Accessing Foreign Security Principals

Question

Searching for the user michael@mycontoso.com with the objectSid S-1-5-21-1234567890-123465789-123456789-123456, I only find a Foreign Security Prin

Answer 1

You may try to retrieve the msDS-PrincipalName:

ldapsearch <options> -b "CN=ForeignSecurityPrincipals,DC=contoso,DC=com" "CN=S-1-5-21-1234567890-123465789-123456789-123456" msDS-PrincipalName

FOO\michael@mycontoso.com

---

Otherwise, the approach is as https://stackoverflow.com/a/27038494/10408280 describes:

1. Retrieve Domain identifier from first part of SID
2. Perform a lookup against that domain for the SID of the user or by sAMAccountName

Answer 2

Sadly FSP don't contain the LDAP path of the referenced object. (if it contain one, then it needs to be replicated once the object is rename/moved)

There seems no easy way to get back the containing AD using the SID from foreign forest. If in local forest you may do it by binding to LDAP://<SID=S-1-xxxxx>.

A not-so-easy way is to build a domain SID to domain map.
Walk through each domain in trusted forests and build the map using the script here (the "The Script Solution" section).

https://docs.microsoft.com/en-us/archive/blogs/ashleymcglone/powershell-sid-walker-texas-ranger-part-3-exporting-domain-sids-and-trusts

SID of security principals are in the form of <domain SID>-<RID>.
e.g. domain SID of S-1-5-21-1234567890-123465789-123456789-123456 is S-1-5-21-1234567890-123465789-123456789.

By extracting the domain SID (if in .NET you can do it by using SecurityIdentifier class and the AccountDomainSid property) and the map then you can find out the containing domain.