Q: What is SID History Filtering?
A: SID History Filtering is a feature that discards the SIDs stored in a user's sIDHistory attribute (any SID that does not belong to the trusted domain) when that user authenticates over an interforest trust, so they never reach the trusting domain's authorization checks.
Q: Which OSes have this feature?
A: Windows Server 2003 and Windows 2000 Server post SP2 (I thought it was only in 2003 and I found out the hard way)
Q: Why do I need this?
A: Because SID History is a security risk: anyone with administrative rights in the trusted domain can write arbitrary SIDs into a user's sIDHistory (for example the Domain Admins SID of the trusting domain) and that user will then be granted access to resources they should not have. SID filtering drops those SIDs before the trusting domain builds the user's token.
Q: Could SID History filtering be a problem?
A: If you set up a trust between two domains for migration purposes, you will not be able to access resources in the old domain (I am talking from personal experience) with a migrated user.
Q: Is it turned on by default?
A: Yes
Q: How do I turn off SID filtering?
A: In Windows Server 2003, run netdom against the trusting domain with /quarantine:No (this is the switch for an external trust; on a forest trust the equivalent is /enablesidhistory:Yes):
Netdom trust TrustingDomainName /domain:TrustedDomainName /quarantine:No /usero:domainadministratorAcct /passwordo:domainadminpwd
TrustingDomainName | The DNS (or NetBIOS) name of the trusting domain of the trust being modified.
TrustedDomainName | The DNS (or NetBIOS) name of the trusted domain of the trust being modified.
domainadministratorAcct | A user account with administrator rights sufficient to modify the trust.
domainadminpwd | The password of the account given in domainadministratorAcct.
In Windows 2000 (the switch is /filtersids instead of /quarantine; RESDOM is the trusting resource domain and ACCDOM the trusted account domain):
netdom trust RESDOM /D:ACCDOM /UD:ACCDOM\Administrator /PD:adminpwd /UO:RESDOM\Administrator /PO:adminpwd /filtersids:no
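The following PowerShell is an added example, not part of the original page or of Microsoft's tooling. It models what a quarantined (SID-filtered) trust does to a migrated user's token, which is the mechanism behind both the security benefit and the migration breakage above, and shows how to read the current filtering state of a trust without changing it. The domain names, domain SIDs and sIDHistory entries are constructed values; the live report at the end needs a domain-joined host with the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original page): model SID filtering on a trust and
# check a trust's filtering state. Domain SIDs and sIDHistory values are constructed.

# The domain part of a SID is everything before the last "-" (the RID).
function Get-DomainSidPart {
    param([Parameter(Mandatory)][string]$Sid)
    return $Sid.Substring(0, $Sid.LastIndexOf('-'))
}

# A quarantined (SID-filtered) external trust only admits SIDs that belong to the
# trusted domain itself. Returns the SIDs the trusting domain would keep.
function Get-SidsAfterQuarantine {
    param(
        [Parameter(Mandatory)][string[]]$TokenSids,
        [Parameter(Mandatory)][string]$TrustedDomainSid
    )
    return @($TokenSids | Where-Object { (Get-DomainSidPart $_) -eq $TrustedDomainSid })
}

# TRUST_ATTRIBUTE_QUARANTINED_DOMAIN (0x4) in the trustedDomain object's
# trustAttributes is the bit that netdom /quarantine:Yes|No toggles.
function Test-TrustAttributesQuarantined {
    param([Parameter(Mandatory)][int]$TrustAttributes)
    return (($TrustAttributes -band 0x4) -ne 0)
}

# --- constructed scenario: OLDDOM (trusting) trusts NEWDOM (trusted) -----------
$OldDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # assumed value
$NewDomainSid = 'S-1-5-21-4444444444-5555555555-6666666666'   # assumed value

# Token a migrated NEWDOM user presents when accessing an OLDDOM resource:
$TokenSids = @(
    "$NewDomainSid-1105",   # the user's current account SID in NEWDOM
    "$OldDomainSid-1105",   # legitimate sIDHistory: the pre-migration account
    "$OldDomainSid-512"     # injected sIDHistory: OLDDOM's Domain Admins (RID 512)
)

$Kept = Get-SidsAfterQuarantine -TokenSids $TokenSids -TrustedDomainSid $NewDomainSid
# Only the NEWDOM account SID survives: the injected Domain Admins SID is blocked
# (the security win), but so is the genuine old-account SID (the migration breakage).
$TokenSids | ForEach-Object {
    $state = if ($Kept -contains $_) { 'kept' } else { 'filtered' }
    '{0,-55} {1}' -f $_, $state
}

# --- live check (needs the RSAT ActiveDirectory module on a domain-joined host) --
# Get-ADTrust exposes the quarantine bit as SIDFilteringQuarantined; netdom's query
# form shows the same state without modifying the trust:
#   netdom trust OLDDOM /domain:NEWDOM /quarantine
function Get-TrustFilteringReport {
    Import-Module ActiveDirectory
    Get-ADTrust -Filter * |
        Select-Object Name, Direction, ForestTransitive,
                      SIDFilteringQuarantined, SIDFilteringForestAware,
                      @{ n = 'QuarantineBitSet'; e = { Test-TrustAttributesQuarantined $_.TrustAttributes } }
}
```

Run the first part anywhere to see which of the three sample SIDs survive filtering; run Get-TrustFilteringReport on a domain controller (or any host with RSAT) to see whether each trust is quarantined before deciding to relax it with /quarantine:No.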
Links
KB for Windows 2000 (289243)
TechNet article for Windows Server 2003
Good article on SID filtering and SIDHistory