Using SID Filtering When Migrating User Accounts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

SID filtering does not allow for the use of SIDs from outside the forest to enable access to any resource within the forest. You can enable the SID of a user in a different forest to access a resource within a forest that has SID filtering enabled by translating security on the resource to include the user SID in the permission list. Because SID filtering does not apply to authentication within a domain, it is also possible to allow access to resources by means of SID history if the resource and the account are in the same domain.

To allow users or groups to access a resource by using SID history, the forest in which the resource is located must trust the forest in which the account is located. SID filtering is applied by default when a forest trust is established between two forest root domains. Also, SID filtering is enabled by default when external trusts are established between domain controllers running Windows Server 2003 or Windows 2000 SP4 or later. This prevents potential security attacks by an administrator in a different forest.

For more information about SID history–based attacks and SID filtering, see Configuring SID Filtering Settings at https://go.microsoft.com/fwlink/?LinkId=73446.