cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Trying to resolve foreignsecurityprincipal information

PeterJoInobits
Brass Contributor

‎May 17 2022 09:55 AM

‎May 17 2022 09:55 AM

Trying to resolve foreignsecurityprincipal information

Hi all

I'm trying to help a customer unpack some very large groups ie membercount>5000 and some of the members are groups and some are users and to add to the complexity some of the members are foreign security principals from other domains and forests.

 

I've come up with some thing that works but not completely and is very messy.

 

Is there a way in Powershell, using the AD Module cmdlets, to retrieve the information of a greignsecurityprincipal assuming the trust the domain in question still exists. 

 

I've cobbled together something that but I was wondering if there is a more elegant approach. 

 

I came across some information about the Translate method but I've not been able to figure that one out yet.. 

 

I find the syntax a bit arcane to be honest.. 

Any help would be appreciated

3,299 Views
0 Likes
1 Reply
Reply
1 Reply
LainRobertson

‎May 17 2022 05:36 PM - edited ‎May 17 2022 06:57 PM

‎May 17 2022 05:36 PM - edited ‎May 17 2022 06:57 PM

Re: Trying to resolve foreignsecurityprincipal information

@PeterJoInobits 

 

Hi, Peter.

 

Here's a basic example involving the foreignSecurityPrincipal class and .Translate() method.

 

I don't use the ActiveDirectory module much though since it limits portability, so it's calling .NET directly from PowerShell.

 

You should be able to customise it to fit your needs.

 

([adsisearcher]::new("(objectClass=foreignSecurityPrincipal)", @("objectSid"))).FindAll() |
    ForEach-Object {
        $Sid = [System.Security.Principal.SecurityIdentifier]::new($_.Properties["objectSid"][0], 0); $Sid | Select-Object -Property Value, @{n="Name"; e= { $Sid.Translate([System.Security.Principal.NTAccount]) } };
    }

 

 

Assuming you're targeting classes that contains the objectSid attribute (only security principals contain an objectSid) then it returns output like the following:

 

LainRobertson_0-1652834146651.png

 

Cheers,

Lain

 

Edited for spelling corrections.

0 Likes
Reply