Thursday, July 21, 2011

Disable SID Filtering - Access is denied.

I went and attempted to disable SID Filtering over some trust links to prepare for SID History during domain migration using the following command:

netdom trust TrustingDomainName /domain: TrustedDomainName /quarantine:No /userD: domainadministratorAcct /passwordD: domainadminpwd

http://technet.microsoft.com/en-us/library/cc772816.aspx

When doing this I got the following error (click to enlarge):



After research I found the cause. “Network access: Allow anonymous SID/name translation” was set to disabled on the Trusted Domain. This this should be enabled on domain controllers – please see http://technet.microsoft.com/en-us/library/cc728431.aspx.

To disable SID Filtering you must Enable anonymous SID/name translation on your Default Domain Controllers GPO for the Trusted Domain.

I set it to enabled. This policy is located under:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\



After this the problem was resolved:



Note: Access is denied can also be caused if you use NetBIOS names instead of FQDN's for the domain names.
Posted by at
Labels: ,

5 comments:

  1. AnonymousJanuary 23, 2012 at 2:46 AM

    great post I run into the same issue but easily solved the problem thanks to your post.

    ReplyDelete
  2. AnonymousApril 25, 2012 at 5:57 AM

    Completely agree, great post!

    ReplyDelete
  3. UnknownJuly 5, 2012 at 11:28 PM

    Nice article..keep up the good work...
    Take this tip from me! Take a break during the weekends!
    Take a rest from your hard computer work and spend some quality time outdoors!


    portland data recovery

    ReplyDelete
  4. mahqDecember 24, 2012 at 8:01 PM

    Thank you very much!

    ReplyDelete
  5. AnonymousOctober 30, 2013 at 9:10 AM

    Great, thanks!

    ReplyDelete

Subscribe to: Post Comments (Atom)