Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

You can't use the Active Directory shadow principal groups feature for groups that are always filtered out in Windows



Symptoms

A Windows Server 2012 R2 domain controller that receives an incoming Kerberos ticket-granting ticket (TGT) from across a forest trust boundary always filters out of the PAC all group SIDs that represent well-known accounts with low-number RIDs in its domain, such as the SID of the "Domain Admins" group in its domain. This issue occurs when a domain controller in another forest is at the Windows Server 2016 Technical Preview functional level and that forest holds a shadow principal group whose SID represents a well-known account.



Resolution

To fix this issue, install the May 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2.

Note: This update adds the new trust flag TRUST_ATTRIBUTE_PIM_TRUST to Windows Server 2012 R2 domain controllers. The flag enables those domain controllers to recognize the Kerberos tickets coming from the bastion forest. After you install this update, the domain controller allows this flag to be set on the trustAttributes attribute of a trusted domain object in its system container, and the domain controller interprets the groups when it performs SID filtering.
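
An added example (not part of the KB article and not Microsoft's code): a PowerShell audit that decodes trustAttributes on trusted domain objects and reports which trusts carry TRUST_ATTRIBUTE_PIM_TRUST, so the flag can be confirmed to exist only on the trust to the intended bastion forest. The bit values come from the MS-ADTS trustAttributes definition rather than from this page; the function name, the allowlist parameter and the sample trusts are assumptions constructed for illustration.

```powershell
# Added example. Bit values per the MS-ADTS trustAttributes definition (not from this page).
$TrustFlags = [ordered]@{
    NON_TRANSITIVE      = 0x001
    UPLEVEL_ONLY        = 0x002
    QUARANTINED_DOMAIN  = 0x004
    FOREST_TRANSITIVE   = 0x008
    CROSS_ORGANIZATION  = 0x010
    WITHIN_FOREST       = 0x020
    TREAT_AS_EXTERNAL   = 0x040
    USES_RC4_ENCRYPTION = 0x080
    PIM_TRUST           = 0x400   # TRUST_ATTRIBUTE_PIM_TRUST
}

function Get-PimTrustReport {     # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $TrustedDomain,
        [string[]] $ExpectedBastion = @()   # forests allowed to hold a PIM trust
    )
    foreach ($tdo in $TrustedDomain) {
        $attrs = [int]$tdo.trustAttributes
        # Names of every known bit that is set on this trusted domain object
        $set   = @($TrustFlags.Keys | Where-Object { $attrs -band $TrustFlags[$_] })
        $isPim = ($attrs -band $TrustFlags.PIM_TRUST) -ne 0
        $status = if (-not $isPim) { 'no PIM flag' }
                  elseif ($ExpectedBastion -contains $tdo.trustPartner) { 'PIM trust (expected)' }
                  else { 'PIM trust (UNEXPECTED, review)' }
        [pscustomobject]@{
            TrustPartner = $tdo.trustPartner
            Attributes   = '0x{0:X}' -f $attrs
            Flags        = $set -join ','
            Status       = $status
        }
    }
}

# Constructed sample input so the block runs without a directory.
# With the ActiveDirectory module, real input would come from:
#   Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
#       -SearchBase "CN=System,$((Get-ADDomain).DistinguishedName)" `
#       -Properties trustPartner, trustAttributes
$sample = @(
    [pscustomobject]@{ trustPartner = 'priv.example.test';    trustAttributes = 0x448 }
    [pscustomobject]@{ trustPartner = 'partner.example.test'; trustAttributes = 0x008 }
    [pscustomobject]@{ trustPartner = 'other.example.test';   trustAttributes = 0x408 }
)

Get-PimTrustReport -TrustedDomain $sample -ExpectedBastion 'priv.example.test' |
    Format-Table -AutoSize
```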



Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.



References

Learn about the terminology that Microsoft uses to describe software updates.



Keywords: kbqfe, kbsurveynew, kbfix, kbexpertiseadvanced, kb


Article Info
Article ID : 3155495
Revision : 1
Created on : 1/7/2017
Published on : 5/18/2016
Exists online : False
Views : 184