Export (0) Print
Expand All
This topic has not yet been rated - Rate this topic

Enabling SID Filtering

Updated: January 23, 2009

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2

On domain controllers that are running Windows Server 2003 or running Windows 2000 Server SP4 or later, SID filtering is applied by default to an outgoing, external trust to “quarantine” the trusted domain. This feature allows only SIDs from the trusted domain to be included in authorization data.

You might want to enable SID filtering if external trusts are in place that do not have SID filtering applied (that is, that were created on domain controllers running Windows 2000 Server SP3 or earlier).


  • Credentials: Domain Admins for the trusting domain

  • Tools: Netdom.exe (Windows Server 2003 Support Tools)

This procedure assumes that an external trust already exists between the trusting domains and the trusted domains.

To enable SID filtering for an outgoing, external trust

  1. Log on to a domain controller in the trusting domain using an account with Domain Admins credentials.

  2. At the command line, type:

    netdom trust trusting domain name /domain:trusted domain name/userO:user_name [/passwordO:*] /Quarantine:yes

    If you do not use the character * for the password, the password appears in plaintext. If you use *, you will be prompted for a password that does not display when you type it.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

© 2014 Microsoft. All rights reserved.