This event is logged for modifications to trust relationships connecting to this domain. While the description says "Trusted" this event applies to both trusted and trusting relationships as documented by Trust Information.
Subject:
The ID and logon session of the user that excercised modified the trust.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Trusted Domain:
The other domain in this trust relationship which despite the word "Trusted" may be a trusting or trusted domain or both. See Trust Information.
- Domain Name: the DNS name of the domain
- Domain ID: the pre-Win2k (NetBIOS) name of the domain
New Trust Information:
All the information that defines the type of trust after this change, whether it is one way or mutual, transitivity, etc.
- Trust Type:
| 1 |
TRUST_TYPE_DOWNLEVEL |
The other domain is pre-Win2k (NTLM only supported) |
| 2 |
TRUST_TYPE_UPLEVEL |
The other domain is Win2k or later (Windows Kerberos supported) |
| 3 |
TRUST_TYPE_MIT |
Other domain is actually an MIT Kerberos Realm (probably UNIX) |
| 4 |
TRUST_TYPE_DCE |
The trusted domain is a DCE realm |
- Trust Direction:
| Disabled |
0x0 |
| Inbound |
0x1 |
| Outbound |
0x2 |
| Bidirectional |
0x3 |
- Trust Attributes: A bitwise value compromised of any of the following
- TRUST_ATTRIBUTE_NON_TRANSITIVE 1
- TRUST_ATTRIBUTE_UPLEVEL_ONLY 2
- TRUST_ATTRIBUTE_FILTER_SIDS 4
- TRUST_ATTRIBUTE_FOREST_TRANSITIVE 8
- SID Filtering: Enabled (always enabled for domains within the same forest). http://technet2.microsoft.com/windowsserver/en/library/01e5cf71-b317-4967-82a2-75b7b632b7461033.mspx?mfr=true