Recipe 2.22 Removing a Trust
2.22.1 Problem
You want to remove a trust. This is commonly done when the remote domain has been decommissioned or access to it is no longer required.
2.22.2 Solution
2.22.2.1 Using a graphical user interface
Open the Active Directory Domains and Trusts snap-in. In the left pane, right-click on the trusting domain and select Properties. Click the Trusts tab. Click on the domain that is associated with the trust you want to remove. Click the Remove button. Click OK.
2.22.2.2 Using a command-line interface
> netdom trust <TrustingDomain> /Domain:<TrustedDomain> /Remove /verbose[RETURN]
[/UserO:<TrustingDomainUser> /PasswordO:*][RETURN]
[/UserD:<TrustedDomainUser> /PasswordD:*]
2.22.2.3 Using VBScript
' This code deletes a trust in the specified domain.
' ------ SCRIPT CONFIGURATION ------
' Set to the DNS or NetBIOS name for the Windows 2000,
' Windows NT domain or Kerberos realm trust you want to delete.
strTrustName = "<TrustName>"
' Set to the DNS name of the source or trusting domain
strDomain = "<DomainDNSName>"
' ------ END CONFIGURATION ---------

' Look up the domain's naming context, then delete the trustedDomain
' object that lives in the System container.
set objRootDSE = GetObject("LDAP://" & strDomain & "/RootDSE")
set objTrust = GetObject("LDAP://cn=System," & _
                         objRootDSE.Get("defaultNamingContext") )
objTrust.Delete "trustedDomain", "cn=" & strTrustName

' The trust also has an interdomain trust account in the Users
' container: a user object named after the trusted domain's NetBIOS
' name with a trailing "$". Its class is user, not trustedDomain,
' so that is the class name IADsContainer.Delete must be given.
set objTrustUser = GetObject("LDAP://cn=Users," & _
                             objRootDSE.Get("defaultNamingContext") )
objTrustUser.Delete "user", "cn=" & strTrustName & "$"
WScript.Echo "Successfully deleted trust for " & strTrustName
2.22.3 Discussion
Trusts are stored in Active Directory as two objects: a trustedDomain object in the System container and a user object in the Users container. Both of these objects need to be removed when deleting a trust. The GUI and CLI solutions take care of that in one step, but in the VBScript example both objects need to be explicitly deleted. It is also worth noting that each solution only deletes one side of the trust. If the trust was to a remote AD forest or NT 4.0 domain, you also need to delete the trust in that domain.
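The two-object layout described above, as an added PowerShell example that is not the cookbook's code: it lists each trust's trustedDomain object and its companion trust account (flagging trusts whose account half is already gone), and removes both halves of one trust from the local domain with -WhatIf support. It assumes the ActiveDirectory module (RSAT); Get-TrustObjectPair, Remove-TrustPair and child.example.com are this example's own names.

```powershell
# Added example (not the cookbook's code). Assumes the ActiveDirectory module
# and delete rights on the System and Users containers of the trusting domain.
Import-Module ActiveDirectory

function Get-TrustObjectPair {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dom = Get-ADDomain -Identity $Domain
    # Half one: the trustedDomain object in CN=System
    $trusts = Get-ADObject -Server $Domain -SearchBase $dom.SystemsContainer `
        -LDAPFilter '(objectClass=trustedDomain)' `
        -Properties flatName, trustPartner, trustDirection
    foreach ($t in $trusts) {
        # Half two: the interdomain trust account in CN=Users, a user object
        # named <NetBIOS name>$ and flagged INTERDOMAIN_TRUST_ACCOUNT (0x800)
        $acct = Get-ADObject -Server $Domain -SearchBase $dom.UsersContainer `
            -LDAPFilter "(&(sAMAccountName=$($t.flatName)`$)(userAccountControl:1.2.840.113556.1.4.803:=2048))"
        $acctDn = if ($acct) { $acct.DistinguishedName } else { $null }
        [pscustomobject]@{
            TrustedDomain  = $t.trustPartner
            FlatName       = $t.flatName
            Direction      = (@{1='Inbound';2='Outbound';3='Bidirectional'})[[int]$t.trustDirection]
            TrustObjectDN  = $t.DistinguishedName
            TrustAccountDN = $acctDn
            Orphaned       = -not $acct   # trustedDomain object whose account half is missing
        }
    }
}

function Remove-TrustPair {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TrustName,   # DNS or NetBIOS name of the trusted domain
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $pair = Get-TrustObjectPair -Domain $Domain |
        Where-Object { $_.TrustedDomain -eq $TrustName -or $_.FlatName -eq $TrustName }
    if (-not $pair) { throw "No trust named '$TrustName' in $Domain" }
    # Delete both objects. Only the local side is touched: the partner
    # domain keeps its own half until the trust is removed there as well.
    foreach ($dn in @($pair.TrustObjectDN, $pair.TrustAccountDN) | Where-Object { $_ }) {
        if ($PSCmdlet.ShouldProcess($dn, 'Remove')) {
            Remove-ADObject -Server $Domain -Identity $dn -Confirm:$false
        }
    }
}

# Get-TrustObjectPair | Format-Table                       # audit, including orphaned halves
# Remove-TrustPair -TrustName child.example.com -WhatIf    # dry run before the real removal
```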