SID History access is not working for Domain Admins or Domain Users. (NETIQKB42498)

  • 7742498
  • 02-Feb-2007
  • 23-May-2008


Domain Migration Administrator 7.x

Microsoft Windows Server 2003

SID History access is not working for Domain Admins or Domain Users.

This issue may be a result of the design of Windows 2003. By default, Windows 2003 installs with SID filtering enabled. SID filtering prevents authentication based on a SID from a trusted domain if that SID is not the primary SID of the account attempting to gain access. SID filtering can be disabled on the specific trust object. However, even after SID filtering is disabled, Domain Users and Domain Admins cannot use SID history to access resources in a Windows 2003 domain. Access must be granted either to a different group that was migrated with SID history or to the actual user account itself. Windows 2003 does not appear to allow access based on the SID history of Well Known accounts.


To resolve this issue, consider the following solutions:

  • Create a new group in the source domain that contains the same users as the Well Known group to which you need to grant access. Replace the original Well Known group on all file and data permissions with the newly created source group. Migrate that group with SID history.
  • Use the DMA Translate Security Settings wizard to add the target Well Known groups to all ACLs that currently contain the source Well Known groups.
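
Before applying either solution, it helps to know where the source Well Known groups appear on ACLs. The following PowerShell script is an added example, not part of the original article or of Domain Migration Administrator: it reads file-system ACLs under a folder and lists the entries that reference the source domain's Domain Admins (RID 512) or Domain Users (RID 513) group. The root path and the source domain SID are constructed placeholders, and the function name is hypothetical.

```powershell
# Added example: read-only audit of file-system ACLs for the source domain's
# Domain Admins / Domain Users groups. Both defaults below are constructed
# placeholders, not values from the article.
param(
    [string]$Root = 'D:\Shares',
    [string]$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'
)

# Domain-relative RIDs of the two Well Known groups this article names.
$WellKnownRids = @{ '512' = 'Domain Admins'; '513' = 'Domain Users' }

function Get-WellKnownSourceAce {
    param([string]$Path, [string]$DomainSid, [hashtable]$Rids)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL on ${Path}: $($_.Exception.Message)"
        return
    }

    # Request raw SIDs instead of translated names so that entries still match
    # when the source domain can no longer resolve them.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($sid -notlike "${DomainSid}-*") { continue }

        # Whatever follows the domain SID is the RID; only 512/513 are reported.
        $rid = $sid.Substring($DomainSid.Length + 1)
        if (-not $Rids.ContainsKey($rid)) { continue }

        [pscustomobject]@{
            Path      = $Path
            Group     = $Rids[$rid]
            Sid       = $sid
            Rights    = $rule.FileSystemRights
            Type      = $rule.AccessControlType
            Inherited = $rule.IsInherited
        }
    }
}

# Check the root folder itself, then everything beneath it.
$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
foreach ($item in $items) {
    Get-WellKnownSourceAce -Path $item.FullName -DomainSid $SourceDomainSid -Rids $WellKnownRids
}
```

Rows where Inherited is False mark the folders and files on which the entry is set explicitly, which are the places a replacement or added entry has to be made.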


For more information, refer to the following Microsoft article:

The security IDs for built-in domain groups are filtered in Windows Server 2003 (Microsoft Knowledge Base article 893191)

Additional Information

Formerly known as NETIQKB42498