24 December, 2010

SID History & SID Filtering

Security Identifier
Every object in Active Directory has a SID.
An object's SID changes when the object is deleted or migrated to another domain.

Suppose an administrator adds a user account to a printer and grants that user permissions in its ACL. Active Directory does not store the user name in the ACL; it sees the user as a SID and grants the permission to that SID, not to the user name. Now suppose we migrate this user to another domain. As stated above, migration changes the SID. Does the user lose access to that printer after the migration?

The answer is "SID History"

SID History: the ability of Active Directory to retain an object's old SID when the object is migrated, so that the permissions granted to that object in the old domain (the one it was migrated out of) are not lost.
In simple terms, SID History lets you carry your old SID along with you into the new domain. After the migration, the object has both an old SID (from the old domain, kept in the sIDHistory attribute) and a new SID (from the new domain).

By default SID History is NOT enabled; it has to be enabled manually by running a command.

To view if SID History is Enabled/Disabled:

To Enable SID History:

SID Filtering
Enabled automatically on external trusts.
Used to filter out SIDs belonging to other domains (such as sIDHistory entries) from a trusted domain, to enhance security.

To view if SID Filtering is Enabled/Disabled:

To Disable SID Filtering:
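As an added audit example, not part of the original post: a PowerShell script that lists which accounts still carry an old SID in sIDHistory and which trusts have SID filtering (quarantine) switched off, the two states described in the sections above. It assumes the ActiveDirectory module's Get-ADObject and Get-ADTrust cmdlets (Windows Server 2012 or later); the function names are my own.

```powershell
# Added audit script, not from the original post. Assumes the ActiveDirectory
# PowerShell module (RSAT) with Get-ADTrust, i.e. Windows Server 2012 or later,
# run by an account that can read the domain and its trust objects.
Import-Module ActiveDirectory

# Accounts that still carry a SID from another domain in the sIDHistory
# attribute. Each entry is the SID the account had in the domain it was
# migrated out of; ACLs in that domain still refer to this old SID.
function Get-SidHistoryAccounts {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -SearchBase $SearchBase `
        -Properties sAMAccountName, objectSid, sIDHistory |
    ForEach-Object {
        $obj = $_
        foreach ($old in $obj.sIDHistory) {
            [pscustomobject]@{
                Account    = $obj.sAMAccountName
                CurrentSid = $obj.objectSid.Value
                OldSid     = $old.Value
                OldDomain  = $old.AccountDomainSid.Value   # domain part of the old SID
            }
        }
    }
}

# Trusts and their SID filtering state. SIDFilteringQuarantined is the
# "quarantine" flag: the trusting domain discards any SID in an incoming
# ticket that does not belong to the trusted domain itself, sIDHistory
# entries included. It is on by default for external trusts, so an external
# trust with it off (the state a migration needs) is worth a finding once
# the migration is finished. Forest trusts use SIDFilteringForestAware
# instead; it is reported here but not judged.
function Get-TrustSidFilteringStatus {
    Get-ADTrust -Filter * | ForEach-Object {
        $external = -not $_.IntraForest -and -not $_.ForestTransitive
        [pscustomobject]@{
            Trust       = $_.Name
            Direction   = $_.Direction
            Type        = if ($_.IntraForest) { 'intra-forest' }
                          elseif ($_.ForestTransitive) { 'forest' } else { 'external' }
            Quarantined = $_.SIDFilteringQuarantined
            ForestAware = $_.SIDFilteringForestAware
            Finding     = if ($external -and -not $_.SIDFilteringQuarantined) {
                              'SID filtering disabled' } else { '' }
        }
    }
}

Get-SidHistoryAccounts      | Format-Table -AutoSize
Get-TrustSidFilteringStatus | Format-Table -AutoSize
```

Run it from the domain being migrated into; the first table shows who still depends on SID History, the second shows where SID filtering has been turned off to let those old SIDs through.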