After a successful migration you have to remove Foreign Security Principals from the domain local groups.
This article is all about a simple task that turned out to be a challenge:
Basics of Foreign Security Principals (FSP)
First you create a trust between two domains or two forests. Then resources can be accessed from both of them, provided the right permissions are in place.
You get a Foreign Security Principal object in the trusting domain when:
- a user account of the trusted domain
- becomes a member of a domain local group of the trusting domain.
So the FSP object, not the foreign user itself, is what becomes a member of the domain local group.
FSPs are stored in a container named “ForeignSecurityPrincipals”
(you can only see it if you enable “Advanced Features” in the Active Directory Users and Computers snap-in).
FSP objects are named after the SID of the foreign object (the original article shows a colour-coded example of such a name):
- the part in orange is the domain SID of the trusted domain
- the part in red is the RID of the object
Deleting the FSPs
After the migration most of the objects became members of the domain local groups in the target domain, and usually you should delete them. A PowerShell script can do the task fairly easily. You can also check whether a member is an FSP: look at the value of the „MemberOf” attribute of the groups. It contains only the Distinguished Name (DN) of the Foreign Security Principal, as in the naming example above. If you have more than one trusted domain you also have to check where the FSP comes from, because it has to be from the correct source domain. You can tell easily by the domain SID in its name.
This method seemed worth trying:
- Bind the group object with Get-ADGroup.
- Loop through the “MemberOf” values with a ForEach loop.
- Check the domain SID.
- Delete unwanted FSPs via Remove-ADGroupMember.
Despite lots of research and browsing, Remove-ADGroupMember could not remove the FSPs.
The syntax of Remove-ADGroupMember is as follows:
Remove-ADGroupMember [-Identity] <ADGroup> [-Members] <ADPrincipal>
The difficulty was the object types Remove-ADGroupMember accepts. It recognizes only “User, Group and Computer” as ADPrincipal. It did not accept the object type “Foreign Security Principal” as an input parameter.
The DELL (Quest) PowerShell cmdlets turned out to be the easy solution.
The cmdlet Remove-QADGroupMember removes FSPs from groups if you bind the FSP object to a variable first:
# Bind the FSP by its DN (CN = SID of the foreign object), then remove it from the group
$FSPobj = Get-QADObject "CN=S-1-5-21-123456789-123456789-1234567890-123456,CN=ForeignSecurityPrincipals,DC=domain,DC=com"
Remove-QADGroupMember -Identity <GroupName> -Member $FSPobj
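The four steps above put together into one script, as an added example that is not part of the original article: it reads the group's membership with Get-ADGroup (the group stores the member DNs in its member attribute), keeps only FSPs whose name starts with the source domain SID, and removes them with the Quest cmdlets. The function name, parameter names, the sample group and the sample SID are made up for this example; it assumes the ActiveDirectory module and the ActiveRoles Management Shell are both loaded.

```powershell
# Added example (not the article's own code): remove the FSPs of one source
# domain from a domain local group. Assumes the ActiveDirectory module
# (Get-ADGroup) and the Quest/DELL cmdlets (Get-QADObject, Remove-QADGroupMember).
function Remove-SourceDomainFsp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        # Domain SID of the source (trusted) domain, without the trailing RID
        [Parameter(Mandatory)] [string] $SourceDomainSid
    )

    # Step 1: bind the group and read its membership. The member attribute holds
    # the DNs; an FSP's DN sits under CN=ForeignSecurityPrincipals and its CN is
    # the SID of the foreign object (domain SID + "-" + RID).
    $group = Get-ADGroup -Identity $GroupName -Properties member

    # Steps 2 and 3: keep only FSPs whose SID begins with the source domain SID.
    # The "-\d+," after the domain SID stops S-1-5-21-1 from matching S-1-5-21-10.
    $pattern = '^CN=' + [regex]::Escape($SourceDomainSid) + '-\d+,CN=ForeignSecurityPrincipals,'
    $fspDns = @($group.member | Where-Object { $_ -match $pattern })

    if ($fspDns.Count -eq 0) {
        Write-Verbose "No FSPs from $SourceDomainSid found in $GroupName"
        return
    }

    # Step 4: Remove-ADGroupMember does not take an FSP as ADPrincipal, so bind
    # each FSP with Get-QADObject and remove it with Remove-QADGroupMember.
    foreach ($dn in $fspDns) {
        if ($PSCmdlet.ShouldProcess($dn, "Remove from group $GroupName")) {
            $fspObj = Get-QADObject -Identity $dn
            Remove-QADGroupMember -Identity $group.DistinguishedName -Member $fspObj
            Write-Verbose "Removed $dn from $GroupName"
        }
    }
}

# Dry run first: -WhatIf lists every FSP that would be removed without touching the group.
# Sample group name and domain SID are constructed values.
Remove-SourceDomainFsp -GroupName 'FileShare-RW' `
    -SourceDomainSid 'S-1-5-21-123456789-123456789-1234567890' -WhatIf -Verbose
```

Run it once with -WhatIf per group and compare the listed DNs against the migration report before dropping the switch, because the SID prefix is the only thing that ties an FSP to its source domain.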
Download the DELL (Quest) Active Directory cmdlets here:
Download ActiveRoles Management Shell for Active Directory 1.7