Wednesday, January 5, 2011

Dealing with the foreignSecurityPrincipal Object Class

If you run multiple forests in your Active Directory environment, you may establish a trust between them so that groups in the trusting forest can be populated, and permissions assigned, with accounts from the trusted forest. Those accounts are not copied into the trusting forest. Each one is represented by a foreignSecurityPrincipal object under CN=ForeignSecurityPrincipals whose cn is the account's SID (S-1-5-21-... followed by the RID). If you are enumerating those groups or auditing those permissions with PowerShell, you therefore get a SID back rather than a name, and you need to translate it. Below is a quick code sample showing how to obtain enough information to query the trusted domain for detailed information about the object: the SID is wrapped in a SecurityIdentifier and translated to an NTAccount, which yields DOMAIN\sAMAccountName. Knowing the domain and sAMAccountName, one can perform an ADSI search in the trusted forest. Two caveats for anyone using this in an access review: the translation has to reach a domain controller in the trusted forest through the trust, and it throws IdentityNotMappedException when the account has since been deleted there (an orphaned foreignSecurityPrincipal, which is itself worth flagging); and well-known SIDs such as Everyone (S-1-1-0) or Authenticated Users (S-1-5-11) are also stored as foreignSecurityPrincipals but translate to names like Everyone or NT AUTHORITY\Authenticated Users that name no trusted domain, so the split below does not give you anything to search for in their case.
# $object is the foreignSecurityPrincipal entry; its cn is the trusted account's SID as a string
$securityPrincipalObject = New-Object System.Security.Principal.SecurityIdentifier($object.cn)
# Resolve the SID through the trust to DOMAIN\sAMAccountName (throws IdentityNotMappedException if unresolvable)
($domain, $sAMAccountName) = ($securityPrincipalObject.Translate([System.Security.Principal.NTAccount]).Value).Split("\")
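The following is an added example, not code from the original post, that carries the idea through end to end: it walks a group in the trusting forest, resolves each foreignSecurityPrincipal member through the trust, handles well-known and orphaned SIDs, and then runs the ADSI search in the trusted domain by sAMAccountName. The group DN and domain names are placeholders, and mapping the NetBIOS domain name returned by the translation to a DNS name via the local trustedDomain objects is my choice, not something the post describes.

```powershell
# Added example (not from the original post). Names, DNs and domains are placeholders.

function ConvertTo-LdapFilterValue {
    # Escape a value for embedding in an LDAP filter (RFC 4515) so a crafted
    # sAMAccountName cannot alter the query we send to the trusted domain.
    param([Parameter(Mandatory=$true)][string]$Value)
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Resolve-TrustedDomainDns {
    # NTAccount translation returns the NetBIOS (flat) name; ADSI binding wants a
    # DNS name. The trustedDomain objects under CN=System in the local domain
    # carry both (flatName and trustPartner). Assumption: one trust per flat name.
    param([Parameter(Mandatory=$true)][string]$FlatName)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$($rootDse.defaultNamingContext)"
    $searcher.Filter = "(&(objectClass=trustedDomain)(flatName=$(ConvertTo-LdapFilterValue $FlatName)))"
    [void]$searcher.PropertiesToLoad.Add('trustPartner')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    return [string]$hit.Properties['trustpartner'][0]
}

function Resolve-ForeignSecurityPrincipal {
    # $Sid is the foreignSecurityPrincipal's cn, i.e. the SID string.
    param([Parameter(Mandatory=$true)][string]$Sid)
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $info = @{ Sid = $Sid; Domain = $null; SamAccountName = $null; DistinguishedName = $null; Status = $null }

    # Well-known SIDs (Everyone, Authenticated Users, ...) also live under
    # CN=ForeignSecurityPrincipals but belong to no domain: nothing to search for.
    if ($null -eq $sidObj.AccountDomainSid) {
        $info.Status = 'well-known SID, not a trusted-forest account'
        return New-Object PSObject -Property $info
    }

    try {
        $ntAccount = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Orphaned FSP (account deleted in the trusted forest) or the trust is
        # unreachable; either way it deserves attention during an access review.
        $info.Status = 'unresolvable: deleted account or trust not reachable'
        return New-Object PSObject -Property $info
    }
    $parts = $ntAccount.Split('\', 2)
    $info.Domain = $parts[0]
    $info.SamAccountName = $parts[1]

    $dnsDomain = Resolve-TrustedDomainDns -FlatName $info.Domain
    if (-not $dnsDomain) {
        $info.Status = "no trustedDomain object for $($info.Domain)"
        return New-Object PSObject -Property $info
    }

    # Serverless bind to the trusted domain; the DC locator finds a DC via the trust.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$dnsDomain"
    $searcher.Filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $info.SamAccountName))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'userAccountControl'))
    $hit = $searcher.FindOne()
    if ($null -eq $hit) {
        $info.Status = 'resolved, but not found by sAMAccountName in the trusted domain'
    } else {
        $info.DistinguishedName = [string]$hit.Properties['distinguishedname'][0]
        $info.Status = 'found'
        # Bit 0x2 of userAccountControl is ACCOUNTDISABLE; a disabled trusted
        # account still sits in the group, so report it. Groups have no UAC.
        if ($hit.Properties.Contains('useraccountcontrol')) {
            $uac = [int]$hit.Properties['useraccountcontrol'][0]
            if ($uac -band 0x2) { $info.Status = 'found (disabled)' }
        }
    }
    return New-Object PSObject -Property $info
}

function Get-ForeignGroupMembers {
    # Enumerate a group in the trusting forest and resolve its FSP members.
    # Groups with more than 1500 members need ranged retrieval of 'member',
    # which this example does not implement.
    param([Parameter(Mandatory=$true)][string]$GroupDn)
    $group = [ADSI]"LDAP://$GroupDn"
    foreach ($memberDn in @($group.member)) {
        $member = [ADSI]"LDAP://$memberDn"
        if (@($member.objectClass) -contains 'foreignSecurityPrincipal') {
            Resolve-ForeignSecurityPrincipal -Sid ([string]$member.cn)
        }
    }
}

# Placeholder group DN: point this at a real group in the trusting forest.
Get-ForeignGroupMembers -GroupDn 'CN=Fabrikam Server Operators,OU=Groups,DC=contoso,DC=local' |
    Format-Table Sid, Domain, SamAccountName, Status, DistinguishedName -AutoSize
```

Run it from a machine joined to the trusting domain with an account that can read the group and can query a domain controller in the trusted forest. The Status column is the part an auditor cares about: well-known SIDs are expected, but anything reported as unresolvable is an orphaned entry that still appears as a member or ACE and should be cleaned up, and a disabled account that is still a member is a standing privilege waiting to be re-enabled.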
