Title: Message
Not sure where it's written, but essentially the authenticating DC merges the SIDs contained in the sIDHistory attribute, along with the SIDs of the groups the principal is a member of, into the security token for the authenticating process. When Windows does an access check, the evaluation compares all the SIDs in the process' token to the SIDs of each ACE in the ACL. This means that the user will be granted access to resources in domains where the SIDs in his sIDHistory are used to ACL the resources. I think you have to explicitly add old group memberships to the sIDHistory, but I'm sure about that.
 
You might also check the KBs on SID filtering.
 
-gil

Gil Kirkpatrick
CTO, NetPro
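As an added illustration (not part of Gil's reply or anything else in this thread), here is a small Python model of the access check he describes: the token is built from the primary SID, the group SIDs and the sIDHistory entries, each ACE is compared against that SID list in order, and an optional SID-filtering step drops SIDs that do not belong to the account's own domain. All domain identifiers, RIDs, the group name and the ACL are constructed for the example; real SID filtering has a longer list of exceptions than the single well-known-SID rule used here.

```python
from dataclasses import dataclass

# Constructed domain identifiers in S-1-5-21-<domain>-<RID> form (not real values)
OLD_DOMAIN = "S-1-5-21-1111-2222-3333"   # domain the account was migrated from
NEW_DOMAIN = "S-1-5-21-4444-5555-6666"   # domain the account now lives in

READ = 0x1
WRITE = 0x2


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int   # access bits this ACE applies to


@dataclass
class Principal:
    sid: str
    group_sids: list
    sid_history: list


def domain_of(sid):
    """Strip the RID to get the domain identifier; well-known SIDs are returned unchanged."""
    return sid.rsplit("-", 1)[0] if sid.startswith("S-1-5-21-") else sid


def build_token(principal, sid_filtering=False, account_domain=None):
    """Merge primary SID, group SIDs and sIDHistory into the token's SID list.

    With sid_filtering=True (SID filtering / quarantine on the trust), every
    domain SID that is not from the account's own domain is dropped, which is
    exactly what cuts off access that relied on sIDHistory entries.
    """
    sids = [principal.sid] + list(principal.group_sids) + list(principal.sid_history)
    if sid_filtering:
        sids = [s for s in sids
                if not s.startswith("S-1-5-21-") or domain_of(s) == account_domain]
    return sids


def access_check(token_sids, acl, desired):
    """Walk the ACL in order with Windows semantics: a matching deny ACE for any
    still-wanted right denies; matching allow ACEs accumulate granted bits until
    every wanted bit is granted. Falling off the end with bits left means denied."""
    remaining = desired
    present = set(token_sids)
    for ace in acl:
        if ace.sid not in present:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


OLD_GROUP = OLD_DOMAIN + "-1105"   # constructed: the old-domain group that ACLs a share

migrated_user = Principal(
    sid=NEW_DOMAIN + "-1500",
    group_sids=[NEW_DOMAIN + "-513"],                 # Domain Users in the new domain
    sid_history=[OLD_DOMAIN + "-1050", OLD_GROUP],    # old user SID plus old group SID
)
share_acl = [Ace("allow", OLD_GROUP, READ | WRITE)]  # share in the old domain


def demo():
    """Same share, three situations: sIDHistory present, SID filtering on, no history."""
    fresh_user = Principal(NEW_DOMAIN + "-1501", [NEW_DOMAIN + "-513"], [])
    return {
        "with_sid_history": access_check(build_token(migrated_user), share_acl, READ),
        "sid_filtered": access_check(
            build_token(migrated_user, sid_filtering=True, account_domain=NEW_DOMAIN),
            share_acl, READ),
        "no_sid_history": access_check(build_token(fresh_user), share_acl, READ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'granted' if result else 'denied'}")
```

The "sid_filtered" case is the one the SID filtering KBs describe: once the trust drops foreign-domain SIDs from the token, the old group SID carried in sIDHistory no longer matches any ACE, so the migrated account loses the access it had through history.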

-----Original Message-----
From: Kitchens Arthur E [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 11:45 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] SID history

Might anyone have any pointers to documentation on the specifics of how SID history actually works? Specifically, how the old group participation (and resource ACL'ing) relates to the new account/SID when those resources are accessed (if it does at all). I've looked and have not found anything. TIA.

A. E. Kitchens
phone 904-301-3578
voice mail 904-665-0555
fax 904-301-3625
Atonally DO:RE:MI:FA:SO:LA:TI:DO

It is the greatest of all advantages to enjoy no advantage at all. -Henry David Thoreau, naturalist and author (1817-1862)
