LsarDeleteTrustedDomain (Opnum 41)

The LsarDeleteTrustedDomain method is invoked to delete a trusted domain object (TDO).

 NTSTATUS LsarDeleteTrustedDomain(
   [in] LSAPR_HANDLE PolicyHandle,
   [in] PRPC_SID TrustedDomainSid
 );
PolicyHandle: An RPC context handle obtained from either LsarOpenPolicy or LsarOpenPolicy2.

TrustedDomainSid: The SID (an RPC_SID) of the TDO to be deleted.

Return Values: The following is a summary of the return values that an implementation MUST return, as specified by the message processing that follows.

Return value/code                          Description

STATUS_SUCCESS                             The request was successfully completed.

STATUS_ACCESS_DENIED                       The caller does not have the permissions to perform this operation.

STATUS_NO_SUCH_DOMAIN                      The specified TDO does not exist.

STATUS_INVALID_PARAMETER                   One or more of the supplied parameters was invalid.

STATUS_INVALID_HANDLE                      PolicyHandle is not a valid handle.

STATUS_DIRECTORY_SERVICE_REQUIRED          The Active Directory service was not available on the server.

STATUS_USER_DELETE_TRUST_QUOTA_EXCEEDED    The caller's quota for the maximum allowed number of deleted TDOs is exceeded.


If Active Directory is not running on this machine, the server MUST return STATUS_DIRECTORY_SERVICE_REQUIRED.

If the number of deleted TDOs that were created by the caller through the control access right Create-Inbound-Trust (defined in [MS-ADTS] section) exceeds the value in the msDS-PerUserTrustTombstonesQuota attribute of the domain naming context (domain NC) root object (defined in [MS-ADTS] section), the server MUST return STATUS_USER_DELETE_TRUST_QUOTA_EXCEEDED. For the syntax of the msDS-PerUserTrustTombstonesQuota attribute, refer to [MS-ADA2] section 2.424. The server MUST enforce the quota check only for TDOs created through the control access right Create-Inbound-Trust, and only if the caller is the creator of that TDO.

This message takes two arguments:

PolicyHandle: An open handle to the policy object. If the handle is not a valid context handle to the policy object or PolicyHandle.HandleType does not equal "Policy", the server MUST return STATUS_INVALID_HANDLE. The server MUST verify that PolicyHandle grants access as specified in section with RequiredAccess set to TRUSTED_QUERY_DOMAIN_NAME | DELETE.

TrustedDomainSid: The SID of a TDO to be deleted. The server MUST verify that the caller has supplied a valid domain SID for this parameter and fail the request with STATUS_INVALID_PARAMETER if the check fails. The server MUST verify that a TDO with this SID exists in its policy database and fail the request with STATUS_NO_SUCH_DOMAIN otherwise.

If the server is a read-only domain controller, it MUST return an error.<99>

The server MUST also check whether a secret with name "G$$<Trusted Domain Name>" exists or not. If it exists, the server MUST delete that secret along with the trusted domain.

The server MUST also check whether an interdomain trust account with name "<Trusted Domain NetBIOS Name>$" exists. If it exists, the server MUST delete that account along with the trusted domain.
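The processing rules above, collapsed into one executable reference model (added here; this is not the specification's or any implementation's code). The Tdo and LsaServer classes, the string status names, the simplified domain-SID pattern, the placeholder for the unnamed read-only DC error and the "would this deletion push the count past the quota" arithmetic are all modelling assumptions.

```python
import re
from dataclasses import dataclass, field

DOMAIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")  # simplified domain-SID shape (assumption)

@dataclass
class Tdo:                      # constructed model of a trusted domain object
    name: str                   # trusted domain name, used for the "G$$<name>" secret
    netbios: str                # NetBIOS name, used for the "<netbios>$" trust account
    creator: str                # caller that created the TDO
    inbound: bool               # created through Create-Inbound-Trust?

@dataclass
class LsaServer:
    ad_running: bool = True
    read_only_dc: bool = False
    tombstone_quota: int = 1                        # msDS-PerUserTrustTombstonesQuota
    handles: dict = field(default_factory=dict)     # handle -> (HandleType, granted rights)
    tdos: dict = field(default_factory=dict)        # SID -> Tdo
    secrets: set = field(default_factory=set)
    accounts: set = field(default_factory=set)
    tombstones: list = field(default_factory=list)  # deleted TDOs, in deletion order

    def delete_trusted_domain(self, caller, policy_handle, trusted_domain_sid):
        if not self.ad_running:
            return "STATUS_DIRECTORY_SERVICE_REQUIRED"
        htype, rights = self.handles.get(policy_handle, (None, set()))
        if htype != "Policy":
            return "STATUS_INVALID_HANDLE"
        if not {"TRUSTED_QUERY_DOMAIN_NAME", "DELETE"} <= rights:
            return "STATUS_ACCESS_DENIED"
        if not DOMAIN_SID.match(trusted_domain_sid):
            return "STATUS_INVALID_PARAMETER"
        tdo = self.tdos.get(trusted_domain_sid)
        if tdo is None:
            return "STATUS_NO_SUCH_DOMAIN"
        if self.read_only_dc:
            return "RODC_ERROR_PLACEHOLDER"  # the spec text says only "an error" <99>
        # Quota applies only to TDOs created via Create-Inbound-Trust by this caller;
        # modelled as: this deletion would push the caller's tombstone count past the quota.
        if tdo.inbound and tdo.creator == caller:
            mine = sum(1 for t in self.tombstones if t.inbound and t.creator == caller)
            if mine + 1 > self.tombstone_quota:
                return "STATUS_USER_DELETE_TRUST_QUOTA_EXCEEDED"
        del self.tdos[trusted_domain_sid]
        self.secrets.discard("G$$" + tdo.name)     # companion secret, if present
        self.accounts.discard(tdo.netbios + "$")   # interdomain trust account, if present
        self.tombstones.append(tdo)
        return "STATUS_SUCCESS"
```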