
How to Resolve Foreign Security Principals in PowerShell

Learn how to resolve foreign security principals in PowerShell when retrieving users of a local group. This article explains the problem and the solution with examples and references.

If you are working with Active Directory groups in PowerShell, you may encounter a situation where some of the group members are not from the same domain as the group. These members are called foreign security principals (FSPs), and they are represented by their security identifiers (SIDs) in the format of S-1-5-21-… instead of their names or account names. This can make it difficult to identify who these members are and what domain they belong to.

In this article, we will show you how to resolve foreign security principals in PowerShell when retrieving users of a local group. We will explain what FSPs are, why they occur, and how to translate them to their corresponding names and domains. We will also provide some examples and references for further reading.

What are Foreign Security Principals?

Foreign security principals are objects that represent security principals from another domain or forest. They are created when a security principal from one domain is added to a group in another domain. For example, if you have a user from domain A and add them to a group in domain B, a foreign security principal object will be created in domain B to represent the user from domain A.

Foreign security principals have the following characteristics:

  • They have the object class of foreignSecurityPrincipal.
  • They have the name attribute set to the SID of the security principal they represent.
  • They have the objectSid attribute set to the same SID as the name attribute.
  • They do not carry the usual account attributes, such as displayName, sAMAccountName, or userPrincipalName.
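The following script is an added example (not part of the original article) that lists the foreignSecurityPrincipal objects in the current domain and checks the characteristics above: that the name attribute equals the objectSid, and which source domain the SID points at. It uses only System.DirectoryServices, so it does not need the ActiveDirectory module; it assumes a domain-joined machine and the standard CN=ForeignSecurityPrincipals container. The function name Get-LocalDomainFsp is a placeholder chosen for this example. Well-known SIDs such as S-1-5-11 (Authenticated Users) also appear as FSPs and have no domain part, which the script reports as a null DomainSid; an FSP that is no longer a member of any group is a stale leftover worth cleaning up.

```powershell
# Added example: enumerate FSPs in the current domain and verify their properties.
# Assumes a domain-joined machine; Get-LocalDomainFsp is a placeholder name.

function Get-LocalDomainFsp {
    # RootDSE tells us the distinguished name of the current domain
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = $rootDse.defaultNamingContext.Value
    # FSPs are stored in the well-known ForeignSecurityPrincipals container
    $container = [ADSI]"LDAP://CN=ForeignSecurityPrincipals,$domainDn"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter   = "(objectClass=foreignSecurityPrincipal)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@("name", "objectSid", "memberOf"))

    foreach ($result in $searcher.FindAll()) {
        # objectSid comes back as a byte array; convert it to a SecurityIdentifier
        $sidBytes = $result.Properties["objectsid"][0]
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        $name = $result.Properties["name"][0]

        [pscustomobject]@{
            Name           = $name
            Sid            = $sid.Value
            # The name attribute is the SID string itself, as described in the article
            NameMatchesSid = ($name -eq $sid.Value)
            # Domain part of the SID (S-1-5-21-...); $null for well-known SIDs like S-1-5-11
            DomainSid      = $(if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null })
            # Zero groups means the FSP is no longer referenced and is a stale object
            GroupCount     = $result.Properties["memberof"].Count
        }
    }
}

# Stale (unreferenced) FSPs sort to the top
Get-LocalDomainFsp | Sort-Object GroupCount | Format-Table -AutoSize
```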

Why do Foreign Security Principals Occur?

Foreign security principals occur because of the way Active Directory handles group membership across domains and forests. When a security principal from one domain is added to a group in another domain, Active Directory does not store the full information about the security principal in the group. Instead, it stores only the SID of the security principal, which is unique and immutable across domains and forests. This way, Active Directory can ensure that the group membership is consistent and secure, regardless of any changes in the security principal’s name, account name, or domain.

However, this also means that when you query the group membership in PowerShell, you will see only the SIDs of the foreign security principals, not their names or account names. This can make it hard to identify who these members are and what domain they belong to.

How to Resolve Foreign Security Principals in PowerShell?

To resolve foreign security principals in PowerShell, you need to do two things:

Step 1: Find out the DNS name of the domain that the foreign security principal belongs to.

To find out the DNS name of the domain, you can use the following methods:

Method 1: Use the Get-ADTrust cmdlet to get the trust relationships between your domain and other domains. Then, compare the SID of the foreign security principal with the securityIdentifier attribute of the trust objects to find the matching domain. For example:

# Get-ADTrust comes from the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

# Get the trust objects for the current domain
$trusts = Get-ADTrust -Filter *

# Get the SID of the foreign security principal as a SecurityIdentifier object
$fspSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1111111111-1111111111-1111111111-1111")

# The domain part of the SID (everything except the trailing RID) identifies the source domain
$fspDomainSid = $fspSid.AccountDomainSid

# Loop through the trust objects and find the matching domain
$domainDns = $null
foreach ($trust in $trusts) {
  # Get the SID of the trusted domain (a SecurityIdentifier object)
  $trustSid = $trust.SecurityIdentifier
  # Check if the FSP's domain SID equals the trust SID (exact match, not a string prefix)
  if ($trustSid -and $fspDomainSid -eq $trustSid) {
    # Get the DNS name of the trusted domain
    $domainDns = $trust.TargetName
    # Break the loop
    break
  }
}

# Output the DNS name of the domain ($null if no trust matched)
$domainDns

Method 2: Use the [System.DirectoryServices.ActiveDirectory.Forest] class to get the current forest object and its domains. Then, loop through the domains and use the GetDirectoryEntry() method to get the domain SID. Compare the SID of the foreign security principal with the domain SID to find the matching domain. For example:

# Get the current forest object (requires a domain-joined machine)
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Get the SID of the foreign security principal as a SecurityIdentifier object
$fspSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1111111111-1111111111-1111111111-1111")

# The domain part of the SID identifies the source domain
$fspDomainSid = $fspSid.AccountDomainSid

# Loop through the domains in the forest
$domainDns = $null
foreach ($domain in $forest.Domains) {
  # objectSid is returned as a byte array; convert it to a SecurityIdentifier
  $sidBytes  = $domain.GetDirectoryEntry().Properties["objectSid"].Value
  $domainSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
  # Check if the FSP's domain SID equals the domain SID
  if ($fspDomainSid -eq $domainSid) {
    # Get the DNS name of the domain
    $domainDns = $domain.Name
    # Break the loop
    break
  }
}

# Output the DNS name of the domain ($null if no domain matched)
$domainDns

Step 2: Bind to the foreign security principal object using the SID and the DNS name of the domain.

To bind to the foreign security principal object using the SID and the DNS name of the domain, you can use the [ADSI] type accelerator and the LDAP syntax. For example:

# Get the SID of the foreign security principal
$fspSid = "S-1-5-21-1111111111-1111111111-1111111111-1111"

# Get the DNS name of the domain
$domainDns = "example.com"

# Bind to the object using the SID and the DNS name (the <SID=...> form binds by SID)
$fsp = [ADSI]"LDAP://$domainDns/<SID=$fspSid>"

# The bind is lazy: the first property access is where a bad SID or unreachable domain fails
try {
  # Output the distinguishedName of the foreign security principal object
  $fsp.distinguishedName
} catch {
  Write-Warning "Could not bind to SID $fspSid in $($domainDns): $($_.Exception.Message)"
}

Alternatively, you can use the [System.Security.Principal.SecurityIdentifier] class to translate the SID of the foreign security principal to the NTAccount name, which includes the domain name and the account name. For example:

# Get the SID of the foreign security principal
$fspSid = "S-1-5-21-1111111111-1111111111-1111111111-1111"

# Create a SecurityIdentifier object from the SID
$fspSidObj = New-Object System.Security.Principal.SecurityIdentifier($fspSid)

# Translate the SID to the NTAccount name (DOMAIN\name); this fails with
# IdentityNotMappedException when the trust is gone or the account was deleted
try {
  $fspName = $fspSidObj.Translate([System.Security.Principal.NTAccount]).Value
} catch [System.Security.Principal.IdentityNotMappedException] {
  $fspName = $null
  Write-Warning "SID $fspSid could not be mapped to an account"
}

# Output the NTAccount name of the foreign security principal
$fspName
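Putting Step 1 and Step 2 together, the following function is an added example (not the article's own code) that takes a group name, picks out the members that are foreign security principals, finds each one's source domain from the trust list, and translates the SID to a DOMAIN\name account. It assumes the ActiveDirectory module and a domain-joined machine; the function name Resolve-GroupForeignMember and the group name "Finance-Readers" are placeholders chosen for this example. The Status column separates cleanly resolved members from the two cases a reviewer of group membership cares about: an FSP whose domain is still trusted but whose account no longer resolves (likely deleted), and one whose domain matches no current trust (a leftover from a removed trust).

```powershell
# Added example: resolve the FSP members of one AD group.
# Assumes the ActiveDirectory module; names below are placeholders.

Import-Module ActiveDirectory

function Resolve-GroupForeignMember {
    param(
        [Parameter(Mandatory)][string]$GroupName
    )

    # Step 1 lookup: domain SID string -> DNS name, built from the current domain's trusts
    $trustByDomainSid = @{}
    foreach ($trust in Get-ADTrust -Filter *) {
        if ($trust.SecurityIdentifier) {
            $trustByDomainSid[$trust.SecurityIdentifier.Value] = $trust.TargetName
        }
    }

    # The member attribute holds distinguished names; FSPs live under the
    # ForeignSecurityPrincipals container, so filter on the DN before binding
    $group = Get-ADGroup -Identity $GroupName -Properties member
    foreach ($memberDn in $group.member) {
        if ($memberDn -notmatch '^CN=[^,]+,CN=ForeignSecurityPrincipals,') { continue }

        $member = Get-ADObject -Identity $memberDn -Properties objectSid
        $sid = $member.objectSid            # SecurityIdentifier object
        $domainSid = $sid.AccountDomainSid  # $null for well-known SIDs such as S-1-5-11

        $domainDns = $null
        if ($domainSid -and $trustByDomainSid.ContainsKey($domainSid.Value)) {
            $domainDns = $trustByDomainSid[$domainSid.Value]
        }

        # Step 2: translate SID -> DOMAIN\name; an unmapped SID means a stale member
        $account = $null
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = $null
        }

        [pscustomobject]@{
            Group     = $group.Name
            Sid       = $sid.Value
            DomainDns = $domainDns
            Account   = $account
            Status    = $(if ($account) { "Resolved" }
                          elseif ($domainDns) { "TrustedDomainButUnresolved" }
                          else { "UnknownDomainOrStale" })
        }
    }
}

# Example call; "Finance-Readers" is a placeholder group name
Resolve-GroupForeignMember -GroupName "Finance-Readers" | Format-Table -AutoSize
```

Running this periodically over privileged groups and acting on anything that is not "Resolved" is a cheap way to keep cross-domain membership from accumulating SIDs that nobody can account for.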

Frequently Asked Questions (FAQs)

Question: What is a foreign security principal?

Answer: A foreign security principal is an object that represents a security principal from another domain or forest. It has the object class of foreignSecurityPrincipal and the name attribute set to the SID of the security principal it represents.

Question: Why do foreign security principals occur?

Answer: Foreign security principals occur because of the way Active Directory handles group membership across domains and forests. When a security principal from one domain is added to a group in another domain, Active Directory stores only the SID of the security principal in the group, not the full information.

Question: How to resolve foreign security principals in PowerShell?

Answer: To resolve foreign security principals in PowerShell, you need to find out the DNS name of the domain that the foreign security principal belongs to, and then bind to the foreign security principal object using the SID and the DNS name of the domain. Alternatively, you can translate the SID of the foreign security principal to the NTAccount name, which includes the domain name and the account name.

Summary

In this article, we have learned how to resolve foreign security principals in PowerShell when retrieving users of a local group. We have explained what FSPs are, why they occur, and how to translate them to their corresponding names and domains. We have also provided some examples and references for further reading. We hope this article has been helpful and informative for you. If you have any questions or feedback, please feel free to leave a comment below. Thank you for reading.