Author Posts

August 5, 2014 at 8:38 am

Does anyone know of a PowerShell script to document Active Directory foreign security principals such as what domain the FSP is from, group memberships, is the FSP orphaned?

Thanks,
Marty

August 6, 2014 at 7:03 pm

I think the AD module can handle most, if not all, of this:

# Get a list of FSPs
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" }

# The .NET Framework should be able to translate any that aren't orphaned:
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } | ForEach-Object {
	([System.Security.Principal.SecurityIdentifier] $_.Name).Translate([System.Security.Principal.NTAccount])
}

# You can also get the groups and whether or not the FSP is orphaned (this 
# assumes that a translation error means that the object is orphaned; that 
# might not always be the case):
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } -Properties memberof | ForEach-Object {
    
    $Orphaned = $false
    $TranslatedName = $null
    try {
        $TranslatedName = ([System.Security.Principal.SecurityIdentifier] $_.Name).Translate([System.Security.Principal.NTAccount])
    }
    catch {
        $Orphaned = $true
    }

    New-Object PSObject -Property @{
        Name = $_.Name
        TranslatedName = $TranslatedName
        Orphaned = $Orphaned
        Groups = $_.MemberOf | Get-ADGroup #| select -ExpandProperty Name
    }
}

If you don't have the AD module, you can still do this, it'll just take a little more work.

Is this what you were looking for?