- You try to access a resource in a Microsoft Windows Server 2003 trusting domain.
- The resource that you try to access has permissions that are defined by using the built-in group that you migrated.
- Use a third-party tool such as NetIQ.
- Use the Sidhist.vbs Visual Basic script that is included with the ClonePrincipal Windows Server 2003 Support Tool.
This issue occurs if the following conditions are true:
- The access token of a security principal from a trusted domain passes a SID that matches a SID in the local domain.
- That SID is the SID of a built-in group.
To reduce the security risk of disabling SID filtering, the behavior of SID filtering changed between Windows 2000 Server and Windows Server 2003.
In Windows 2000 Server, SID filtering is either enabled or disabled for all SIDs on a particular trust, and built-in group SIDs are not filtered when SID filtering is disabled. In Windows Server 2003, SID filtering can also be enabled or disabled on specified trusts, but built-in SIDs from outside the domain are always filtered out, even when SID filtering is disabled.
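The following added example (not Microsoft code, and not part of the original article) models the difference described above so that you can see which SIDs in an incoming access token survive on each platform. It assumes that "built-in group" means a SID under S-1-5-32 (the BUILTIN domain) and that enabled filtering keeps only SIDs issued by the trusted domain; all domain SIDs, RIDs and function names are constructed for illustration.

```python
# Simplified model of SID filtering on a trust, following the behavior described
# in this article. It does not query Active Directory.
BUILTIN_PREFIX = "S-1-5-32-"  # assumption: built-in group SIDs live in the BUILTIN domain


def filter_token_sids(sids, trusted_domain_sid, trusting_os, filtering_enabled):
    """Return (kept, dropped) SIDs as evaluated by the trusting domain."""
    if trusting_os not in ("2000", "2003"):
        raise ValueError("trusting_os must be '2000' or '2003'")
    kept, dropped = [], []
    for sid in sids:
        from_trusted = sid.startswith(trusted_domain_sid + "-")
        is_builtin = sid.startswith(BUILTIN_PREFIX)
        if filtering_enabled:
            keep = from_trusted      # only SIDs issued by the trusted domain pass
        elif trusting_os == "2003":
            keep = not is_builtin    # built-in SIDs are always filtered out
        else:
            keep = True              # Windows 2000 Server: nothing is filtered
        (kept if keep else dropped).append(sid)
    return kept, dropped


def acl_matches(acl_sids, kept_sids):
    """True if any SID left in the token appears in the resource ACL."""
    return bool(set(acl_sids) & set(kept_sids))


# Constructed sample: a migrated account whose token carries its new SID,
# a SID-history entry from the old domain, and a built-in group SID.
TRUSTED = "S-1-5-21-1111111111-2222222222-3333333333"
OLD = "S-1-5-21-4444444444-5555555555-6666666666"
TOKEN = [TRUSTED + "-1105", OLD + "-1105", "S-1-5-32-550"]
RESOURCE_ACL = ["S-1-5-32-550"]  # permissions defined with the built-in group


def report():
    """One row per (OS, filtering state): does the ACL still match, and what was dropped?"""
    rows = []
    for trusting_os in ("2000", "2003"):
        for enabled in (True, False):
            kept, dropped = filter_token_sids(TOKEN, TRUSTED, trusting_os, enabled)
            rows.append((trusting_os, enabled, acl_matches(RESOURCE_ACL, kept), dropped))
    return rows


if __name__ == "__main__":
    for trusting_os, enabled, access, dropped in report():
        print(f"Server {trusting_os} filtering={enabled}: ACL match={access} dropped={dropped}")
```

Replacing `RESOURCE_ACL` with the old-domain SID-history entry shows that permissions defined with a migrated non-built-in group still match on Windows Server 2003 when SID filtering is disabled.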
For more information about migrating accounts while you are using SID history, visit the following Microsoft Web site:
Article ID: 893191 - Last Review: 29 Mar 2017 - Revision: 3