Applies To: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation, Windows 8.1 Enterprise, Windows 8.1 Pro, Windows 8.1

Symptoms

A Windows Server 2012 R2 domain controller that receives an incoming Kerberos ticket-granting ticket (TGT) from across a forest trust boundary always filters out of the PAC every group SID that represents a well-known account with a low-number RID in its own domain, such as the SID of the "Domain Admins" group of its domain. This issue occurs when the domain controller on the other side of the trust is in a forest at the Windows Server 2016 Technical Preview functional level (the bastion forest), and that forest holds a shadow principal group whose SID represents such a well-known account. Because the SID is stripped by SID filtering, a user whose TGT from the bastion forest carries that group membership does not receive the corresponding access in the Windows Server 2012 R2 domain.

Resolution

To fix this issue, install the May 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

Note This update adds the new trust flag TRUST_ATTRIBUTE_PIM_TRUST to Windows Server 2012 R2 domain controllers. The flag enables those domain controllers to recognize the Kerberos tickets that come from the bastion forest. After you install this update, the domain controller allows this flag to be set on the trustAttributes attribute of a trusted domain object in its System container, and when the flag is set, the domain controller honors those group SIDs when it performs SID filtering instead of stripping them from the PAC. Set the flag only on the trusted domain object for the bastion forest; it relaxes SID filtering for every ticket that arrives across that trust.
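The following PowerShell is an added example, not part of this article or any Microsoft script, that shows how an administrator can audit the trusted domain objects in the local domain's System container, decode trustAttributes, and enable TRUST_ATTRIBUTE_PIM_TRUST on the trust to the bastion forest. The bit values come from MS-ADTS (PIM_TRUST is 0x400); the article itself does not state the numeric value. The partner name 'priv.contoso.com' is a hypothetical placeholder. It assumes the ActiveDirectory module (RSAT) is installed and that the change is made only after the May 2016 rollup is on the Windows Server 2012 R2 domain controllers, since earlier builds neither accept nor honor the flag.

```powershell
# Added example (not from the KB article): audit and set TRUST_ATTRIBUTE_PIM_TRUST
# on trustedDomain objects. Bit values are from MS-ADTS; PIM_TRUST = 0x400.
Import-Module ActiveDirectory

$TrustAttributeFlags = [ordered]@{
    NON_TRANSITIVE                           = 0x00000001
    UPLEVEL_ONLY                             = 0x00000002
    QUARANTINED_DOMAIN                       = 0x00000004
    FOREST_TRANSITIVE                        = 0x00000008
    CROSS_ORGANIZATION                       = 0x00000010
    WITHIN_FOREST                            = 0x00000020
    TREAT_AS_EXTERNAL                        = 0x00000040
    USES_RC4_ENCRYPTION                      = 0x00000080
    CROSS_ORGANIZATION_NO_TGT_DELEGATION     = 0x00000200
    PIM_TRUST                                = 0x00000400
    CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x00000800
}

# Turn a trustAttributes integer into the list of flag names that are set.
function ConvertTo-TrustAttributeNames {
    param([int]$Value)
    $TrustAttributeFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# List every trust held in this domain's System container with its decoded flags.
function Get-TrustPimStatus {
    $systemContainer = "CN=System," + (Get-ADDomain).DistinguishedName
    Get-ADObject -SearchBase $systemContainer -LDAPFilter '(objectClass=trustedDomain)' `
                 -Properties trustPartner, trustDirection, trustAttributes |
        ForEach-Object {
            [pscustomobject]@{
                TrustPartner      = $_.trustPartner
                DistinguishedName = $_.DistinguishedName
                TrustDirection    = $_.trustDirection
                TrustAttributes   = ('0x{0:X8}' -f $_.trustAttributes)
                Flags             = (ConvertTo-TrustAttributeNames $_.trustAttributes) -join ','
                PimTrust          = (($_.trustAttributes -band $TrustAttributeFlags.PIM_TRUST) -ne 0)
            }
        }
}

# Set PIM_TRUST on the trust whose partner is the bastion forest. Once set, the DC
# will honor well-known-RID group SIDs in TGTs from that forest instead of filtering
# them, so apply it to that one trust only. Requires rights to modify the trustedDomain object.
function Enable-PimTrustFlag {
    param([Parameter(Mandatory)][string]$TrustPartner)
    $systemContainer = "CN=System," + (Get-ADDomain).DistinguishedName
    $tdo = Get-ADObject -SearchBase $systemContainer -Properties trustAttributes `
             -LDAPFilter "(&(objectClass=trustedDomain)(trustPartner=$TrustPartner))"
    if (-not $tdo) { throw "No trustedDomain object found for partner '$TrustPartner'" }
    $new = $tdo.trustAttributes -bor $TrustAttributeFlags.PIM_TRUST
    if ($new -ne $tdo.trustAttributes) {
        Set-ADObject -Identity $tdo.DistinguishedName -Replace @{ trustAttributes = $new }
    }
    ConvertTo-TrustAttributeNames $new
}

# Audit first, then enable on the bastion-forest trust (hypothetical partner name).
Get-TrustPimStatus | Format-Table -AutoSize
# Enable-PimTrustFlag -TrustPartner 'priv.contoso.com'
```

Run the audit on a domain controller or a management host with RSAT before and after the change; the PimTrust column should be True only for the bastion-forest trust, and every other trust should keep QUARANTINED_DOMAIN or FOREST_TRANSITIVE semantics unchanged.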

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

Learn about the terminology that Microsoft uses to describe software updates.
