Microsoft KB Archive/939089

= Error message when you try to access shared resources on an Active Directory trusting domain: "Access is denied" =

Article ID: 939089

Article Last Modified on 12/12/2007


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows 2000 Server




SYMPTOMS
You have set an external trust relationship between Active Directory domains. Later, you use the Active Directory Migration Tool (ADMT) to migrate accounts between domains. You migrate both user accounts and group accounts together with the security ID (SID) history. When you use these accounts to try to access shared resources on the trusting domain, you receive the following error message:

Access is denied.

Note: You receive this error message even though the accounts have the correct NTFS and share permissions set on the shared resources. You can successfully access shared resources that have the access permission set for the Authenticated Users group.



CAUSE
This problem may occur if the following conditions are true:
 * SID filtering is disabled in the trusted domain.
 * SID filtering is enabled in the trusting domain.
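
The symptom follows from these conditions: when the trusting domain filters SIDs, it keeps only SIDs that belong to the trusted domain, so the migrated SID history entries never reach the access check, while Authenticated Users is added on the resource side and still matches. The following Python sketch is an added example, not part of the original article; it is a simplified model of SID filtering, and all SIDs, RIDs and function names in it are constructed for illustration.

```python
# Added illustration (not from the KB article): simplified model of SID
# filtering (quarantine) on an external trust. All SIDs are constructed.

AUTHENTICATED_USERS = "S-1-5-11"  # well-known SID added by the resource server itself

TRUSTED = "S-1-5-21-1111111111-2222222222-3333333333"  # trusted (account) domain
SOURCE = "S-1-5-21-4444444444-5555555555-6666666666"   # domain the accounts were migrated from


def domain_of(sid):
    """Domain part of a domain-relative SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]


def accepted_sids(account_sids, sid_history, trusted_domain_sid, quarantine):
    """SIDs the trusting domain keeps from the trusted domain's authorization data."""
    presented = set(account_sids) | set(sid_history)
    if quarantine:
        # Filtering drops every SID that is not relative to the trusted domain,
        # which removes the migrated sIDHistory entries.
        presented = {s for s in presented if domain_of(s) == trusted_domain_sid}
    return presented


def access_allowed(accepted, acl_sids):
    """Allow if any SID in the final token matches an allow entry on the resource."""
    token = accepted | {AUTHENTICATED_USERS}
    return bool(token & set(acl_sids))


def evaluate(quarantine):
    """Return (migrated-ACL share, Authenticated Users share) results for one user."""
    account = [TRUSTED + "-1105", TRUSTED + "-1110"]  # new user SID and new group SID
    history = [SOURCE + "-1234", SOURCE + "-1250"]    # pre-migration SIDs in sIDHistory
    kept = accepted_sids(account, history, TRUSTED, quarantine)
    finance_share = access_allowed(kept, [SOURCE + "-1250"])  # ACL still names old group SID
    public_share = access_allowed(kept, [AUTHENTICATED_USERS])
    return finance_share, public_share


if __name__ == "__main__":
    for state in (True, False):
        print("quarantine=%s -> migrated-SID ACL: %s, Authenticated Users ACL: %s"
              % ((state,) + evaluate(state)))
```

With quarantine set to False, the model's trusting domain honors every SID the trusted domain presents, SID history included, which is why the resolution below restores access.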



RESOLUTION
To resolve this problem, use the Netdom command-line tool to disable SID filtering in the trusting domain. The Netdom command-line tool is included in the Windows Support Tools package.

To disable SID filtering, follow these steps:

 1. Log on to a domain controller in the trusting domain by using an account that has domain administrator rights.
 2. Click Start, click Run, type cmd, and then click OK.
 3. If the domain controller is running Windows Server 2003, type the following command at a command prompt, and then press ENTER:

    NETDOM TRUST Trusting_Domain /Domain:Trusted_Domain /Quarantine:NO

    If the domain controller is running Windows 2000, type the following command at a command prompt, and then press ENTER:

    Netdom trust  /D:  /UD: \Administrator /PD:   /UO: \Administrator /PO:  /filtersids:no

    Notes
     * The  placeholder represents the Windows 2000-based domain.
     * The  placeholder represents the Windows Server 2003-based domain.
     * The /UD: \Administrator parameter represents the administrator account to connect to the trusted domain.
     * The /UO: \Administrator parameter represents the administrator account to connect to the trusting domain.
 4. Type exit, and then press ENTER.


MORE INFORMATION
For information about how to download the Windows Server 2003 SP2 Support Tools package, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939B-9A772EA2DF90&displaylang=en

For information about how to download the Windows 2000 Service Pack 4 Support Tools package, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyID=f08d28f3-b835-4847-b810-bb6539362473&displaylang=en

For more information about a similar problem, click the following article number to view the article in the Microsoft Knowledge Base:

893191 The security IDs for built-in domain groups are filtered in Windows Server 2003

Keywords: kbexpertiseinter kbtshoot kbprb KB939089


© Microsoft Corporation. All rights reserved.