Thursday, July 21, 2011

Disable SID Filtering - Access is denied.

I went and attempted to disable SID Filtering over some trust links to prepare for SID History during domain migration using the following command:

netdom trust TrustingDomainName /domain: TrustedDomainName /quarantine:No /userD: domainadministratorAcct /passwordD: domainadminpwd

When doing this I got the following error (click to enlarge):

After research I found the cause. “Network access: Allow anonymous SID/name translation” was set to disabled on the Trusted Domain. This this should be enabled on domain controllers – please see

To disable SID Filtering you must Enable anonymous SID/name translation on your Default Domain Controllers GPO for the Trusted Domain.

I set it to enabled. This policy is located under:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

After this the problem was resolved:

Note: Access is denied can also be caused if you use NetBIOS names instead of FQDN's for the domain names.


  1. great post I run into the same issue but easily solved the problem thanks to your post.

  2. Completely agree, great post!

  3. Nice article..keep up the good work...
    Take this tip from me! Take a break during the weekends!
    Take a rest from your hard computer work and spend some quality time outdoors!

    portland data recovery