Why would an interdomain trust account not require a password?

Solution 1:

Trust secrets are represented by special attributes on interdomain trust accounts, indicating the direction of the trust they're securing.

Inbound trust secrets are stored in trustAuthIncoming, on the "trusted" side of a trust.

Outbound trust secrets are stored in trustAuthOutgoing, on the "trusting" end of a trust.

In the special case of two-way trusts (like Parent-Child trusts or transitive forest trusts between internal forests) the INTERDOMAIN_TRUST_ACCOUNT object on each side of the trust will have both set.

Unlike regular computer accounts, on which the client computer is responsible for initiating password changes, trust secrets are maintained by the Domain Controller possessing the PDC Emulator FSMO role in the trusting domain.

Every 7 days, the PDCe will generate and set a new trust secret, contact the PDCe in the trusted domain, and update the Incoming trust secret. All other domain controllers in the trusted domain will replicate the new secret, but to ensure that the trust is not immediately broken until replication occurs, the last secret used will be retained in the SAM database until the next change.

Since this specification does not fit well with most password policies, and because of the fact that a unique password/secret is maintained per direction, not per TDO, the INTERDOMAIN_TRUST_ACCOUNT is exempt from having a password.
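
An audit for accounts that do not require a password will flag every interdomain trust account, so triage has to separate those expected hits from real findings. The sketch below is an added example, not part of the original answer; it assumes accounts and trustedDomain objects (TDOs) were exported from LDAP as dictionaries and that a trust account's sAMAccountName is the trust's flatName plus `$`, and its sample records are constructed.

```python
"""Triage PASSWD_NOTREQD findings: trust accounts vs. accounts needing review."""

# userAccountControl bits (Microsoft-documented values).
PASSWD_NOTREQD = 0x0020
INTERDOMAIN_TRUST_ACCOUNT = 0x0800

# trustDirection bits on a TDO: 1 = inbound, 2 = outbound, 3 = two-way.
INBOUND, OUTBOUND = 0x1, 0x2


def secret_attributes(trust_direction):
    """Attributes that hold the trust secret for a TDO with this direction."""
    attrs = []
    if trust_direction & INBOUND:
        attrs.append("trustAuthIncoming")
    if trust_direction & OUTBOUND:
        attrs.append("trustAuthOutgoing")
    return attrs


def triage(accounts, tdos):
    """Return {sAMAccountName: (verdict, detail)} for each PASSWD_NOTREQD account."""
    by_flat_name = {t["flatName"].upper(): t for t in tdos}
    report = {}
    for acct in accounts:
        uac = acct["userAccountControl"]
        if not uac & PASSWD_NOTREQD:
            continue  # a password is required; nothing to triage
        sam = acct["sAMAccountName"]
        if not uac & INTERDOMAIN_TRUST_ACCOUNT:
            report[sam] = ("review", "PASSWD_NOTREQD on a non-trust account")
            continue
        # Assumption: trust account name == flatName of its TDO + "$".
        tdo = by_flat_name.get(sam.rstrip("$").upper())
        if tdo is None:
            report[sam] = ("review", "trust account with no matching TDO")
        else:
            attrs = ", ".join(secret_attributes(tdo["trustDirection"]))
            report[sam] = ("expected", "secret in " + attrs)
    return report


# Constructed sample records, shaped like an LDAP export.
SAMPLE_TDOS = [{"flatName": "CHILD", "trustDirection": 3}]
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "CHILD$", "userAccountControl": 0x0820},
    {"sAMAccountName": "OLDPARTNER$", "userAccountControl": 0x0820},
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x0220},
    {"sAMAccountName": "alice", "userAccountControl": 0x0200},
]
```

Calling `triage(SAMPLE_ACCOUNTS, SAMPLE_TDOS)` marks `CHILD$` as expected and leaves `OLDPARTNER$` and `svc-legacy` for review.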