Searching for the user michael@mycontoso.com with the objectSid S-1-5-21-1234567890-123465789-123456789-123456, I only find a Foreign Security Principal.
Sadly, FSPs don't contain the LDAP path of the referenced object (if they contained one, it would need to be replicated whenever the object is renamed or moved).
There seems to be no easy way to get back the containing AD domain using a SID from a foreign forest.
If in the local forest, you can do it by binding to LDAP://.
A not-so-easy way is to build a domain SID to domain map.
Walk through each domain in the trusted forests and build the map using the script here (the "The Script Solution" section):
https://docs.microsoft.com/en-us/archive/blogs/ashleymcglone/powershell-sid-walker-texas-ranger-part-3-exporting-domain-sids-and-trusts
SIDs of security principals are in the form <domain SID>-<relative ID>.
E.g. the domain SID of S-1-5-21-1234567890-123465789-123456789-123456 is S-1-5-21-1234567890-123465789-123456789.
By extracting the domain SID (in .NET you can do it with the SecurityIdentifier class and its AccountDomainSid property) and looking it up in the map, you can find out the containing domain.
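Putting the answer's three steps together (build the domain SID map, split the FSP's SID with AccountDomainSid, look the domain up and then bind to the real object), as an added PowerShell example that is neither the answer's code nor the linked script. It assumes the RSAT ActiveDirectory module is available, that the local domain's trustedDomain objects carry the partner's domain SID in their securityIdentifier attribute, and that the trusted domain is reachable over LDAP for the final bind (the map lookup itself needs no cross-forest access). It goes slightly beyond the answer by also handling well-known SIDs such as Everyone (S-1-1-0), which show up as FSPs too but have no domain part.

```powershell
# Added example; not from the question, the answer, or the linked script.
# Assumes: RSAT ActiveDirectory module; trustedDomain objects expose the
# partner domain SID in securityIdentifier; trusted domains reachable for the
# final LDAP bind. All domain names are whatever your forest returns.

# Step 1: build the map  domain SID (string) -> domain DNS name.
function Get-DomainSidMap {
    $map = @{}

    # Every domain in the local forest.
    foreach ($dnsName in (Get-ADForest).Domains) {
        $dom = Get-ADDomain -Identity $dnsName
        $map[$dom.DomainSID.Value] = $dom.DNSRoot
    }

    # Every trusted domain known to the local domain. The trustedDomain object
    # stores the partner's domain SID locally, so building the map does not
    # require binding to the foreign forest.
    $trusts = Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
                           -Properties trustPartner, securityIdentifier
    foreach ($t in $trusts) {
        $raw = $t.securityIdentifier
        if ($null -eq $raw) { continue }      # e.g. a non-AD (MIT Kerberos) trust
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else {
            [System.Security.Principal.SecurityIdentifier]$raw
        }
        if (-not $map.ContainsKey($sid.Value)) { $map[$sid.Value] = $t.trustPartner }
    }
    return $map
}

# Step 2: split a principal's SID into <domain SID>-<RID> and look the domain up.
# For the question's SID, AccountDomainSid yields
# S-1-5-21-1234567890-123465789-123456789, which is the key into the map.
function Resolve-SidDomain {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][hashtable]$DomainSidMap
    )
    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    # AccountDomainSid is $null for well-known SIDs such as S-1-1-0 (Everyone)
    # or S-1-5-11 (Authenticated Users); those also appear as FSPs but belong
    # to no domain, so there is nothing to resolve.
    $domainSid = $sidObj.AccountDomainSid
    if ($null -eq $domainSid) { return $null }
    if ($DomainSidMap.ContainsKey($domainSid.Value)) { return $DomainSidMap[$domainSid.Value] }
    return $null
}

# Step 3: walk the FSP container (each FSP's CN is the foreign SID string),
# resolve the owning domain, then fetch the real object from that domain with
# ADSI SID binding. Only this last bind needs network access to the trusted domain.
$map  = Get-DomainSidMap
$fsps = Get-ADObject -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties objectSid
foreach ($fsp in $fsps) {
    $sid    = $fsp.objectSid.Value
    $domain = Resolve-SidDomain -Sid $sid -DomainSidMap $map
    if ($null -eq $domain) {
        Write-Output "$sid -> unknown (well-known SID, or its domain is not in the map)"
        continue
    }
    try {
        $obj = [ADSI]"LDAP://$domain/<SID=$sid>"
        Write-Output "$sid -> $domain : $($obj.distinguishedName)"
    } catch {
        Write-Output "$sid -> $domain (bind failed: $($_.Exception.Message))"
    }
}
```

The map is built once and cached in memory; only the final `LDAP://<domain>/<SID=...>` bind touches the trusted forest, so an unreachable or SID-filtered trust shows up as a bind failure for that one entry rather than breaking the whole walk. If a SID resolves to no map entry, the usual causes are a trust that is not transitive from this domain, or an orphaned FSP whose source domain no longer exists.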