Share via

Disable SID filter quarantining

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Although it is not recommended, you can disable security identifier (SID) filter quarantining for an external trust by using the Netdom.exe tool. You should consider disabling SID filter quarantining only in the following situations:

  • You have an equally high level of confidence in the administrators who have physical access to domain controllers in the trusted domain and the administrators with such access in the trusting domain.

  • You have a strict requirement to assign universal groups to resources in the trusting domain, even when those groups were not created in the trusted domain.

  • Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant those users access to resources in the trusting domain based on the SIDHistory attribute.

For more information about how SID filtering works, see "Security Considerations for Trusts" in the Windows Server 2003 Technical Reference on the Microsoft Web site (

You can disable SID filter quarantining by using the Netdom command-line tool. For more information about the Netdom command-line tool, see "Netdom.exe: Windows Domain Manager" in the Windows Server 2003 Technical Reference on the Microsoft Web site (

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory.

To disable SID filter quarantining

  1. To disable SID filter quarantining for the trusting domain, open a Command Prompt.

  2. Type the following command, and then press ENTER:

    Netdom trust TrustingDomainName **/domain:**TrustedDomainName **/quarantine:No /userD:**domainadministratorAcct **/passwordD:**domainadminpwd

    Value Description


    The Domain Name System (DNS) name (or network basic input/output system (NetBIOS) name) of the trusting domain in the trust that is being created.


    The DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.


    The user account name with the appropriate administrator credentials to modify the trust.


    The password of the user account in domainadministratorAcct.


    You can enable or disable SID filter quarantining only from the trusting side of the trust. If the trust is a two-way trust, you can also disable SID filter quarantining in the trusted domain by using the domain administrator’s credentials for the trusted domain and reversing the TrustingDomainName and TrustedDomainName values in the command-line syntax.