Does anyone know of a PowerShell script to document Active Directory foreign security principals such as what domain the FSP is from, group memberships, is the FSP orphaned?
Thanks,
Marty
I think the AD module can handle most, if not all, of this:
# Get a list of FSPs
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" }

# The .NET Framework should be able to translate any that aren't orphaned
# (an FSP's Name is its SID string, so it casts straight to a SecurityIdentifier):
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } | ForEach-Object {
    ([System.Security.Principal.SecurityIdentifier] $_.Name).Translate([System.Security.Principal.NTAccount])
}

# You can also get the groups and whether or not the FSP is orphaned (this
# assumes that a translation error means that the object is orphaned; that
# might not always be the case):
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } -Properties memberof | ForEach-Object {
    $Orphaned = $false
    $TranslatedName = $null
    try {
        # Translate() throws when the SID cannot be resolved; that is what the flag keys off
        $TranslatedName = ([System.Security.Principal.SecurityIdentifier] $_.Name).Translate([System.Security.Principal.NTAccount])
    }
    catch {
        $Orphaned = $true
    }
    [PSCustomObject] @{
        Name           = $_.Name
        TranslatedName = $TranslatedName
        Orphaned       = $Orphaned
        # foreach over an empty/null MemberOf runs zero times, so FSPs with no groups don't break the loop
        Groups         = foreach ($GroupDN in $_.MemberOf) { Get-ADGroup -Identity $GroupDN } #| select -ExpandProperty Name
    }
}
If you don't have the AD module, you can still do this; it'll just take a little more work.
Is this what you were looking for?
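Building on the answer above, here is a fuller inventory script as an added example (not code from the original post). It answers the three questions in the question directly: it maps the domain part of each FSP's SID to the trustedDomain objects under CN=System to say which trust the FSP came from, it separates "the trust no longer exists" from "the trust exists but the SID didn't resolve" instead of treating every translation failure as an orphan, and it lists direct group memberships. It assumes the ActiveDirectory module, a reachable domain controller, and that the securityIdentifier attribute of trustedDomain objects comes back either as a SecurityIdentifier or as raw bytes (both are handled). Function names and the output file name are my own.

```powershell
# Added example: inventory the FSPs in the current domain, resolve their source
# trust, classify them, and record direct group memberships. Not from the original post.
Import-Module ActiveDirectory

# Map "domain SID" -> trust details from the trustedDomain objects in CN=System.
# securityIdentifier may arrive as a SecurityIdentifier or as a byte[] (assumption:
# depends on module version), so both forms are converted.
function Get-TrustSidTable {
    $table = @{}
    $systemDn = "CN=System,$((Get-ADDomain).DistinguishedName)"
    Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' -SearchBase $systemDn `
        -Properties securityIdentifier, trustPartner, flatName, trustDirection |
    ForEach-Object {
        $raw = $_.securityIdentifier
        $sid = if ($raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($raw, 0) }
               elseif ($raw)          { [System.Security.Principal.SecurityIdentifier] $raw }
               else                   { $null }
        if ($sid) {
            $table[$sid.Value] = [PSCustomObject]@{
                Partner   = $_.trustPartner
                FlatName  = $_.flatName
                Direction = $_.trustDirection   # 1 = inbound, 2 = outbound, 3 = bidirectional
            }
        }
    }
    return $table
}

function Get-FspReport {
    $trustBySid = Get-TrustSidTable
    Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' `
        -Properties objectSid, memberOf, whenCreated |
    ForEach-Object {
        $sid = [System.Security.Principal.SecurityIdentifier] $_.objectSid
        # AccountDomainSid is $null for well-known SIDs such as S-1-5-11 (Authenticated Users),
        # which also live in CN=ForeignSecurityPrincipals but belong to no trust.
        $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }
        $trust     = if ($domainSid) { $trustBySid[$domainSid] } else { $null }

        $translated = $null; $translateError = $null
        try   { $translated = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $translateError = $_.Exception.Message }

        # No trustedDomain object for that domain SID => the trust was removed and the FSP
        # can never resolve again. A failed translation with the trust still present may be a
        # deleted account, but may also be an unreachable DC or selective authentication,
        # so it is reported separately rather than declared orphaned.
        $status = if (-not $domainSid)  { 'WellKnown' }
                  elseif ($translated)  { 'Resolved' }
                  elseif (-not $trust)  { 'Orphaned-NoTrust' }
                  else                  { 'Unresolved-TrustExists' }

        # foreach over a null/empty memberOf runs zero times; @() makes Count reliable.
        $groups = @(foreach ($dn in $_.memberOf) { (Get-ADGroup -Identity $dn).SamAccountName })
        $source = if ($trust) { $trust.Partner } elseif ($domainSid) { $domainSid } else { 'well-known' }

        [PSCustomObject]@{
            SID               = $sid.Value
            SourceDomain      = $source
            TrustDirection    = if ($trust) { $trust.Direction } else { $null }
            TranslatedName    = $translated
            Status            = $status
            TranslateError    = $translateError
            GroupCount        = $groups.Count
            Groups            = $groups -join ';'
            Created           = $_.whenCreated
            DistinguishedName = $_.DistinguishedName
        }
    }
}

$report = Get-FspReport
$report | Sort-Object Status, SourceDomain |
    Format-Table SID, SourceDomain, TranslatedName, Status, GroupCount -AutoSize
$report | Export-Csv -Path .\FSP-Report.csv -NoTypeInformation
```

Two caveats when reading the output. Translate() has to contact a domain controller of the trusted domain, so run this from a machine that can reach the trust partners, or every FSP from a partner you cannot reach lands in Unresolved-TrustExists. And memberOf only shows group membership; an FSP can also be referenced directly in ACLs on objects, shares or GPOs, which this report does not enumerate, so an FSP with GroupCount 0 is not necessarily unused.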