
The security IDs for built-in domain groups are filtered in Windows Server 2003



Symptoms

After you migrate a built-in domain group, such as the Domain Users group or the Domain Admins group, while you are using security ID (SID) history, you receive the following error message:
Access is denied.
This symptom occurs if the following conditions are true:
  • You try to access a resource in a Microsoft Windows Server 2003 trusting domain.
  • The resource that you try to access has permissions that are defined by using the built-in group that you migrated.
Note: You cannot use the Active Directory Migration Tool (ADMT) version 2.0 to migrate SID history for built-in LOCAL groups or for built-in domain GLOBAL groups. Built-in LOCAL groups include the Administrators group, the Users group and the Power Users group. Built-in domain GLOBAL groups include Domain Admins and Domain Users. The behavior with built-in domain local groups occurs because the built-in account SIDs are the same in every domain; therefore, if you migrate these accounts to a destination domain, duplicate SIDs exist in the destination domain. However, although you cannot use ADMT version 2.0 to migrate SID history for built-in GLOBAL groups such as Domain Admins or Domain Users, you can migrate their SID history by using either of the following methods:
  • Use a third-party tool such as NetIQ.
  • Use the Sidhist.vbs Visual Basic script that is included with the ClonePrincipal Windows Server 2003 Support Tool.



Cause

The SID filtering mechanism was changed between Microsoft Windows 2000 and Windows Server 2003. In Windows 2000, turning off SID filtering on a trust turns it off for all SIDs. In Windows Server 2003, SID filtering cannot be turned off for built-in groups, even if it is turned off on the trust.

This issue occurs if the following conditions are true:
  • The access token of a security principal from a trusted domain passes a SID that matches a SID in the local domain.
  • That SID is the SID of a built-in group.
In this scenario, Windows Server 2003 removes this SID from the access token. This SID removal is known as SID filtering. In a migration scenario where the source domain is a Windows Server 2003 domain, users from a trusted domain cannot access resources in that source domain if those resources have only the following access control entries (ACEs) defined:
Source_domain_name\built-in_group_name
To use the SID history between domains, you must disable SID filtering on the trust between the source domain and the resource domain. If you disable the SID filtering for a trust, there are security implications that are described in Microsoft Security Bulletin MS02-001.

To reduce the security implications caused by disabling the SID filtering, the behavior of the SID filtering has changed between Windows 2000 Server and Windows Server 2003.

In Windows 2000 Server, the SID filtering functionality is either enabled or disabled for all SIDs on a particular trust. Additionally, the built-in group SIDs are not filtered when the SID filtering is disabled. In Windows Server 2003, the SID filtering can be enabled or disabled on specified trusts. However, the built-in SIDs from outside the domain are always filtered out.
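To make the two rule sets concrete, here is an added example (not code from this article or from Microsoft) that models a migrated user's token crossing the trust under each server version; the two domain SIDs, the user RID 1105 and the resource ACL are constructed placeholders, while RIDs 512 and 513 are the documented well-known RIDs of Domain Admins and Domain Users.

```python
# Added example (not Microsoft's code): a small model of the SID-filtering rules this article
# describes, so the "Access is denied" outcome can be traced SID by SID.
BUILTIN_LOCAL_PREFIX = "S-1-5-32"  # BUILTIN domain: identical in every Windows domain
# Well-known RIDs of built-in domain global groups (subset of the documented values).
BUILTIN_DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users"}

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-513' into ('S-1-5-21-a-b-c', 513)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def is_builtin(sid, local_domain_sid):
    """Built-in means a BUILTIN SID, or a well-known RID relative to the local domain."""
    domain, rid = split_sid(sid)
    return domain == BUILTIN_LOCAL_PREFIX or (domain == local_domain_sid and rid in BUILTIN_DOMAIN_RIDS)

def filter_token(token_sids, trusted_domain_sid, local_domain_sid, server_os, filtering_on):
    """Return (kept, removed) for a token that crosses the trust into local_domain_sid.

    With filtering on, both Windows 2000 and Windows Server 2003 drop every SID that is not
    relative to the trusted domain, which discards SID history. Windows Server 2003 also
    drops built-in SIDs unconditionally, whatever the trust setting.
    """
    kept, removed = [], []
    for sid in token_sids:
        foreign = split_sid(sid)[0] != trusted_domain_sid
        if (filtering_on and foreign) or (server_os == "2003" and is_builtin(sid, local_domain_sid)):
            removed.append(sid)
        else:
            kept.append(sid)
    return kept, removed

def access_granted(kept_sids, acl_allowed_sids):
    """The resource grants access only if a surviving token SID appears in its ACL."""
    return any(sid in acl_allowed_sids for sid in kept_sids)

SOURCE = "S-1-5-21-100-200-300"  # resource (source) domain, constructed placeholder
TARGET = "S-1-5-21-400-500-600"  # migrated-to (target) domain, constructed placeholder
TOKEN = [TARGET + "-1105", TARGET + "-513",  # user's new SID and new Domain Users
         SOURCE + "-1105", SOURCE + "-513"]  # sIDHistory: old user SID and old Domain Users
ACL = {SOURCE + "-513"}  # the resource lists only Source_domain_name\Domain Users

def demo(server_os):
    """SID filtering is off on the trust in both runs; only the server version differs."""
    kept, _ = filter_token(TOKEN, TARGET, SOURCE, server_os, filtering_on=False)
    return access_granted(kept, ACL)

if __name__ == "__main__":
    for os_name in ("2000", "2003"):
        print(os_name, "granted" if demo(os_name) else "Access is denied.")
```

The Windows 2000 run keeps the source domain's Domain Users SID from SID history and grants access; the Windows Server 2003 run strips that built-in SID even though filtering is off on the trust, which is the denial the Symptoms section describes.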



More information

Built-in groups are also known as "well-known" groups.

For more information about migrating accounts while you are using SID history, visit the following Microsoft Web site:

For more information about migrating accounts without using SID history, visit the following Microsoft Web site:

For more information about the security implications of using the SID history for access control, visit the Microsoft Security Bulletin MS02-001 at the following Microsoft Web site:

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.



Keywords: KB893191, kbinfo, kbhowto, kberrmsg, kbenv


Article Info
Article ID : 893191
Revision : 5
Created on : 11/5/2009
Published on : 11/5/2009
Exists online : False
Views : 534