Microsoft KB Archive/893191

= The security IDs for built-in domain groups are filtered in Windows Server 2003 =

Article ID: 893191

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)

-





SYMPTOMS
After you migrate a built-in domain group, such as the Domain Users group or the Domain Admins group, while you are using security ID (SID) history, you receive the following error message:

Access is denied.

This symptom occurs if the following conditions are true:
 * You try to access a resource in a Microsoft Windows Server 2003 trusting domain.
 * The resource that you try to access has permissions that are defined by using the built-in group that you migrated.

Note: You cannot use the Active Directory Migration Tool (ADMT) version 2.0 to migrate SID history for built-in LOCAL groups or built-in domain global groups. Built-in LOCAL groups include the Administrators group, the Users group and the Power Users group. Built-in domain global groups include Domain Admins or Domain Users. The behavior with built-in domain local groups occurs because the built-in account SIDs are the same in every domain. Therefore, if you migrate these accounts to a destination domain, duplicate SIDs exist in the destination domain. However, while you cannot use ADMT version 2.0 to migrate SID history for built-in GLOBAL groups such as the Domain Admins or Domain Users group, you can migrate the SID history by using either of the following methods:
 * Use a third-party tool such as NetIQ.
 * Use the Sidhist.vbs Visual Basic script that is included with the ClonePrincipal Windows Server 2003 Support Tool.



CAUSE
This issue occurs if the following conditions are true:
 * The access token of a security principal from a trusted domain passes a SID that matches a SID in the local domain.
 * That SID is the SID of a built-in group.

In this scenario, Windows Server 2003 removes this SID from the access token. This SID removal is known as SID filtering. In a migration scenario where the source domain is a Windows Server 2003 domain, users from a trusted domain cannot access resources in that source domain if those resources have only the following access control entries (ACEs) defined:

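The filtering rule described in the CAUSE section, modelled as an added Python example (this is not Microsoft's code; the two domain SIDs and the RIDs 1105 and 1106 are constructed values): a SID arriving in a token from a trusted domain that matches a built-in group SID of the resource domain is dropped, and the remaining token is evaluated against the resource's ACL. The example also shows the effect of re-ACLing the resource with the migrated group's new SID, which is the SID that survives filtering.

```python
import re

# Constructed example domains (not from the article): A is the Windows Server 2003
# source/resource domain, B is the destination domain the group was migrated to.
SOURCE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
DEST_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"

# Built-in domain global groups carry the same relative ID (RID) in every domain.
BUILTIN_DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users"}
# Built-in LOCAL groups (Administrators, Users, Power Users, ...) share the S-1-5-32- prefix.
BUILTIN_LOCAL_PREFIX = "S-1-5-32-"


def is_builtin_in_domain(sid: str, local_domain_sid: str) -> bool:
    """True if sid is the SID of a built-in group as seen by the local (resource) domain."""
    if sid.startswith(BUILTIN_LOCAL_PREFIX):
        return True
    m = re.fullmatch(re.escape(local_domain_sid) + r"-(\d+)", sid)
    return bool(m) and int(m.group(1)) in BUILTIN_DOMAIN_RIDS


def filter_token(token_sids, local_domain_sid):
    """Model of SID filtering: drop every SID in an incoming token that matches a
    built-in group SID of the local domain. Returns (kept, dropped)."""
    kept, dropped = [], []
    for sid in token_sids:
        (dropped if is_builtin_in_domain(sid, local_domain_sid) else kept).append(sid)
    return kept, dropped


def check_access(token_sids, acl):
    """acl is a list of (sid, 'allow' | 'deny'). A matching deny ACE wins; otherwise
    access is granted only if some allow ACE names a SID present in the token."""
    present = set(token_sids)
    if any(sid in present and kind == "deny" for sid, kind in acl):
        return False
    return any(sid in present and kind == "allow" for sid, kind in acl)


def migrated_admins_scenario(reacl_with_new_sid: bool) -> bool:
    """User in domain B, member of the Domain Admins group migrated from A with SID history,
    accesses a resource in A. Returns whether access is granted after filtering."""
    token = [f"{DEST_DOMAIN}-1105",   # the user's own SID in B (constructed RID)
             f"{DEST_DOMAIN}-1106",   # the migrated group's new SID in B (constructed RID)
             f"{SOURCE_DOMAIN}-512"]  # sidHistory entry: A's Domain Admins SID
    acl = [(f"{SOURCE_DOMAIN}-512", "allow")]  # resource ACLed only to A's Domain Admins
    if reacl_with_new_sid:
        acl.append((f"{DEST_DOMAIN}-1106", "allow"))  # add an ACE for the group's new SID
    kept, _dropped = filter_token(token, SOURCE_DOMAIN)
    return check_access(kept, acl)
```

Only SIDs that match a built-in group of the resource domain are removed; a foreign domain's RID 512 SID passes through unchanged, which is why the re-ACL with the new group SID restores access.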



MORE INFORMATION
Built-in groups are also known as "well-known" groups.

For more information about migrating accounts while you are using SID history, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/044de91e-0cdf-480e-83e6-3be53f3cfb781033.mspx

For more information about migrating accounts without using SID history, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/cea85aee-f4bb-4b2d-b457-97cb118da7251033.mspx

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Additional query words: sidhist share forest trust acl

Keywords: kbenv kberrmsg kbhowto kbinfo KB893191

-


© Microsoft Corporation. All rights reserved.