Using SID Filtering When Migrating User Accounts
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Applies to: Active Directory Migration Tool 3.2 (ADMT 3.2)
For a domain-to-domain trust, security identifier (SID) filtering does not allow for the use of SIDs from outside the trusted domain to enable access to any resource within the trusting domain. For a forest-to-forest trust, SID filtering does not allow for the use of SIDs from any domain outside the trusted forest to enable access to any resource within any domain in the trusting forest.
You can enable the SID of a user in a different forest to access a resource within a forest that has SID filtering enabled by translating security on the resource to include the user SID in the permission list.
SID filtering is applied by default when a forest trust is established between two forest root domains. Also, SID filtering is enabled by default when external trusts are established between domain controllers that are running Windows 2000 Service Pack 4 (SP4) or later. This prevents potential security attacks by an administrator in a different forest.
Because SID filtering does not apply to authentication within a domain, it is also possible to allow access to resources by means of SID history, if the resource and the account are in the same domain. To allow users or groups to access a resource by using SID history, the forest in which the resource is located must trust the forest in which the account is located.
For more information about SID-history-based attacks and SID filtering, see Configuring SID Filtering Settings (https://go.microsoft.com/fwlink/?LinkId=73446).