Do you have a sample event from this - something from the wild? I'm curious if this event really exists.
Also, if it does exist, what server would we see it on? I would think SID filtering is a domain-level event, but having it in the logon/logoff policy (instead of Account Logon Policy) confuses me. After all, assigning SIDs to a logon token is part of MS's little loop in Kerberos, and users don't produce logon/logoff events on a DC when connecting to a workstation or member server.
Thanks for any help!
<13>Feb 16 10:34:27 192.168.255.64 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=1.0.14 Source=Microsoft-Windows-Security-Auditing Computer=XXXXX.XXXXX.NET User= Domain= EventID=4675 EventIDCode=4675 EventType=16 EventCategory=12544 RecordNumber=23065964 TimeGenerated=1329406463 TimeWritten=1329406463 Message=SIDs were filtered. Target Account: Security ID: XX\username Account Name: - Account Domain: - Trust Information: Trust Direction: 2 Trust Attributes: 8 Trust Type: 2 TDO Domain SID: HH Filtered SIDs: XX\Domain Users
<13>Feb 16 10:33:06 192.168.255.64 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=1.0.14 Source=Microsoft-Windows-Security-Auditing Computer=XXXXX.XXXXX.NET User= Domain= EventID=4675 EventIDCode=4675 EventType=16 EventCategory=12544 RecordNumber=23065938 TimeGenerated=1329406383 TimeWritten=1329406383 Message=SIDs were filtered. Target Account: Security ID: XX\username Account Name: - Account Domain: - Trust Information: Trust Direction: 2 Trust Attributes: 8 Trust Type: 2 TDO Domain SID: HH Filtered SIDs: XX\Domain Users
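A parser for the flattened syslog form of event 4675 shown in the samples above, added here as an illustration; it is not part of the original thread. It decodes the Trust Direction, Trust Type and Trust Attributes integers using the documented trustedDomain attribute values; the function name `parse_4675` is this example's own, and `SAMPLE` is the first line posted above.

```python
import re

# Integer encodings of the trustedDomain attributes (MS-ADTS) that 4675 prints.
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
TRUST_TYPE = {1: "downlevel (Windows NT)", 2: "uplevel (Active Directory)",
              3: "MIT Kerberos realm", 4: "DCE"}
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE", 0x02: "UPLEVEL_ONLY", 0x04: "QUARANTINED_DOMAIN",
    0x08: "FOREST_TRANSITIVE", 0x10: "CROSS_ORGANIZATION", 0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL", 0x80: "USES_RC4_ENCRYPTION",
}
# Labels as they appear in the flattened Message text, section headers included.
LABELS = ["Target Account", "Security ID", "Account Name", "Account Domain",
          "Trust Information", "Trust Direction", "Trust Attributes",
          "Trust Type", "TDO Domain SID", "Filtered SIDs"]
LABEL_RE = re.compile(r"\s*(" + "|".join(LABELS) + r"):\s*")
REQUIRED = {"Security ID", "Trust Direction", "Trust Attributes", "Trust Type",
            "TDO Domain SID", "Filtered SIDs"}

def parse_4675(line):
    """Return the decoded fields of a forwarded 4675 event, or None otherwise."""
    head, sep, message = line.partition(" Message=")
    meta = dict(re.findall(r"(\w+)=(\S*)", head))  # key=value pairs before Message=
    if not sep or meta.get("EventID") != "4675":
        return None
    # Splitting on the labels yields [preamble, label, value, label, value, ...].
    parts = LABEL_RE.split(message.strip())
    fields = dict(zip(parts[1::2], parts[2::2]))
    if not REQUIRED <= fields.keys():
        return None  # truncated or differently formatted message
    attrs = int(fields["Trust Attributes"])
    return {
        "computer": meta.get("Computer"),
        "record": int(meta["RecordNumber"]),
        "target": fields["Security ID"],
        "direction": TRUST_DIRECTION.get(int(fields["Trust Direction"]), "unknown"),
        "type": TRUST_TYPE.get(int(fields["Trust Type"]), "unknown"),
        "attributes": [n for bit, n in TRUST_ATTRIBUTES.items() if attrs & bit],
        "tdo_domain_sid": fields["TDO Domain SID"],
        "filtered_sids": fields["Filtered SIDs"],
    }

# First sample line from the thread, copied as posted (already redacted there).
SAMPLE = r"<13>Feb 16 10:34:27 192.168.255.64 AgentDevice=WindowsLog AgentLogFile=Security PluginVersion=1.0.14 Source=Microsoft-Windows-Security-Auditing Computer=XXXXX.XXXXX.NET User= Domain= EventID=4675 EventIDCode=4675 EventType=16 EventCategory=12544 RecordNumber=23065964 TimeGenerated=1329406463 TimeWritten=1329406463 Message=SIDs were filtered. Target Account: Security ID: XX\username Account Name: - Account Domain: - Trust Information: Trust Direction: 2 Trust Attributes: 8 Trust Type: 2 TDO Domain SID: HH Filtered SIDs: XX\Domain Users"

if __name__ == "__main__":
    print(parse_4675(SAMPLE))
```

For the posted sample this decodes to an outbound, forest-transitive trust of the Active Directory (uplevel) type, with `XX\Domain Users` as the filtered SID.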