My Stuff

My Collection of Useful Stuff


Impact of SID filtering

21 February 2007

SID filtering on external trusts (also called quarantining, the state shown by netdom trust ... /quarantine) exists to stop an administrator of the trusted domain from placing SIDs that belong to the trusting forest into a user's SID history and thereby gaining access the trust was never meant to grant. The same filter affects an existing Active Directory infrastructure in two areas:

- SID history. When a user from the trusted domain authenticates to a resource in the trusting domain, the trusting domain's domain controller removes from the user's authorization data every SID whose domain portion is not the trusted domain's own SID. SID history entries carried over from a migration therefore disappear, and access that was granted to the user's old SID is denied. Users who relied on SID history for authorization to resources in the trusting domain no longer have that access once SID filtering is enabled.
- Universal group access control strategy between forests. Universal groups are filtered by the same rule, so the way universal groups from the trusted forest are placed on ACLs in the trusting domain will need changes, as described below.

If you typically assign universal groups from a trusted forest to access control lists (ACLs) on shared resources in the trusting domain, SID filtering will have a major impact on your access control strategy. A universal group's SID is subject to the same filter as any other security principal's SID: it survives only if its domain portion (the S-1-5-21-x-y-z prefix ahead of the group's RID) is the SID of the trusted domain. You should therefore verify that every universal group assigned to a shared resource in the trusting domain was created in the trusted domain itself, not elsewhere in the trusted forest.

If the universal group in the trusted forest was not created in the trusted domain, its SID carries a different domain prefix and is stripped from the authorization data of every member who authenticates across the trust, even though the members themselves are users of the trusted domain. The user still authenticates; only the group membership is lost, so any permission granted to that group on the resource does not apply. Before assigning access to resources in the trusting domain for users in the trusted domain, confirm that the universal group containing those users was created in the trusted domain. This applies to external trusts; a forest trust applies a looser filter that keeps any SID belonging to a domain in the trusted forest, so there a universal group from another domain in that forest would pass.
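The following PowerShell is an added example, not code from the original post or from Microsoft. It models the quarantine rule described above (a SID is kept only if its domain portion equals the trusted domain's SID) and applies it twice: to a migrated user's constructed authorization data, covering the SID-history case, and to a constructed share ACL, covering the universal-group case. All domain SIDs, RIDs, the SDDL string and the function names are invented for the illustration; the Get-ADTrust and netdom commands in the comments are the real tools for checking a live trust.

```powershell
# Added example: predict what SID filtering (quarantine) on an external trust will
# strip, using only offline, constructed data. Not part of the original post.

function Test-SidPassesQuarantine {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$TrustedDomainSid
    )
    # AccountDomainSid is the S-1-5-21-x-y-z portion of an account SID and is $null for
    # well-known SIDs such as S-1-5-11 (Authenticated Users). Those are governed by the
    # domain controller's separate well-known SID rules and are not modelled here.
    $domainPart = $Sid.AccountDomainSid
    return ($null -ne $domainPart) -and ($domainPart.Value -eq $TrustedDomainSid.Value)
}

function Get-QuarantineReport {
    param(
        [Parameter(Mandatory)][string]$TrustedDomainSid,
        # Each item: @{ Role = '...'; Sid = 'S-1-5-21-...' }, one per SID in the user's token
        [Parameter(Mandatory)][hashtable[]]$AuthorizationData
    )
    $trusted = [System.Security.Principal.SecurityIdentifier]$TrustedDomainSid
    foreach ($item in $AuthorizationData) {
        $sid = [System.Security.Principal.SecurityIdentifier]$item.Sid
        [pscustomobject]@{
            Role = $item.Role
            Sid  = $sid.Value
            Kept = (Test-SidPassesQuarantine -Sid $sid -TrustedDomainSid $trusted)
        }
    }
}

function Get-FilteredAces {
    param(
        [Parameter(Mandatory)][string]$Sddl,              # the resource's ACL in SDDL form
        [Parameter(Mandatory)][string]$TrustedDomainSid
    )
    # Parse the ACL without resolving names (no directory lookup needed) and report, for
    # each ACE, whether its trustee survives quarantine. Against a live share, pass
    # (Get-Acl -Path \\server\share).Sddl as -Sddl.
    $trusted = [System.Security.Principal.SecurityIdentifier]$TrustedDomainSid
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetSecurityDescriptorSddlForm($Sddl)
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = [System.Security.Principal.SecurityIdentifier]$ace.IdentityReference
        [pscustomobject]@{
            Trustee              = $sid.Value
            Rights               = $ace.FileSystemRights
            Type                 = $ace.AccessControlType
            EffectiveAcrossTrust = (Test-SidPassesQuarantine -Sid $sid -TrustedDomainSid $trusted)
        }
    }
}

# Constructed domain SIDs (not real domains; all subauthorities fit in 32 bits).
$trustedDomain = 'S-1-5-21-1111111111-2222222222-3333333333'   # the trusted domain on the far side of the external trust
$siblingDomain = 'S-1-5-21-1010101010-2020202020-3030303030'   # another domain in the trusted forest
$legacyDomain  = 'S-1-5-21-1234567890-2345678901-3456789012'   # domain the user was migrated from (source of SID history)

# Constructed authorization data for a migrated user in the trusted domain.
$tokenSids = @(
    @{ Role = 'User SID';                                  Sid = "$trustedDomain-1105" }
    @{ Role = 'SID history from legacy domain';            Sid = "$legacyDomain-1059"  }
    @{ Role = 'Universal group created in trusted domain'; Sid = "$trustedDomain-1401" }
    @{ Role = 'Universal group created in sibling domain'; Sid = "$siblingDomain-1203" }
)
Get-QuarantineReport -TrustedDomainSid $trustedDomain -AuthorizationData $tokenSids | Format-Table -AutoSize

# Constructed ACL for a share in the trusting domain: Full Control to the universal group
# created in the trusted domain, Read to the one created in the sibling domain.
$shareSddl = "D:(A;OICI;FA;;;$trustedDomain-1401)(A;OICI;FR;;;$siblingDomain-1203)"
Get-FilteredAces -Sddl $shareSddl -TrustedDomainSid $trustedDomain | Format-Table -AutoSize

# On a domain controller with the ActiveDirectory module, confirm the trust's actual state:
#   Get-ADTrust -Identity 'trusted.example' | Select-Object Name, SIDFilteringQuarantined, SIDFilteringForestAware
#   netdom trust trusting.example /domain:trusted.example /quarantine
```

Only SIDs prefixed by $trustedDomain are reported as kept: the user's own SID and the group created in the trusted domain. The SID-history entry from the legacy domain and the group created in the sibling domain are flagged, which is exactly the access the post warns will be lost. The ACL audit reads trustees as raw SIDs rather than names so it can run from a machine that cannot resolve accounts in the trusted forest.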

Posted in Windows
