ANAVEM

Windows Event ID 4908 – Security: Trusted Domain Information Changed

Event ID 4908 indicates that trusted domain information has been modified on a domain controller, typically during domain trust establishment, modification, or removal operations.

Emanuel DE ALMEIDA
18 March 2026, 9 min read
Event Reference

What This Event Means

Windows Event ID 4908 represents a security audit event that documents changes to trusted domain information within Active Directory environments. When domain administrators modify trust relationships between domains or forests, the domain controller's Local Security Authority subsystem logs this event to maintain an audit trail of trust configuration changes.

The event contains structured data including the trusted domain name, trust type (external, forest, shortcut, or realm), trust direction (inbound, outbound, or bidirectional), and the security identifier of the account that initiated the change. This information proves essential for security teams monitoring unauthorized trust modifications that could compromise domain security.

Trust relationships enable users in one domain to access resources in another domain without requiring separate credentials. However, these relationships also create potential attack vectors if misconfigured or compromised. Event ID 4908 helps administrators track when these critical security boundaries are modified, supporting both operational transparency and incident response activities.

The event fires during various trust-related operations including trust creation through the New-ADTrust PowerShell cmdlet, trust removal via Remove-ADTrust, trust validation operations, and trust property modifications. Understanding this event helps administrators maintain secure cross-domain authentication while ensuring proper audit trails for compliance requirements.

Applies to

Windows Server 2019, Windows Server 2022, Windows Server 2025
Analysis

Possible Causes

  • Administrator creating new domain trusts using Active Directory Domains and Trusts console
  • PowerShell cmdlets like New-ADTrust, Set-ADTrust, or Remove-ADTrust modifying trust relationships
  • Netdom trust command-line operations establishing or removing trusts
  • Automated trust validation processes updating trust properties
  • Forest migration tools modifying trust configurations during domain restructuring
  • Group Policy changes affecting trust authentication settings
  • Trust relationship repairs following domain controller recovery operations
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4908 to understand what trust change occurred.

  1. Open Event Viewer on the domain controller
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4908 using the filter option
  4. Double-click the event to view detailed information
  5. Review the event data including:
    • Trusted Domain Name
    • Trust Type and Direction
    • Subject (who made the change)
    • Process Information

Use PowerShell to query recent 4908 events:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4908} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

For detailed event parsing:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4908} -MaxEvents 5 | ForEach-Object { [xml]$xml = $_.ToXml(); $xml.Event.EventData.Data }
02

Verify Current Trust Relationships

Confirm the current state of domain trusts to validate the changes recorded in Event ID 4908.

  1. Open Active Directory Domains and Trusts console
  2. Right-click your domain and select Properties
  3. Click the Trusts tab to view current trust relationships
  4. Verify trust direction, type, and status

Use PowerShell to enumerate all domain trusts:

Get-ADTrust -Filter * -Properties Created, Modified | Select-Object Name, Direction, TrustType, Created, Modified | Format-Table -AutoSize

For detailed trust information:

Get-ADTrust -Filter * -Properties Created, Modified | Select-Object Name, Direction, TrustType, TrustAttributes, Created, Modified

Test trust connectivity:

Test-ComputerSecureChannel -Verbose
Pro tip: Use nltest /trusted_domains to quickly list all trusted domains from the command line.
03

Analyze Trust Authentication Logs

Examine related authentication events to understand the impact of trust changes on user authentication.

  1. In Event Viewer, navigate to Windows Logs > Security
  2. Filter for authentication-related events:
    • Event ID 4624 (successful logon)
    • Event ID 4625 (failed logon)
    • Event ID 4768 (Kerberos TGT requested)
    • Event ID 4769 (Kerberos service ticket requested)
  3. Look for events involving the trusted domain users

Query cross-domain authentication events:

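$StartTime = (Get-Date).AddHours(-24)
$TrustedDomain = 'PARTNER'   # placeholder: NetBIOS or DNS name of the trusted domain to look for
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4768,4769; StartTime=$StartTime}
# Keep only events whose text mentions the trusted domain
$Events | Where-Object {$_.Message -like "*$TrustedDomain*"} | Format-Table TimeCreated, Id, Message -Wrap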

Check for trust-related failures:

Get-WinEvent -FilterHashtable @{LogName='System'; Id=5805,5723} -MaxEvents 10 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
Warning: Trust authentication failures can indicate trust relationship problems that may require immediate attention.
04

Validate Trust Security Settings

Examine trust security configurations to ensure proper authentication and authorization settings.

  1. Open Active Directory Domains and Trusts
  2. Right-click the domain and select Properties
  3. Go to the Trusts tab
  4. Select a trust and click Properties
  5. Review authentication settings and SID filtering options

Check trust authentication policies using PowerShell:

Get-ADTrust -Filter * | ForEach-Object {
    $Trust = $_
    Write-Host "Trust: $($Trust.Name)" -ForegroundColor Green
    Write-Host "Direction: $($Trust.Direction)"
    Write-Host "Type: $($Trust.TrustType)"
    Write-Host "SID Filtering (quarantined): $($Trust.SIDFilteringQuarantined)"
    Write-Host "SID Filtering (forest aware): $($Trust.SIDFilteringForestAware)"
    Write-Host "Selective Auth: $($Trust.SelectiveAuthentication)"
    Write-Host "---"
}

Verify trust validation status:

Get-ADTrust -Filter * | ForEach-Object {
    $TrustName = $_.Name
    # Check the Netlogon secure channel to the trusted domain; a non-zero exit code means the check failed
    $Output = nltest "/sc_verify:$TrustName" 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Trust $TrustName validation: SUCCESS" -ForegroundColor Green
    } else {
        Write-Host "Trust $TrustName validation: FAILED - $($Output -join ' ')" -ForegroundColor Red
    }
}
05

Monitor Trust Changes with Advanced Auditing

Implement comprehensive monitoring for future trust modifications to maintain security oversight.

  1. Open Group Policy Management Console
  2. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration
  3. Expand Account Management
  4. Configure Audit User Account Management for Success and Failure
  5. Apply the policy to domain controllers

Enable detailed trust auditing via registry:

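# AuditBaseObjects backs the "Audit: Audit the access of global system objects" security option
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
Set-ItemProperty -Path $RegPath -Name "AuditBaseObjects" -Value 1 -Type DWord
# Restarting NTDS takes Active Directory Domain Services on this domain controller offline until the service is back up
Restart-Service -Name "NTDS" -Force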

Create a PowerShell monitoring script:

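# Register the event source once so Write-EventLog can use it (requires elevation)
if (-not [System.Diagnostics.EventLog]::SourceExists('TrustMonitor')) {
    [System.Diagnostics.EventLog]::CreateEventSource('TrustMonitor', 'Application')
}
$ScriptBlock = {
    # Only read the window since the previous run so the same event is not reported every five minutes
    $Filter = @{LogName='Security'; Id=4908; StartTime=(Get-Date).AddMinutes(-5)}
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
        $Message = "Trust change detected at $($_.TimeCreated): $($_.Message)"
        Write-EventLog -LogName Application -Source 'TrustMonitor' -EntryType Warning -EventId 1001 -Message $Message
        # Add email notification or SIEM integration here
    }
}
# Pass the script as -EncodedCommand so the quotes inside it survive the task command line
$Encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($ScriptBlock.ToString()))
$Action  = New-ScheduledTaskAction -Execute 'PowerShell.exe' -Argument "-NoProfile -EncodedCommand $Encoded"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 5)
# Run as SYSTEM so the task can read the Security log without an interactive session
Register-ScheduledTask -TaskName 'MonitorTrustChanges' -Trigger $Trigger -Action $Action -User 'SYSTEM' -RunLevel Highest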
Pro tip: Consider integrating trust change monitoring with your SIEM solution for centralized security event correlation.

Overview

Event ID 4908 fires when trusted domain information is modified on a Windows domain controller. This event appears in the Security log whenever administrators establish, modify, or remove domain trusts between Active Directory forests or domains. The event captures critical security-related changes to trust relationships that affect authentication and authorization across domain boundaries.

This event typically occurs during planned domain trust operations, forest migrations, or security hardening activities. Domain controllers generate this event when the Local Security Authority (LSA) processes trust policy changes through tools like Active Directory Domains and Trusts, PowerShell cmdlets, or netdom commands.

The event provides detailed information about which trusted domain was affected, what type of change occurred, and which security principal initiated the modification. This makes it valuable for security auditing, compliance reporting, and troubleshooting cross-domain authentication issues in enterprise environments.

Frequently Asked Questions

What does Event ID 4908 mean and when does it occur?
Event ID 4908 indicates that trusted domain information has been changed on a domain controller. This event occurs whenever administrators create, modify, or remove trust relationships between Active Directory domains or forests. The event is logged in the Security log and provides details about what trust was affected, the type of change made, and which account initiated the modification. It's a normal informational event during planned trust operations but should be monitored for unauthorized changes.
How can I determine who made the trust changes recorded in Event ID 4908?
The Event ID 4908 details include subject information that identifies the security principal who initiated the trust change. In Event Viewer, expand the event details to see the Subject section containing the Security ID, Account Name, Account Domain, and Logon ID. You can also use PowerShell to parse this information: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4908} | ForEach-Object { [xml]$xml = $_.ToXml(); $xml.Event.EventData.Data | Where-Object {$_.Name -like '*Subject*'} }. This helps identify whether the change was made by an authorized administrator or potentially indicates unauthorized access.
Should I be concerned if I see multiple Event ID 4908 entries in my Security log?
Multiple Event ID 4908 entries are not necessarily concerning if they correspond to legitimate trust management activities. However, you should investigate if these events occur outside of planned maintenance windows or if they involve unexpected trusted domains. Review the timing, frequency, and the accounts making the changes. Legitimate scenarios include trust validation processes, forest migrations, or routine trust maintenance. Suspicious patterns might indicate unauthorized trust modifications that could compromise domain security. Always correlate these events with your change management processes.
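The triage described in the two answers above (who made the change, and whether it falls outside an approved change window), as an added example that is not part of the original article. The sample events are constructed, and the Data field names, the approved-account list and the change window are assumptions to replace with your own values.

```powershell
# Constructed sample events (not real log data). The Data field names are
# assumptions; confirm them against the XML view of an event on your own DC.
$SampleXml = [xml]@'
<Events>
  <Event><System><EventID>4908</EventID><TimeCreated SystemTime="2026-03-15T21:05:00Z"/></System>
    <EventData><Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectUserName">adm-trust01</Data>
      <Data Name="TrustedDomainName">partner.example</Data></EventData></Event>
  <Event><System><EventID>4908</EventID><TimeCreated SystemTime="2026-03-17T02:40:00Z"/></System>
    <EventData><Data Name="SubjectDomainName">CORP</Data><Data Name="SubjectUserName">svc-backup</Data>
      <Data Name="TrustedDomainName">unknown.example</Data></EventData></Event>
</Events>
'@

# Hypothetical change-management inputs: approved accounts and approved windows (UTC).
$ApprovedAdmins = @('CORP\adm-trust01')
$ChangeWindows  = @(@{ Start = [datetimeoffset]'2026-03-15T20:00:00Z'; End = [datetimeoffset]'2026-03-15T23:00:00Z' })

function Get-TrustChangeFinding {
    param(
        [Parameter(Mandatory)][System.Xml.XmlElement[]]$EventNode,
        [string[]]$ApprovedAdmins = @(),
        [hashtable[]]$ChangeWindows = @()
    )
    foreach ($node in $EventNode) {
        # Flatten <Data Name="...">value</Data> into a lookup table, whatever the names are.
        $fields = @{}
        foreach ($d in $node.EventData.Data) { $fields[$d.Name] = $d.'#text' }

        $when    = [datetimeoffset]::Parse($node.System.TimeCreated.SystemTime)
        $account = '{0}\{1}' -f $fields['SubjectDomainName'], $fields['SubjectUserName']

        $reasons = @()
        if ($ApprovedAdmins -notcontains $account) { $reasons += 'account not on approved list' }
        $inWindow = $ChangeWindows | Where-Object { $when -ge $_.Start -and $when -le $_.End }
        if (-not $inWindow) { $reasons += 'outside approved change window' }

        $verdict = if ($reasons.Count) { 'INVESTIGATE' } else { 'expected' }
        [pscustomobject]@{
            TimeUtc = $when.UtcDateTime
            Account = $account
            Verdict = $verdict
            Reasons = $reasons -join '; '
            Details = ($fields.GetEnumerator() | Sort-Object Name | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ', '
        }
    }
}

Get-TrustChangeFinding -EventNode $SampleXml.Events.Event -ApprovedAdmins $ApprovedAdmins -ChangeWindows $ChangeWindows |
    Format-Table -AutoSize -Wrap
# Live data: -EventNode (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4908} | ForEach-Object { ([xml]$_.ToXml()).Event })
```

With the sample input, the first event is reported as expected and the second as INVESTIGATE for both reasons.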
Can Event ID 4908 help me troubleshoot cross-domain authentication issues?
Yes, Event ID 4908 can be valuable for troubleshooting authentication problems between trusted domains. If users report authentication failures across domain boundaries, check recent 4908 events to see if trust configurations were recently modified. Look for changes in trust direction, type, or authentication settings that might affect user access. Combine this with authentication failure events (4625, 5805) and Kerberos events (4768, 4769) to build a complete picture. Trust changes recorded in 4908 events often correlate with subsequent authentication behavior changes.
How do I prevent unauthorized trust modifications that would generate Event ID 4908?
Implement several security measures to prevent unauthorized trust changes: First, restrict membership in Domain Admins and Enterprise Admins groups to only necessary personnel. Second, enable advanced auditing for account management to capture all trust-related activities. Third, implement privileged access management (PAM) solutions that require approval for sensitive operations. Fourth, monitor Event ID 4908 in real-time using SIEM tools or PowerShell scripts to detect unexpected trust changes. Finally, establish change management processes that require documentation and approval before trust modifications. Consider using Just-In-Time (JIT) access for trust management operations.
Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
