IT Operations & Cybersecurity Encyclopedia

Active Directory trusts security guide

Active Directory trusts can extend authentication and authorization across domains, forests, acquisitions, legacy environments, and business partners. They are useful, but they also create identity paths that must be reviewed, documented, monitored, and cleaned up when no longer needed.

Forest trusts, domain trusts, direction, transitivity, SID filtering, and selective authenticationPrivileged access, legacy domains, mergers, applications, service accounts, and audit evidenceTrust cleanup, monitoring, cyber insurance, and identity risk review

Why it matters

Treat trusts as identity risk paths

A trust is not just a directory setting. It changes which identities may be recognized across a boundary and which resources may become reachable through group membership, ACLs, applications, or administrative paths. Old migration trusts and acquisition trusts can quietly remain long after the business need has ended.

A professional trust review maps each trust to its business purpose, direction, transitivity, authentication scope, SID filtering, resource dependencies, privileged access impact, monitoring, and retirement plan. The goal is to avoid invisible access paths while preserving legitimate application and business workflows.

Practical rule: Do not keep an Active Directory trust unless the owner, business purpose, direction, authentication scope, resource impact, monitoring, and review date are documented.

Review scope

What an AD trust review should cover

Trust inventory

Identify every trust, direction, type, transitivity, owner, purpose, and current business dependency.

Authentication scope

Review selective authentication, SID filtering, name suffix routing, and cross-forest logon behavior.

Privileged paths

Check whether trusted identities can reach privileged groups, admin shares, servers, applications, or sensitive data.

Network and DNS

Validate DNS forwarding, firewall rules, DC reachability, routing, and monitoring dependencies.

Legacy cleanup

Retire migration, merger, application, and vendor trusts that no longer have a clear owner.

Evidence

Preserve trust exports, owner approvals, risk decisions, remediation tickets, and monitoring evidence.

Review matrix

Active Directory trust decision matrix

AreaWhat to verifyQuestions to answerEvidence
Forest trustTwo forests need broad identity interoperability.Document business owner, direction, selective authentication, SID filtering, DNS, and privileged impact.Can trusted users reach sensitive resources?
Migration trustA trust was created for migration or consolidation.Set an expiration plan, track remaining dependencies, and remove when migration is complete.What still depends on this trust?
Legacy application dependencyAn application authenticates users across domains or forests.Map users, groups, service accounts, DNS, and resource ACLs before changing the trust.Who owns the application validation?
Partner or vendor accessExternal identity needs access to internal resources.Prefer narrow scope, strong monitoring, explicit owner approval, and periodic recertification.Is a trust the safest access model?
Unknown trustNo current owner can explain the trust.Investigate logs and dependencies, restrict where possible, and create a retirement or risk acceptance plan.Why is this trust still active?

Step-by-step review

AD trust security review runbook

1

Export trust inventory

Collect trust names, directions, types, transitivity, attributes, name suffix routing, validation status, and creation context.

2

Map business dependencies

Identify applications, file shares, service accounts, groups, administrators, DNS, and network rules that depend on each trust.

3

Review security settings

Check SID filtering, selective authentication, privileged access paths, cross-forest groups, and resource ACLs.

4

Validate monitoring

Review authentication logs, failed access, group changes, privileged activity, and alert ownership.

5

Remediate and retire

Remove stale trusts, narrow broad access, document exceptions, and test business workflows after changes.

6

Save evidence

Store exports, approvals, risk notes, tickets, before/after results, and next review dates.

Common risks

Common AD trust security mistakes

Trusts left after migration

Temporary migration trusts can become permanent attack paths if not retired.

No owner

Trusts without owners are difficult to approve, monitor, or remove safely.

Broad authentication

Authentication scope should be reviewed so trusted identities do not reach more resources than intended.

Privileged path missed

Nested groups and resource ACLs can create indirect administrative access.

DNS dependency ignored

Trust health often depends on DNS, routing, firewall rules, and domain controller reachability.

No logging review

Cross-domain authentication and privileged changes need monitoring and evidence.

Related support

Where IT Perfection can help

IT Perfection can help review and document AD trusts through managed IT, Microsoft infrastructure support, DNS review, server administration, monitoring, and migration planning.

For identity security, privileged access, M&A risk, cyber insurance, and audit concerns, OC Security Audit can validate trust risk through cybersecurity audit and risk assessment services.

Created by Ali Hassani, CISO

Active Directory trust security perspective from Ali Hassani

Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.

This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.

Trusts should be visible, justified, and monitored

Ali Hassani, CISO and IT infrastructure consultant, has 25+ years of experience across Active Directory, Microsoft infrastructure, identity security, mergers and migrations, compliance auditing, and managed IT. AD trusts should be treated as controlled identity pathways.

FAQ

Active Directory trusts FAQ

What is an Active Directory trust?

A trust allows identities from one domain or forest to be recognized by another domain or forest according to the trust configuration.

Why are old migration trusts risky?

They may continue allowing authentication or access long after the migration business need has ended.

What should be reviewed for each trust?

Review owner, purpose, direction, transitivity, authentication scope, SID filtering, DNS, network rules, resource access, and monitoring.

Should every trust be removed?

No. Some trusts are legitimate, but every trust should have a current business purpose and review evidence.

Can IT Perfection help review AD trusts?

Yes. IT Perfection can help inventory trusts, map dependencies, coordinate cleanup, and document ongoing review.