Enabling SID Filtering
Updated: January 23, 2009
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2
On domain controllers that are running Windows Server 2003 or running Windows 2000 Server SP4 or later, SID filtering is applied by default to an outgoing, external trust to “quarantine” the trusted domain. This feature allows only SIDs from the trusted domain to be included in authorization data.
You might want to enable SID filtering if external trusts are in place that do not have SID filtering applied (that is, that were created on domain controllers running Windows 2000 Server SP3 or earlier).
Credentials: Domain Admins for the trusting domain
Tools: Netdom.exe (Windows Server 2003 Support Tools)
|This procedure assumes that an external trust already exists between the trusting domains and the trusted domains.|
To enable SID filtering for an outgoing, external trust
Log on to a domain controller in the trusting domain using an account with Domain Admins credentials.
At the command line, type:
netdom trust trusting domain name /domain:trusted domain name/userO:user_name [/passwordO:*] /Quarantine:yes
If you do not use the character * for the password, the password appears in plaintext. If you use *, you will be prompted for a password that does not display when you type it.