Hi there,

We just created a forest trust relationship between an AD2003 domain and an
AD2008 domain. We are experiencing a really weird issue. Here it is:

A user from the 2003 domain needs to have a permission to access a shared
folder on a member server of the 2008 domain. If we put the 2003 domain user
in a 2008 local domain group and then give the permission to this group to
access the folder on the 2008 member server, it fails. The security log says
that a SID has been filtered.

If we explicitly give the permission to the same user on the same folder, it
is successful.

If we put the 2003 user in a 2003 domain universal group, then put that
universal group in the 2008 local domain group then give permission to the
local domain group on the 2008 file server, it still fails, and gives the
same security event.

If we promote our 2008 file server as a DC, it starts to work. If we demote
it back as a file server, it continues to work.

- I compared ALL the local and domain policies, and everything seems fine.
- I made sure that SID filtering is disabled on the trust relationship
(anyway, it shouldn't be a concern, since it is a forest trust)
- I made sure SID History is enabled on the trust relationship (but this too
shouldn't be a concern since the user has not been migrated)

What could I do next to troubleshoot this issue?

Re: Filtered Sid by Jorge

Jorge
Wed Jun 18 13:25:11 PDT 2008

>>>The security log says that a SID has been filtered.

Which security log? (Which DC, 2003 or 2008?)
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

Re: Filtered Sid by JeffCourteau

JeffCourteau
Thu Jun 19 05:20:02 PDT 2008

The security log on the 2008 file server. However, if the file server is a
Windows Server 2003 member of my 2008 domain, there is no problem at all...

Thanks!

Jeff Courteau

Re: Filtered Sid by Jorge

Jorge
Thu Jun 19 12:53:18 PDT 2008

Do you have the event in question? Every info from it (ID, source,
description, etc.)



Re: Filtered Sid by JeffCourteau

JeffCourteau
Fri Jun 20 06:14:01 PDT 2008

Log: Security
Source: Microsoft Windows security auditing.
ID: 4675

The description says that a SID has been filtered, even though SID filtering
is deactivated on the trust relationship.

Thanks!

Jeff Courteau
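
One way to collect every field of the 4675 events asked for earlier in the thread (an added example, not part of the original posts). The function name `Get-SidFilteredEvent` is hypothetical; it assumes PowerShell 3.0 or later, run elevated against the server that logged the event.

```powershell
# Added example: dump all data fields of Security event 4675 ("SIDs were filtered").
# Get-SidFilteredEvent is a hypothetical helper name, not a built-in cmdlet.
function Get-SidFilteredEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # e.g. the 2008 file server
        [int]$MaxEvents = 50
    )

    $filter = @{ LogName = 'Security'; Id = 4675 }

    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()

        $row = [ordered]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            Source      = $e.ProviderName
            Id          = $e.Id
        }

        # Field names are read from the event record itself, not assumed here.
        foreach ($d in $xml.Event.EventData.Data) {
            $row[$d.Name] = $d.'#text'
        }

        # Full rendered description, as shown in Event Viewer.
        $row['Description'] = $e.Message

        [pscustomobject]$row
    }
}

# Show every property of each matching event on the local machine.
Get-SidFilteredEvent | Format-List *
```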