Foreign Security Principals

Welcome Forums General PowerShell Q&A Foreign Security Principals

Viewing 1 reply thread
  • Author
    • #17791
      Topics: 4
      Replies: 2
      Points: 0
      Rank: Member

      Does anyone know of a PowerShell script to document Active Directory foreign security principals such as what domain the FSP is from, group memberships, is the FSP orphaned?


    • #17836
      Topics: 0
      Replies: 79
      Points: 6
      Rank: Member

      I think the AD module can handle most, if not all, of this:

      # Get a list of FSPs
      Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" }
      # The .NET Framework should be able to translate any that aren't orphaned:
      Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } | ForEach-Object {
      	([System.Security.Principal.SecurityIdentifier] $_.Name).Translate([System.Security.Principal.NTAccount])
      # You can also get the groups and whether or not the FSP is orphaned (this 
      # assumes that a translation error means that the object is orphaned; that 
      # might not always be the case):
      Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } -Properties memberof | ForEach-Object {
          $Orphaned = $false
          $TranslatedName = $null
          try {
              $TranslatedName = ([System.Security.Principal.SecurityIdentifier] $_.Name).Translate([System.Security.Principal.NTAccount])
          catch {
              $Orphaned = $true
          New-Object PSObject -Property @{
              Name = $_.Name
              TranslatedName = $TranslatedName
              Orphaned = $Orphaned
              Groups = $_.MemberOf | Get-ADGroup #| select -ExpandProperty Name

      If you don’t have the AD module, you can still do this, it’ll just take a little more work.

      Is this what you were looking for?

Viewing 1 reply thread
  • The topic ‘Foreign Security Principals’ is closed to new replies.