Enabling SID Filtering

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2

On domain controllers that are running Windows Server 2003 or running Windows 2000 Server SP4 or later, SID filtering is applied by default to an outgoing, external trust to “quarantine” the trusted domain. This feature allows only SIDs from the trusted domain to be included in authorization data.

You might want to enable SID filtering if external trusts are in place that do not have SID filtering applied (that is, that were created on domain controllers running Windows 2000 Server SP3 or earlier).

Requirements

  • Credentials: Domain Admins for the trusting domain

  • Tools: Netdom.exe (Windows Server 2003 Support Tools)

Note

This procedure assumes that an external trust already exists between the trusting domains and the trusted domains.

To enable SID filtering for an outgoing, external trust

  1. Log on to a domain controller in the trusting domain using an account with Domain Admins credentials.

  2. At the command line, type:

    netdom trusttrusting domain name**/domain**:trusted domain name**/userO:user_name [/passwordO:*] /Quarantine:yes**

    If you do not use the character * for the password, the password appears in plaintext. If you use *, you will be prompted for a password that does not display when you type it.