Accessing Foreign Security Principals

Asked by 灰色年华, 2021-01-15 01:06 (2 answers, 1546 views)

Searching for the user michael@mycontoso.com with the objectSid S-1-5-21-1234567890-123465789-123456789-123456, I only find a Foreign Security Prin

2 answers
  •  执念已碎, 2021-01-15 02:05

    Sadly, FSPs don't contain the LDAP path of the referenced object. (If they contained one, it would need to be replicated whenever the object is renamed or moved.)

    There seems to be no easy way to get back the containing AD domain using a SID from a foreign forest. If it is in the local forest, you can do it by binding to LDAP://<SID=...>.

    A not-so-easy way is to build a domain SID to domain map.
    Walk through each domain in the trusted forests and build the map using the script here (the "The Script Solution" section).

    https://docs.microsoft.com/en-us/archive/blogs/ashleymcglone/powershell-sid-walker-texas-ranger-part-3-exporting-domain-sids-and-trusts

    SIDs of security principals are in the form of <domain SID>-<RID>.
    e.g. the domain SID of S-1-5-21-1234567890-123465789-123456789-123456 is S-1-5-21-1234567890-123465789-123456789.

    By extracting the domain SID (in .NET you can do it using the SecurityIdentifier class and its AccountDomainSid property) and looking it up in the map, you can find out the containing domain.
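The three steps in the answer above (build a domain SID to domain map across trusted forests, take AccountDomainSid from the FSP's SID, then look the object up in that domain) put together as an added PowerShell example. This is not the answerer's code or the linked script; it assumes the RSAT ActiveDirectory module, that the trusted forests are reachable from this host (pass -Credential if the running account cannot read them), and the function names Get-DomainSidMap and Resolve-ForeignSecurityPrincipal are chosen here. Well-known SIDs that also appear in the ForeignSecurityPrincipals container (Authenticated Users, Interactive, etc.) have no owning domain, and an FSP whose domain SID is not found in any enumerable trust is reported with an empty Domain so that orphaned entries from removed trusts are visible.

```powershell
# Added example, not from the original answer. Resolves Foreign Security Principals back
# to the domain that owns them, then to the object itself.
Import-Module ActiveDirectory

function Get-DomainSidMap {
    [CmdletBinding()]
    param([pscredential]$Credential)

    $map = @{}   # domain SID string (S-1-5-21-x-y-z) -> DNS name of the domain

    # Local forest: every domain, keyed by its domain SID.
    foreach ($name in (Get-ADForest).Domains) {
        $d = Get-ADDomain -Identity $name
        $map[$d.DomainSID.Value] = $d.DNSRoot
    }

    # Trusts live as trustedDomain objects under CN=System. For a forest trust, enumerate
    # the remote forest's domains; for an external trust the trustedDomain object's
    # securityIdentifier attribute already holds the trusted domain's SID.
    $trusts = Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
                           -Properties trustPartner, trustAttributes, securityIdentifier
    foreach ($t in $trusts) {
        $partner       = $t.trustPartner
        $isForestTrust = ($t.trustAttributes -band 0x8) -ne 0   # TRUST_ATTRIBUTE_FOREST_TRANSITIVE
        try {
            if ($isForestTrust) {
                $fArgs = @{ Identity = $partner; Server = $partner }
                if ($Credential) { $fArgs.Credential = $Credential }
                foreach ($name in (Get-ADForest @fArgs).Domains) {
                    $dArgs = @{ Identity = $name; Server = $name }
                    if ($Credential) { $dArgs.Credential = $Credential }
                    $d = Get-ADDomain @dArgs
                    $map[$d.DomainSID.Value] = $d.DNSRoot
                }
            } elseif ($t.securityIdentifier) {
                $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$t.securityIdentifier, 0)
                $map[$sid.Value] = $partner
            }
        } catch {
            Write-Warning "Could not enumerate trust '$partner': $_"
        }
    }
    return $map
}

function Resolve-ForeignSecurityPrincipal {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][hashtable]$DomainSidMap,
        [pscredential]$Credential
    )

    $sidObj = [System.Security.Principal.SecurityIdentifier]$Sid
    $result = [ordered]@{ Sid = $Sid; DomainSid = $null; Rid = $null; Domain = $null; Object = $null }

    # Well-known SIDs (S-1-5-11 Authenticated Users, S-1-5-4 Interactive, ...) are not
    # account SIDs and have no owning domain; AccountDomainSid would be $null for them.
    if (-not $sidObj.IsAccountSid()) {
        $result.Domain = '<well-known SID, no owning domain>'
        return [pscustomobject]$result
    }

    # <domain SID>-<RID>: AccountDomainSid strips the trailing RID.
    $result.DomainSid = $sidObj.AccountDomainSid.Value
    $result.Rid       = $Sid.Substring($result.DomainSid.Length + 1)

    # No map entry means no trust we could enumerate owns this SID (removed trust, or
    # a forest we could not reach): leave Domain empty rather than guessing.
    if (-not $DomainSidMap.ContainsKey($result.DomainSid)) {
        return [pscustomobject]$result
    }
    $result.Domain = $DomainSidMap[$result.DomainSid]

    # AD accepts the SDDL string form of a SID in an LDAP filter, so no binary conversion
    # is needed. (Inside the local forest, [ADSI]"LDAP://<SID=$Sid>" would also work.)
    $lookup = @{ Server = $result.Domain; LDAPFilter = "(objectSid=$Sid)"
                 Properties = 'sAMAccountName', 'objectClass', 'userPrincipalName' }
    if ($Credential) { $lookup.Credential = $Credential }
    $result.Object = Get-ADObject @lookup
    return [pscustomobject]$result
}

# Usage: walk the local domain's ForeignSecurityPrincipals container and resolve each entry.
$map = Get-DomainSidMap
$fspContainer = "CN=ForeignSecurityPrincipals,$((Get-ADDomain).DistinguishedName)"
Get-ADObject -SearchBase $fspContainer -LDAPFilter '(objectClass=foreignSecurityPrincipal)' -Properties objectSid |
    ForEach-Object { Resolve-ForeignSecurityPrincipal -Sid $_.objectSid.Value -DomainSidMap $map } |
    Format-Table Sid, Domain, Rid, @{ n = 'Object'; e = { $_.Object.sAMAccountName } }
```

Building the map once and reusing it is the point of the "not-so-easy way": the trust walk is the slow, credential-dependent part, while the AccountDomainSid extraction and the per-domain lookup are cheap. Entries that come back with an empty Domain are worth reviewing in their own right, since an FSP that no longer resolves to any trusted domain is usually a leftover from a trust that was torn down and can be removed from the groups and ACLs that still reference it.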
