SID History access is not working for Domain Admins or Domain Users. (NETIQKB42498)

  • 7742498
  • 02-Feb-2007
  • 23-May-2008

Resolution

fact
Domain Migration Administrator 7.x

fact
Microsoft Windows Server 2003

symptom
SID History access is not working for Domain Admins or Domain Users.

cause
This issue may result from the design of Windows 2003. By default, Windows 2003 installs with SID filtering enabled. SID filtering prevents authentication based on a SID from a trusted domain if that SID is not the primary SID of the account attempting to gain access. SID filtering can be disabled on a specific trust object. However, even after SID filtering is disabled, Domain Users and Domain Admins cannot use SID history to access resources in a Windows 2003 domain. Access must be granted either to a different group that was migrated with SID history or to the user account itself. Windows 2003 does not appear to allow access based on the SID history of Well Known accounts.

fix

To resolve this issue, consider the following solutions:

  • Create a new group in the source domain that contains the same users as the Well Known group that you need to grant access. Replace the original Well Known group on all file and data permissions with the newly created source group. Migrate that group with SID history.
  • Use the DMA Translate Security Settings wizard to add the target Well Known groups to all ACLs that currently contain the source Well Known groups.
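
To find where either solution has to be applied, the following PowerShell script lists the explicit file-system ACEs under a directory whose trustee is the source domain's Domain Admins (RID 512) or Domain Users (RID 513) group. It is an added example, not part of the original article or of Domain Migration Administrator; the function names, the domain SID and the share path are hypothetical placeholders.

```powershell
# Added example; the domain SID and share path are constructed placeholders.
# RIDs of the two well-known domain groups named in this article.
$WellKnownRids = @{ '512' = 'Domain Admins'; '513' = 'Domain Users' }

function Get-WellKnownSourceGroup {
    # Returns the group name if $Sid is <SourceDomainSid>-<well-known RID>, else $null.
    param(
        [Parameter(Mandatory = $true)][System.Security.Principal.SecurityIdentifier]$Sid,
        [Parameter(Mandatory = $true)][string]$SourceDomainSid
    )
    $domain = $Sid.AccountDomainSid   # $null for non-domain SIDs such as S-1-5-32-544
    if ($null -eq $domain -or $domain.Value -ne $SourceDomainSid) { return $null }
    $rid = $Sid.Value.Split('-')[-1]
    return $WellKnownRids[$rid]
}

function Find-WellKnownSourceAce {
    # Lists explicit ACEs under the directory $Root that name a source well-known group.
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$SourceDomainSid
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if ($null -eq $acl) { continue }
        # ($true, $false) = explicit ACEs only; inherited ones are corrected at the parent.
        foreach ($rule in $acl.GetAccessRules($true, $false, $sidType)) {
            $group = Get-WellKnownSourceGroup -Sid $rule.IdentityReference -SourceDomainSid $SourceDomainSid
            if ($group) {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Group  = $group
                    Sid    = $rule.IdentityReference.Value
                    Type   = $rule.AccessControlType
                    Rights = $rule.FileSystemRights
                }
            }
        }
    }
}

# Constructed source-domain SID, for illustration only.
$src = 'S-1-5-21-1111111111-2222222222-3333333333'
Get-WellKnownSourceGroup -Sid "${src}-513"  -SourceDomainSid $src   # source Domain Users SID
Get-WellKnownSourceGroup -Sid "${src}-1105" -SourceDomainSid $src   # SID of an ordinary group
# Find-WellKnownSourceAce -Root '\\fileserver\share' -SourceDomainSid $src
```

Each object returned identifies an ACE that needs the replacement source group or the target Well Known group added.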


note

For more information, refer to the following Microsoft article:

The security IDs for built-in domain groups are filtered in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;893191



Additional Information

Formerly known as NETIQKB42498