Windows Security Log Event ID 620

Operating Systems Windows Server 2000
Windows 2003 and XP
CategoryPolicy Change
Type Success
Corresponding events
in Windows 2008
and Vista

620: Trusted Domain Information Modified

On this page

This event varies depending on the OS.


It appears this event only gets logged upon trust additions, not removals. A better set of events to use are 610 and 611. The DC logs this event for both new trusted and trusting domains. There is no way to make a distinction.


Logged when an existing trust's properties are modified. For instance, turning on transitivity. Applies to trusted and trusting trust relationships.
See also event IDs 610 and 611.

Free Security Log Resources by Randy

Description Fields in 620

  • Trusted Domain Information Modified:
  • Domain Name: %1
  • Domain ID: %2
  • Modified By:
  • User Name: %3
  • Domain:  %4
  • Logon ID: %5

     Windows Server 2003 adds the following:

  • Trust Type: %6
  • Trust Direction: %7
  • Trust Attributes: %8
  • SID Filtering: %9


Setup PowerShell Audit Log Forwarding in 4 Minutes


Examples of 620


Trusted Domain Information Modified:
Domain Name:Europe
Domain ID:-
Modified By:
User Name:administrator
Logon ID:(0x0,0x804C2)


Trusted Domain Information Modified:
Domain Name: -
Domain ID: -
Modified By:
User Name: administrator
Domain: ELM
Logon ID: (0x0,0x1281A)
Trust Type: -
Trust Direction: -
Trust Attributes: 0
SID Filtering: Disabled

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources