1
00:00:01,140 --> 00:00:06,310
Another point you want to just remember for your AZ‑801 exam is SID filtering,

2
00:00:06,310 --> 00:00:09,240
or SID quarantine as it's sometimes called.

3
00:00:09,240 --> 00:00:12,310
As you can see in the screenshot at the right here we're looking at a

4
00:00:12,310 --> 00:00:15,940
particular Active Directory user account's properties.

5
00:00:15,940 --> 00:00:19,170
And when you're in advanced view, you can view the underlying

6
00:00:19,170 --> 00:00:22,730
schema attributes. And I want you to see, you probably already

7
00:00:22,730 --> 00:00:26,110
know this, that every object, every user, specifically, is

8
00:00:26,110 --> 00:00:27,610
going to have a security ID.

9
00:00:27,610 --> 00:00:30,590
When you migrate a user to a new forest,

10
00:00:30,590 --> 00:00:35,100
that object is going to have a new, brand‑new SID that's generated from

11
00:00:35,100 --> 00:00:38,140
the domain in which the user has been migrated to.

12
00:00:38,140 --> 00:00:42,980
We don't want those migrated user accounts to be susceptible to misuse,

13
00:00:42,980 --> 00:00:48,010
like forging their old user SID into high privilege groups in the new domain,

14
00:00:48,010 --> 00:00:51,490
so this involves what's called the SID history attributes.

15
00:00:51,490 --> 00:00:55,450
So in this example at the right, the migrated user has the,

16
00:00:55,450 --> 00:01:01,760
I'm just looking at the last two digits, 36 as their new migrated user SID.

17
00:01:01,760 --> 00:01:07,190
But if we're honoring SID history, their previous, prior to the migration,

18
00:01:07,190 --> 00:01:11,690
their user SID ended in 87, and we're maintaining that. By default,

19
00:01:11,690 --> 00:01:16,730
SID quarantine, or SID filtering, is enabled; in other words, by default,

20
00:01:16,730 --> 00:01:21,530
the SIDs are actually filtered out of the user attributes.

21
00:01:21,530 --> 00:01:23,230
I want you to just be aware of this.

22
00:01:23,230 --> 00:01:26,930
There may be edge cases where you do want to override that. You can

23
00:01:26,930 --> 00:01:31,330
configure SID filtering behavior using either Windows PowerShell or

24
00:01:31,330 --> 00:01:35,610
the Netdom compiled executable. It's just something that would be

25
00:01:35,610 --> 00:01:37,300
specific to your use case.

26
00:01:37,300 --> 00:01:40,470
Check the docs on it. The docs are definitely on the

27
00:01:40,470 --> 00:01:42,250
old side with this because, again,

28
00:01:42,250 --> 00:01:50,000
it's been something that's in Active Directory for a long time and really hasn't changed in the last several years.