

A Windows Server 2012 R2 domain controller that receives an incoming Kerberos ticket-granting ticket (TGT) from across a forest trust boundary always filters out of the PAC all group SIDs that represent well-known accounts with low-number RIDs in its domain, such as the SID of the "Domain Admins" group in its domain. This issue occurs when a domain controller in another forest is at the Windows Server 2016 Technical Preview functional level and that forest holds a shadow principal group that has a SID representing a well-known account.


To fix this issue, install the May 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

Note: This update adds the new trust flag TRUST_ATTRIBUTE_PIM_TRUST to Windows Server 2012 R2 domain controllers. The flag enables those domain controllers to recognize the Kerberos tickets coming from the bastion forest. After you install this update, the domain controller allows this flag to be set on the trustAttributes attribute of a trusted domain object in its system container, and the domain controller interprets the groups when it performs SID filtering.
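
Because this flag changes how SID filtering treats a trust, it is worth checking which trusted domain objects carry it. The following is an added example, not code from this article or from Microsoft: `Test-PimTrust`, the `example.test` forest names, and the sample values are hypothetical, and the bit values are taken from the trustAttributes definition in MS-ADTS.

```powershell
# Added example: decode trustAttributes and report trusts that carry
# TRUST_ATTRIBUTE_PIM_TRUST but are not a known bastion forest.
# Bit values follow the MS-ADTS trustAttributes definition.
$TrustFlags = [ordered]@{
    TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x001
    TRUST_ATTRIBUTE_UPLEVEL_ONLY       = 0x002
    TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x004
    TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x008
    TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x010
    TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x020
    TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x040
    TRUST_ATTRIBUTE_PIM_TRUST          = 0x400
}

function Test-PimTrust {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Trust,
        # Assumption: the names of the forests you intend to use as bastion forests.
        [string[]] $ExpectedBastionForests = @()
    )
    process {
        $value = [int]$Trust.trustAttributes
        # Names of every known flag bit that is set in the value.
        $names = @($TrustFlags.Keys | Where-Object { $value -band $TrustFlags[$_] })
        $isPim = [bool]($value -band $TrustFlags['TRUST_ATTRIBUTE_PIM_TRUST'])
        [pscustomobject]@{
            Name       = $Trust.Name
            Flags      = $names -join ', '
            PimTrust   = $isPim
            # A PIM trust to a forest that is not on the expected list needs review.
            Unexpected = $isPim -and ($Trust.Name -notin $ExpectedBastionForests)
        }
    }
}

# Constructed sample input (not real data).
$sample = @(
    [pscustomobject]@{ Name = 'priv.example.test';    trustAttributes = 0x448 }
    [pscustomobject]@{ Name = 'partner.example.test'; trustAttributes = 0x008 }
    [pscustomobject]@{ Name = 'legacy.example.test';  trustAttributes = 0x408 }
)
$sample | Test-PimTrust -ExpectedBastionForests 'priv.example.test' | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -Properties trustAttributes |
#     Test-PimTrust -ExpectedBastionForests 'priv.example.test'
```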


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


Learn about the terminology that Microsoft uses to describe software updates.
