Windows Security Log Event ID 611

611: Removing Trusted Domain

On this page

• Description of this event
• Field level details
• Examples

This event varies depending on the OS.

Win2000

This event gets logged twice (duplicate) by the domain controller. Unlike event 610, an event 620 does not accompany this event.

The DC logs this event for both trusted and trusting domains. There is no way to make a distinction.

If directory service access auditing is turned on, the DC also logs an event 565 (object opened) and 564 (object deleted) where the object service is LSA and the object type is TrustedDomainObject. Object name identifies the 610, 611 and 620

Win2003

Unlike Windows 2000, Windows Server 2003 only logs this event once for each new domain. Although the description says "new *trusted* domain" this event gets logged for both trusted and trusting relationships.

If directory service access auditing is turned on, the DC also logs an event 565 (object opened) and 564 (object deleted) where the object service is LSA and the object type is TrustedDomainObject. Object name identifies the domain.
See also event IDs 610 and 620.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 611

• Trusted Domain Removed: (Windows 2000 says "Removing Trusted Domain")
• Domain Name:
• Domain ID:
• Removed By:
• User Name:
• Domain: (domain of the user that removed the trust)
• Logon ID:

Supercharger Free Edition

Centrally manage WEC subscriptions.

Free.

 

Mini-Seminars Covering Event ID 611 Building a Security Dashboard for Your Senior Executives

 

Upcoming Webinars

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy