SID filtering confusion??

shawn

I have an external two way trust between my NT 4.0 SP6a domain and my new
W2K3 AD domain.

I have migrated several users over from NT domain to W2K3 AD domain with SID
history.

NT domain still has resources (file shares, printers, Exchange mailboxes,
etc).

SID filtering is enabled on this two way trust.

How come users in AD can still get to NT resources? Shouldn't enabling SID
filtering keep users from using these resources? (i.e., not passing SID
history binary info in the data packet to the NT domain for authentication)


Thanks in advance.

Tim Springston [MS]

Hi Shawn-

If I understand your scenario correctly, you have enabled SID filtering and
are still seeing users from your W2K domain able to access resources
successfully in your NT4 domain using the SIDHistory on their tokens.

My first thought is to make sure that the registry key below is set on all
of your NT4 BDCs and the PDC.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\
with the following attributes:

Name: QuarantinedDomains

Type: REG_MULTI_SZ

Value: Sequence of zero, or more, Netbios domain names

After placing the value (if it is not already present) restart the NETLOGON
service.

This registry key, rather than the value on the TDO like in Windows 2000
and Server 2003 Active Directory, tells the NT4 domain to not allow the use
of SIDHistory.


Please repost if this does not help.
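As an added example (not from the thread or from Microsoft), this PowerShell audit reads the Netlogon QuarantinedDomains value from each NT4 PDC/BDC over the Remote Registry service and reports whether the NetBIOS name of the trusted AD domain is listed, which is the condition under which the NT4 DCs stop honouring SIDHistory from that domain. It runs from a modern management host (NT4 itself has no PowerShell); the DC names and the domain name are placeholders.

```powershell
# Added example, not from the thread. Audits the NT4 SID-filtering registry
# value described above on each domain controller. Assumes: Remote Registry
# reachable on the DCs, admin rights on them, and placeholder names below.

# Pure check: given the REG_MULTI_SZ value read from a DC, is the trusted
# domain quarantined? NetBIOS names are case-insensitive, so compare with -ieq.
function Test-QuarantinedDomain {
    param(
        [AllowNull()][string[]]$QuarantinedDomains,
        [Parameter(Mandatory)][string]$TrustedDomain
    )
    if (-not $QuarantinedDomains) { return $false }   # value absent or empty
    return [bool]($QuarantinedDomains | Where-Object { $_ -ieq $TrustedDomain })
}

# Read HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\QuarantinedDomains
# from one (possibly remote) DC. Returns $null when the value does not exist.
function Get-QuarantinedDomains {
    param([Parameter(Mandatory)][string]$ComputerName)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\Netlogon\Parameters')
        if (-not $key) { return $null }
        $value = $key.GetValue('QuarantinedDomains')
        if ($null -ne $value -and $key.GetValueKind('QuarantinedDomains') -ne 'MultiString') {
            Write-Warning "$ComputerName : QuarantinedDomains is not REG_MULTI_SZ; Netlogon will ignore it"
        }
        return [string[]]$value
    }
    finally { $hive.Close() }
}

# Placeholders: the NetBIOS name of the W2K3 AD domain whose SIDHistory must not
# be trusted, and every PDC/BDC in the NT4 domain (all of them need the value).
$trustedDomain = 'ADDOMAIN'
$controllers   = 'NT4PDC', 'NT4BDC1'

foreach ($dc in $controllers) {
    $value = Get-QuarantinedDomains -ComputerName $dc
    [pscustomobject]@{
        DC          = $dc
        Quarantined = Test-QuarantinedDomain -QuarantinedDomains $value -TrustedDomain $trustedDomain
        Value       = ($value -join ',')
    }
}
```

Any DC reporting Quarantined = False still honours SIDHistory until the value is added there and its NETLOGON service restarted, as the reply notes; a modern management host needs the SMB1 client enabled to reach an NT4 machine's Remote Registry.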