2.2.1.5 LSA Trust Record Flags

Article
04/23/2024

This section provides a cross reference of Flag values with associated descriptions of the Forest record types that use such Flag values.<17>

Note Some flag values are reused for different forest record types. See the Meaning column for more information.

Value	Meaning
LSA_TLN_DISABLED_NEW 0x00000001	The top-level name trust record is disabled during initial creation. Note This flag MUST be used with forest trust records of type ForestTrustTopLevelName or ForestTrustTopLevelNameEx only (section 2.2.7.21).
LSA_TLN_DISABLED_ADMIN 0x00000002	The top-level name trust record is disabled by the Domain administrator. Note This flag MUST be used with forest trust records of type ForestTrustTopLevelName or ForestTrustTopLevelNameEx only (section 2.2.7.21).
LSA_TLN_DISABLED_CONFLICT 0x00000004	The top-level name trust record is disabled due to a conflict. Note This flag MUST be used with forest trust records of type ForestTrustTopLevelName or ForestTrustTopLevelNameEx only (section 2.2.7.21).
LSA_SID_DISABLED_ADMIN 0x00000001	The Domain information trust record is disabled by the domain administrator. Note This flag MUST be used with a forest trust record of type ForestTrustDomainInfo only (section 2.2.7.24).
LSA_SID_DISABLED_CONFLICT 0x00000002	The domain information trust record is disabled due to a conflict. Note This flag MUST be used with a forest trust record of type ForestTrustDomainInfo only (section 2.2.7.24).
LSA_NB_DISABLED_ADMIN 0x00000004	The domain information trust record is disabled by the domain administrator. Note This flag MUST be used with a forest trust record of type ForestTrustDomainInfo only (section 2.2.7.24).
LSA_NB_DISABLED_CONFLICT 0x00000008	The domain information trust record is disabled due to a conflict. Note This flag MUST be used with a forest trust record of type ForestTrustDomainInfo only (section 2.2.7.24).
LSA_FTRECORD_DISABLED_REASONS 0x0000FFFF	The domain information trust record is disabled. Note This set of flags is reserved; for current and future reasons, the trust is disabled.
LSA_SCANNER_INFO_DISABLE_AUTH_TARGET_VALIDATION (0x00000001)	Domain name validation during NTLM pass-through authentication is disabled. This flag can be set and queried on ForestTrustScannerInfo records (sections 2.2.7.22 and 2.2.7.31), but otherwise MUST be ignored.

Value

Meaning

LSA_TLN_DISABLED_NEW

0x00000001

The top-level name trust record is disabled during initial creation.

Note This flag MUST be used with forest trust records of type ForestTrustTopLevelName or ForestTrustTopLevelNameEx only (section 2.2.7.21).

LSA_TLN_DISABLED_ADMIN

0x00000002

The top-level name trust record is disabled by the Domain administrator.

Note This flag MUST be used with forest trust records of type ForestTrustTopLevelName or ForestTrustTopLevelNameEx only (section 2.2.7.21).

LSA_TLN_DISABLED_CONFLICT

0x00000004

The top-level name trust record is disabled due to a conflict.

Note This flag MUST be used with forest trust records of type ForestTrustTopLevelName or ForestTrustTopLevelNameEx only (section 2.2.7.21).

LSA_SID_DISABLED_ADMIN

0x00000001

The Domain information trust record is disabled by the domain administrator.

Note This flag MUST be used with a forest trust record of type ForestTrustDomainInfo only (section 2.2.7.24).

LSA_SID_DISABLED_CONFLICT

0x00000002

The domain information trust record is disabled due to a conflict.

Note This flag MUST be used with a forest trust record of type ForestTrustDomainInfo only (section 2.2.7.24).

LSA_NB_DISABLED_ADMIN

0x00000004

The domain information trust record is disabled by the domain administrator.

Note This flag MUST be used with a forest trust record of type ForestTrustDomainInfo only (section 2.2.7.24).

LSA_NB_DISABLED_CONFLICT

0x00000008

The domain information trust record is disabled due to a conflict.

Note This flag MUST be used with a forest trust record of type ForestTrustDomainInfo only (section 2.2.7.24).

LSA_FTRECORD_DISABLED_REASONS

0x0000FFFF

The domain information trust record is disabled.

Note This set of flags is reserved; for current and future reasons, the trust is disabled.

LSA_SCANNER_INFO_DISABLE_AUTH_TARGET_VALIDATION

(0x00000001)

Domain name validation during NTLM pass-through authentication is disabled.

This flag can be set and queried on ForestTrustScannerInfo records (sections 2.2.7.22 and 2.2.7.31), but otherwise MUST be ignored.

Share via

2.2.1.5 LSA Trust Record Flags

Additional resources