-
Title
Migrated Users Cannot Access Resources Even Though the SIDHistory Attribute is Populated. -
Description
Users, with SIDHistory enabled, were migrated to the target domain and SIDHistory was successfully added to the target user accounts; however, the target users are unable to access resources. -
Cause
This problem can occur if SID Filtering is enabled between the source and target domains.
When troubleshooting, it is a good idea to use Whoami.exe Microsoft command line utility (part of Windows 2000 Resource Kit). If executed with /all switch, it will list all the SID values contained in the security token of currently logged in user. Running it under the context of source and target environments would show if particular domains SIDs are filtered.
-
Resolution
To resolve this issue, ensure that SID Filter quarantining is disabled between the source and target domains by running the NETDOM utility using the below commands. The NETDOM utility can be installed on the Operating System from the Windows Resource Kit or Support Tools.
For Windows 2003 and above use the following command:
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /Quarantine:no /EnableSIDHistory:yes /UserD:user /PasswordD:password /UserO:user /PasswordO:password
where:
trusting_domain_name: is the name of the trusting domain.
/Domain: Specifies the name of the trusted domain or Non-Windows Realm.
/UserD: User account used to make the connection with the domain specified by the /Domain argument
/PasswordD: Password of the user account specified by /UserD.
/UserO: User account for making the connection with the trusting domain
/PasswordO: Password of the user account specified By /UserO.
For Windows 2000 use the following command:
NETDOM TRUST trusting_domain_name /Domain:trusted_domain_name /FilterSIDs:no /UserD:user /PasswordD:password /UserO:user /PasswordO:password