Does anyone know of a PowerShell script to document Active Directory foreign security principals, such as what domain the FSP is from, its group memberships, and whether the FSP is orphaned?
Thanks,
Marty
I think the AD module can handle most, if not all, of this:
```powershell
# Get a list of FSPs
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" }

# The .NET Framework should be able to translate any that aren't orphaned:
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } | ForEach-Object {
    ([System.Security.Principal.SecurityIdentifier] $_.Name).Translate([System.Security.Principal.NTAccount])
}

# You can also get the groups and whether or not the FSP is orphaned (this
# assumes that a translation error means that the object is orphaned; that
# might not always be the case):
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } -Properties memberof | ForEach-Object {
    $Orphaned = $false
    $TranslatedName = $null
    try {
        $TranslatedName = ([System.Security.Principal.SecurityIdentifier] $_.Name).Translate([System.Security.Principal.NTAccount])
    }
    catch {
        $Orphaned = $true
    }
    New-Object PSObject -Property @{
        Name           = $_.Name
        TranslatedName = $TranslatedName
        Orphaned       = $Orphaned
        Groups         = $_.MemberOf | Get-ADGroup #| select -ExpandProperty Name
    }
}
```
If you don’t have the AD module you can still do this; it’ll just take a little more work.
Is this what you were looking for?
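The answer above covers enumeration, translation and group membership, but leaves two things to the reader: which domain each FSP actually belongs to (the original question), and the caveat that a failed translation is not proof of an orphan. The script below is an added example, not the answerer's code: it derives the domain SID from each FSP's SID, maps it against the domain's trustedDomain objects, treats well-known SIDs (S-1-5-11 and friends, which also live in the ForeignSecurityPrincipals container) separately, and only reports "Orphaned" when the owning trust no longer exists. It assumes the ActiveDirectory module, PowerShell 3.0 or later, and a reachable DC; the function name Get-FspReport and the status labels are this example's own.

```powershell
# Added example (not from the original answer): classify every FSP by the
# domain its SID belongs to, using the trustedDomain objects as the map, and
# separate "the trust is gone" from "the lookup failed".
# Assumes the ActiveDirectory module, PowerShell 3.0+, and a reachable DC.
Import-Module ActiveDirectory

function Get-FspReport {
    $domain   = Get-ADDomain
    $localSid = $domain.DomainSID.Value

    # SID -> trust partner map from the trustedDomain objects in CN=System.
    # securityIdentifier holds the trusted domain's SID; the AD module normally
    # returns it as a SecurityIdentifier, but handle a raw byte[] as well.
    $trustBySid = @{}
    Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
                 -SearchBase "CN=System,$($domain.DistinguishedName)" `
                 -Properties securityIdentifier, trustPartner |
        ForEach-Object {
            $tsid = $_.securityIdentifier
            if ($tsid -is [byte[]]) {
                $tsid = New-Object System.Security.Principal.SecurityIdentifier($tsid, 0)
            }
            if ($tsid) { $trustBySid[$tsid.Value] = $_.trustPartner }
        }

    Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties memberOf |
        ForEach-Object {
            # The CN of an FSP is its SID in string form.
            $sid = [System.Security.Principal.SecurityIdentifier] $_.Name
            $origin = $null; $status = $null; $translated = $null

            if (-not $sid.IsAccountSid()) {
                # Well-known SIDs such as S-1-5-11 (Authenticated Users) or
                # S-1-5-4 (Interactive) are FSPs too; they have no home domain
                # and are never orphaned.
                $origin = 'WellKnown'
            } else {
                $domainSid = $sid.AccountDomainSid.Value
                if     ($domainSid -eq $localSid)               { $origin = $domain.DNSRoot }
                elseif ($trustBySid.ContainsKey($domainSid))    { $origin = $trustBySid[$domainSid] }
                else                                            { $origin = 'NoMatchingTrust' }
            }

            try {
                $translated = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $status = 'Resolved'
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # No mapping: the principal was deleted in its home domain, OR the
                # home domain's DCs could not be reached. Only call it orphaned
                # when the trust itself is gone; otherwise flag it for a re-check.
                $status = if ($origin -eq 'NoMatchingTrust') { 'Orphaned' } else { 'Unresolved' }
            } catch {
                $status = "LookupFailed: $($_.Exception.GetType().Name)"
            }

            [PSCustomObject]@{
                Sid            = $sid.Value
                OriginDomain   = $origin
                Status         = $status
                TranslatedName = $translated
                Groups         = ($_.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }) -join '; '
            }
        }
}

# Usage: table on screen, or pipe to Export-Csv for the documentation.
Get-FspReport | Sort-Object OriginDomain, Status | Format-Table -AutoSize
```

Rows with Status "Unresolved" are the ones to revisit once you have confirmed the trust is healthy (for example with Test-ComputerSecureChannel or by running the report from a DC that can reach the partner); an FSP that stays unresolved with a working trust is the real cleanup candidate, and its Groups column tells you what access it still carries.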