Re: SID Filtering vs. SIDhistory

From: Rich Roller (rich_at_*REMOVE-THIS*r2c.com)
Date: 01/27/04


Date: Tue, 27 Jan 2004 14:23:21 -0500

Yes you're right Eric. SIDhistory seems to be working fine and
yet SIDfiltering is active. And that's the puzzle.

Also, the trust *is* going to live for a little while, probably
longer than we all would like, for an Interop phase, exactly as
you surmised. So SIDhistory over the trusts *has* to work
reliably during this period.

Our hunch is to leave it as is (SIDfiltering active) just because
that's how we were testing (no one took the step of turning
SIDfiltering off for the trusts) and our tests have generally been
positive. Make sense? That what you would do?

The only hesitation is all that I've seen written, including the
trust wizard itself, seems to say that SIDfiltering can break
SIDhistory which is why I'm a bit perplexed. Still if it seems to
work in our case, maybe we should just assume it *is* working and
proceed with our real migration. We certainly don't have extra
time on our hands... the deadline is looming.

I appreciate all of your time/advice on this.

-Rich

p.s. I'm not really interested in delving into the inner trust
attributes with LDIF.

"Eric Fleischman [MSFT]" <efleis@online.microsoft.com> wrote in
message news:OV7tgNO5DHA.504@TK2MSFTNGP11.phx.gbl...
> Actually it sounded like Rich was saying the opposite. IE I am using sid
> history and sid filtering, yet sid history appears to be working and I
> anticipated it should not be. Correct me if I'm wrong here Rich.
>
> ~Eric
>
> --
> Eric Fleischman [MSFT]
> This posting is provided "AS IS" with no warranties, and confers no rights
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
>
>
> "Laura A. Robinson [MVP]" <geekwench@snippit.hotmail.com> wrote in message
> news:MPG.1a7fb5ba380ba9c398a9e0@msnews.microsoft.com...
> > circa Mon, 26 Jan 2004 21:19:59 -0600, in
> > microsoft.public.windows.server.security, Eric Fleischman [MSFT]
> > (efleis@online.microsoft.com) said,
> > > 2) Why does it seem that sid filtering isn't working?
> > >
> > It doesn't. He said that it *is* working, and he's wondering why. :-)
> >
> > Laura
>
>


