Channel: Directory Services forum

Question regarding SID History filtering


Hi All,

We are working to test the security of an Active Directory external trust. As per Microsoft TechNet articles, if we disable SID history filtering then the Administrators in the trusted domain can misuse this by adding the SID of an Administrator in the trusting domain to their own SID history.

While testing this we have created 2 separate forests on Windows 2016 servers, created an external trust between the forests, disabled SID filtering on both domains and enabled SID history in both domains, and added the SID of one domain's Administrator to the other domain's Administrator SID history. But when I try to access any resource on the trusting domain with the trusted domain ID it fails. On checking the logs of the trusting domain I found event ID 4675 for SID filtering of the Domain Admin account. When I perform the same activity on a standard user by providing standard access it works, which means SID filtering is properly disabled and SID history is enabled.

I am not sure if there is any security feature in Windows 2016 where Domain Admin or well-known SIDs are always filtered irrespective of the SID filtering settings.

If there is any such detail available, please help me with that.

Commands Used:

netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:no

netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /enablesidhistory:Yes
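As an added example (not part of the original post), a defender-side PowerShell audit that reports each trust's SID filtering flags, which are the settings the netdom commands above change, together with any recent event ID 4675 "SIDs were filtered" entries on the domain controller. It assumes the ActiveDirectory RSAT module is installed and the caller can read the Security log.

```powershell
# Added example, not from the original post: audit trust SID filtering
# settings and recent SID-filtering events on a domain controller.
Import-Module ActiveDirectory

# trustAttributes bits relevant to SID filtering ([MS-ADTS] trustAttributes)
$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4    # set by /quarantine:yes
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x8
$TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40   # set by /enablesidhistory:yes on a forest trust

function Get-TrustSidFilteringReport {
    # One row per trust, flagging trusts where SID filtering has been relaxed.
    Get-ADTrust -Filter * | ForEach-Object {
        $attrs = [int]$_.TrustAttributes
        [pscustomobject]@{
            Trust                   = $_.Name
            Direction               = $_.Direction
            ForestTransitive        = (($attrs -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) -ne 0)
            Quarantined             = (($attrs -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0)
            TreatAsExternal         = (($attrs -band $TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL) -ne 0)
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined
            SIDFilteringForestAware = $_.SIDFilteringForestAware
            # Relaxed filtering is what lets foreign sIDHistory entries be honoured,
            # so these trusts deserve a closer look.
            Finding = if (-not $_.SIDFilteringQuarantined -or -not $_.SIDFilteringForestAware) {
                          'SID filtering relaxed - review'
                      } else { 'OK' }
        }
    }
}

function Get-SidFilteringEvents {
    param([int]$Days = 7)
    # Event 4675 is logged on the trusting DC when SIDs from a trusted domain are filtered.
    $filter = @{ LogName = 'Security'; Id = 4675; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }, Message
}

Get-TrustSidFilteringReport | Format-Table -AutoSize
Get-SidFilteringEvents -Days 7 | Format-List TimeCreated, Message
```

Run on a domain controller of the trusting domain; a relaxed trust in the first table combined with 4675 entries in the second shows which SIDs the DC still refused even after quarantine was lifted.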

