Foreign Security Principals

This topic contains 1 reply, has 2 voices, and was last updated by Rohn Edwards 2 years, 4 months ago.

  • #17791
    Marty
    Participant

    Does anyone know of a PowerShell script to document Active Directory foreign security principals such as what domain the FSP is from, group memberships, is the FSP orphaned?

    Thanks,
    Marty

  • #17836
    Rohn Edwards
    Participant

    I think the AD module can handle most, if not all, of this:

    # Get a list of FSPs
    Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" }

    # The .NET Framework should be able to translate any that aren't orphaned:
    Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } | ForEach-Object {
        ([System.Security.Principal.SecurityIdentifier] $_.Name).Translate([System.Security.Principal.NTAccount])
    }

    # You can also get the groups and whether or not the FSP is orphaned (this
    # assumes that a translation error means that the object is orphaned; that
    # might not always be the case):
    Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } -Properties memberof | ForEach-Object {

        $Orphaned = $false
        $TranslatedName = $null
        try {
            $TranslatedName = ([System.Security.Principal.SecurityIdentifier] $_.Name).Translate([System.Security.Principal.NTAccount])
        }
        catch {
            $Orphaned = $true
        }

        New-Object PSObject -Property @{
            Name = $_.Name
            TranslatedName = $TranslatedName
            Orphaned = $Orphaned
            Groups = $_.MemberOf | Get-ADGroup #| select -ExpandProperty Name
        }
    }


    If you don't have the AD module, you can still do this, it'll just take a little more work.

    Is this what you were looking for?
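An added example (not code from either poster) that extends the approach above to the "what domain is the FSP from" part of the question: it maps each FSP's domain SID (the SID minus its final RID) to the trusted domains returned by Get-ADTrust, so an FSP whose account no longer translates can still be tied to a trust, and a failed translation can be separated into "trust is gone" versus "trust exists but the account does not resolve". It assumes the ActiveDirectory module and that Get-ADTrust exposes the trusted domain's SID in its SecurityIdentifier property; well-known SIDs such as Authenticated Users, which appear as FSPs in every domain, are reported separately rather than as orphans.

```powershell
# Added example: report FSPs with source domain, group memberships and a resolution status.
# Assumes the ActiveDirectory module; the Get-ADTrust SecurityIdentifier lookup is an assumption.
Import-Module ActiveDirectory

function Get-FspReport {
    # Map trusted-domain SID -> trust name so an FSP can be tied to its source domain
    # even when the account itself no longer resolves.
    $trustBySid = @{}
    foreach ($t in Get-ADTrust -Filter *) {
        if ($t.SecurityIdentifier) { $trustBySid[[string]$t.SecurityIdentifier] = $t.Name }
    }

    Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } -Properties memberOf, whenCreated |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier] $_.Name
        $translated = $null
        try { $translated = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        # Well-known SIDs (S-1-5-11 Authenticated Users, etc.) are not account SIDs,
        # have no source domain and are never orphaned.
        $wellKnown = -not $sid.IsAccountSid()
        $domainSid = if ($wellKnown) { $null } else { $sid.AccountDomainSid.Value }
        $trustName = if ($domainSid) { $trustBySid[$domainSid] } else { $null }

        $status = if ($wellKnown) { 'WellKnown' }
                  elseif ($translated) { 'Resolved' }
                  elseif (-not $trustName) { 'Orphaned-NoTrust' }        # trust removed: memberships are dead weight
                  else { 'Unresolved-TrustExists' }                      # trust present: deleted account or trust outage

        [pscustomobject]@{
            Sid            = $sid.Value
            TranslatedName = $translated
            SourceDomain   = $trustName
            Status         = $status
            GroupCount     = @($_.memberOf).Count
            Groups         = (@($_.memberOf) | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
            Created        = $_.whenCreated
        }
    }
}

# Unresolved FSPs that still hold group memberships are the ones to review first.
Get-FspReport |
    Where-Object { $_.Status -notin 'Resolved', 'WellKnown' -and $_.GroupCount -gt 0 } |
    Sort-Object GroupCount -Descending |
    Format-Table Sid, SourceDomain, Status, GroupCount, Groups -AutoSize
```

Run it from a domain-joined host with access to the trusted domains; a trust that is temporarily unreachable will show as Unresolved-TrustExists rather than Orphaned-NoTrust, which is the distinction the simple try/catch cannot make.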
