is an MCSE and works as a freelance technical writer and as a network engineer for the Department of Defense. If you’d like to contact Brien, send him an e-mail. (Because of the large volume of e-mail he receives, it's impossible for him to respond to every message. However, he does read them all.)

The authors and editors have taken care in preparation of the content contained herein, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.
