diff --git a/libcli/security/dom_sid.c b/libcli/security/dom_sid.c
index 2f80a36..31e3f4e 100644
--- a/libcli/security/dom_sid.c
+++ b/libcli/security/dom_sid.c
@@ -109,6 +109,10 @@ int dom_sid_compare_domain(const struct dom_sid *sid1,
 n = MIN(sid1->num_auths, sid2->num_auths);
+ /* for comparing full sid+rid */
+ if (n == 5)
+ n--;
+
 for (i = n-1; i >= 0; --i)
 if (sid1->sub_auths[i] != sid2->sub_auths[i])
 return sid1->sub_auths[i] - sid2->sub_auths[i];
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 3099ff0..c62ed77 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -976,6 +976,14 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 if (sid_check_is_in_builtin(&sids[i])) {
 continue;
 }
+ /* ignore any possible sIDHistory entries */
+ if (!lp_allow_trusted_domains() &&
+ dom_sid_compare_domain(sid, &sids[i])) {
+ DEBUG(10,("ads lookup_usergroups ignoring "
+ "%s: outside of the trusted domain\n",
+ sid_string_dbg(&sids[i])));
+ continue;
+ }
 status = add_sid_to_array_unique(mem_ctx, &sids[i], user_sids, &num_groups);
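Review bot: The `if (n == 5) n--;` special case in dom_sid_compare_domain() changes the result for every caller of this shared helper, not only the new winbindd check: two SIDs that each carry five sub-authorities and differ only in the last one no longer differ in this loop, while pairs with any other count are still compared in full. The bare 5 also encodes an assumption the code does not state, presumably that a five-element SID is a domain SID followed by a RID. Leaving the comparator unchanged and having the caller pass a domain SID (or strip the RID from a copy first) would confine the new semantics to the one place that needs them; if the special case stays, it needs a comment such as `/* 5 sub-authorities = domain SID + RID; ignore the RID */` and an audit of the existing callers. The function body starts and ends outside the hunk, so what follows the loop is not visible here.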
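Review bot: The filter added to lookup_usergroups() compares each group SID against `sid`, the SID being looked up, so its correctness depends on the five-sub-authority special case that the first hunk adds to dom_sid_compare_domain(). Comparing against the domain's own SID, e.g. `dom_sid_compare_domain(&domain->sid, &sids[i])` (assuming `struct winbindd_domain` carries the domain SID as `sid` in this tree), should give the same decision without touching the shared helper. The comment `/* ignore any possible sIDHistory entries */` is narrower than the code: with trusted domains disabled every SID outside the user's domain is dropped, and with them enabled nothing is filtered, which the comment should say. Because this decides which SIDs reach the user's token, logging the drop only at debug level 10 makes the decision hard to audit, and a lower level may be appropriate. `sid` and the enclosing loop are declared outside the hunk.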