Remove a Trust

Applies To: Windows Server 2008

You can use Active Directory Domains and Trusts to remove trusts.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Removing a trust

  • Using the Windows interface

  • Using a command line

To remove a trust using the Windows interface

  1. Open Active Directory Domains and Trusts. To open Active Directory Domains and Trusts, click Start, click Administrative Tools, and then click Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain that contains the trust that you want to remove, and then click Properties.

  3. On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be removed, and then click Remove.

  4. Do one of the following, and then click OK:

    • Click No, remove the trust from the local domain only.

      If you select this option, we recommend that you repeat this procedure for the reciprocal domain.

    • Click Yes, remove the trust from both the local domain and the other domain.

      If you select this option, you must type a user account and password with administrative credentials for the reciprocal domain.

Additional considerations

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support.

  • It is not possible to revoke the default two-way, transitive trusts between domains in a forest. It is possible to delete explicitly created shortcut trusts.

To remove a trust using a command line

  1. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  2. Type the following command, and then press ENTER:

    netdom trust <TrustingDomainName> /d:<TrustedDomainName> /remove /UserD:<User> /PasswordD:*<Password>
    
| Parameter | Description |
| --- | --- |
| netdom trust | Manages or verifies trust relationships between domains. |
| <TrustingDomainName> | Specifies the Domain Name System (DNS) name of the trusting domain in the trust that is being removed. |
| /d: | Specifies that the DNS domain name that follows is a trusted domain. |
| <TrustedDomainName> | Specifies the DNS name of the domain that is trusted in the trust that is being removed. |
| /remove | Specifies that a trust be removed. |
| <User> | Specifies the user account with administrative credentials for the reciprocal domain. |
| /UserD: | Specifies the user account that is used to make the connection with the trusted domain. |
| /PasswordD:* | The password of the user account that is specified by /UserD. |
| <Password> | Specifies the password for the user account with administrative credentials for the reciprocal domain. |

To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type the following command, and then press ENTER:

    netdom trust | more

Additional considerations

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in AD DS, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, search for "using run as" in Help and Support. You can verify trusts for shortcut trusts, external trusts, and forest trusts but not realm trusts.
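
A check to run after either procedure above, added here as an example and not part of Microsoft's documentation: it lists the trusts on each side with the .NET System.DirectoryServices.ActiveDirectory classes and reports whether a trust object for the other domain still exists, which is what the "remove the trust from the local domain only" option leaves behind on the reciprocal domain. The function names and domain names are hypothetical placeholders, and the example assumes a domain-level trust (shortcut or external) and Windows PowerShell 2.0 or later.

```powershell
# Added example; function names and domain names are constructed placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainTrust {
    param([string]$DomainName,
          [System.Management.Automation.PSCredential]$Credential)
    $type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain
    $ctorArgs = @($type, $DomainName)
    if ($Credential) {
        # Alternate credentials are needed to query the reciprocal domain.
        $ctorArgs += $Credential.UserName
        $ctorArgs += $Credential.GetNetworkCredential().Password
    }
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList $ctorArgs
    # GetDomain throws if the domain cannot be contacted or the credentials are rejected.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    # Each entry exposes SourceName, TargetName, TrustType and TrustDirection.
    $domain.GetAllTrustRelationships()
}

function Test-TrustRemoved {
    param([string]$LocalDomain,
          [string]$PartnerDomain,
          [System.Management.Automation.PSCredential]$PartnerCredential)
    # Check both sides: a trust removed only locally still exists in the partner domain.
    $sides = @(
        @{ Domain = $LocalDomain;   Other = $PartnerDomain; Cred = $null },
        @{ Domain = $PartnerDomain; Other = $LocalDomain;   Cred = $PartnerCredential }
    )
    foreach ($side in $sides) {
        # Assumption: TargetName holds the partner's DNS name, as passed in here.
        $left = @(Get-DomainTrust -DomainName $side.Domain -Credential $side.Cred |
                  Where-Object { $_.TargetName -ieq $side.Other })
        New-Object PSObject -Property @{
            CheckedDomain = $side.Domain
            Partner       = $side.Other
            TrustRemains  = ($left.Count -gt 0)
            Direction     = ($left | ForEach-Object { $_.TrustDirection }) -join ','
        }
    }
}

# Prompt for an administrative account in the reciprocal domain.
$cred = Get-Credential
Test-TrustRemoved -LocalDomain 'corp.example.com' -PartnerDomain 'partner.example.net' `
                  -PartnerCredential $cred |
    Format-Table CheckedDomain, Partner, TrustRemains, Direction -AutoSize
```

A row with TrustRemains set to True for the reciprocal domain means the removal procedure still has to be repeated there.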