SID filtering is set on all trusts to prevent malicious users who have domain or enterprise administrator level access in a trusted forest from granting (to themselves or other user accounts in their forest) elevated user rights to a trusting forest.
SID filtering should be turned off only if you want target accounts to obtain all privileges of the source accounts for the period between account migration and resource processing. Otherwise, if you do not plan to use target accounts until resource processing will be completed, turning off SID filtering is not required.
Important: Note that only domain administrators or enterprise administrators can modify SID filtering settings.
To disable SID filter quarantining for the trusting domain, type a command using the following syntax at a command-prompt:
Netdom trust TrustingDomainName /domain: TrustedDomainName /quarantine:No /usero: domainadministratorAcct /passwordo: domainadminpwd
To re-enable SID filtering, set the /quarantine: command-line option to Yes.
The default SID filtering applied to forest trusts prevents user resource access requests from traversing the trusts with the credentials of the original domain. If you want to enable users to use the credentials that were migrated from their original domain, you can allow SID history to traverse forest trusts by using the Netdom command.
To allow SID history credentials to traverse a trust relationship between two forests, type a command using the following syntax at a command-prompt:
Netdom trust TrustingDomainName /domain: TrustedDomainName /enablesidhistory:Yes /usero: domainadministratorAcct /passwordo: domainadminpwd
To re-enable the default SID filtering setting across forest trusts, set the /enablesidhistory: command-line option to No.
For more information about configuring SID filtering refer to the Microsoft article available at https://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx.Note: Quest does not support or verify the claims made by third party links or products. Please discuss with your network administrator and/or Microsoft regarding environmental configurations.