
Enabling SID Filtering

Updated: January 23, 2009

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2

On domain controllers that are running Windows Server 2003 or running Windows 2000 Server SP4 or later, SID filtering is applied by default to an outgoing, external trust to “quarantine” the trusted domain. This feature allows only SIDs from the trusted domain to be included in authorization data.

You might want to enable SID filtering if external trusts are in place that do not have SID filtering applied (that is, that were created on domain controllers running Windows 2000 Server SP3 or earlier).


  • Credentials: Domain Admins for the trusting domain

  • Tools: Netdom.exe (Windows Server 2003 Support Tools)

This procedure assumes that an external trust already exists between the trusting domains and the trusted domains.

To enable SID filtering for an outgoing, external trust

  1. Log on to a domain controller in the trusting domain using an account with Domain Admins credentials.

  2. At the command line, type:

    netdom trust trusting_domain_name /domain:trusted_domain_name /userO:user_name [/passwordO:*] /Quarantine:yes

    If you do not use the character * for the password, the password appears in plaintext. If you use *, you will be prompted for a password that does not display when you type it.
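The following script is an added example, not part of the original Microsoft page. It picks out the outgoing external trusts that do not yet have SID filtering applied and prints the `netdom` command from step 2 for each one. It assumes PowerShell 3.0 or later; the function name, the domain names, and the sample trust records are constructed for illustration.

```powershell
# trustAttributes / trustDirection bit values of AD trustedDomain objects (MS-ADTS).
$QUARANTINED_DOMAIN = 0x04   # SID filtering (quarantine) is applied
$FOREST_TRANSITIVE  = 0x08   # forest trust, not an external trust
$WITHIN_FOREST      = 0x20   # trust inside the same forest
$DIRECTION_OUTBOUND = 0x02   # the local domain is the trusting domain

# Hypothetical helper: returns outgoing external trusts without SID filtering.
function Get-UnfilteredExternalTrust {
    param([Parameter(Mandatory = $true)] [object[]] $Trust)
    foreach ($t in $Trust) {
        $attr        = [int]$t.trustAttributes
        $outgoing    = ([int]$t.trustDirection -band $DIRECTION_OUTBOUND) -ne 0
        $external    = ($attr -band ($FOREST_TRANSITIVE -bor $WITHIN_FOREST)) -eq 0
        $quarantined = ($attr -band $QUARANTINED_DOMAIN) -ne 0
        if ($outgoing -and $external -and -not $quarantined) { $t }
    }
}

# Constructed sample records (not real domains).
$sample = @(
    # outgoing external trust, quarantine bit clear: needs the procedure above
    [pscustomobject]@{ Name = 'partner.example';    trustDirection = 2; trustAttributes = 0x00 }
    # two-way external trust that is already quarantined
    [pscustomobject]@{ Name = 'vendor.example';     trustDirection = 3; trustAttributes = 0x04 }
    # trust inside the forest: not an external trust
    [pscustomobject]@{ Name = 'child.corp.example'; trustDirection = 3; trustAttributes = 0x20 }
    # incoming-only trust: the local domain is not the trusting domain
    [pscustomobject]@{ Name = 'legacy.example';     trustDirection = 1; trustAttributes = 0x00 }
)

# On a live domain with the ActiveDirectory module available (assumption), replace $sample with:
#   Get-ADObject -Filter 'objectClass -eq "trustedDomain"' -Properties trustDirection, trustAttributes
$trustingDomain = 'corp.example'   # constructed name of the local (trusting) domain

# Print, but do not run, the step 2 command for each unfiltered trust.
Get-UnfilteredExternalTrust -Trust $sample | ForEach-Object {
    "netdom trust $trustingDomain /domain:$($_.Name) /userO:user_name /passwordO:* /Quarantine:yes"
}
```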
