Accessing Foreign Security Principals

8.6k Views

Searching for the user [email protected] with the objectSid S-1-5-21-1234567890-123465789-123456789-123456, I only find a Foreign Security Principal CN=S-1-5-21-1234567890-123465789-123456789-123456,CN=ForeignSecurityPrincipals,DC=contoso,DC=com. That foreign security principal does not contain the properties I have to read, so I guess I have to access the "Home AD" of that FSP.

Does an FSP have a property that always contains the LDAP path of the user object? Is there a standardized/recommended way to access the Home AD?

2

There are 2 best solutions below

0
baldpate (best answer)

Sadly, FSPs don't contain the LDAP path of the referenced object (if they contained one, it would need to be replicated every time the object is renamed/moved).

There seems to be no easy way to get back to the containing AD using a SID from a foreign forest. If it is in the local forest you can do it by binding to LDAP://<SID=S-1-xxxxx>.

A not-so-easy way is to build a domain SID to domain map.
Walk through each domain in the trusted forests and build the map using the script here (the "The Script Solution" section):

https://learn.microsoft.com/en-us/archive/blogs/ashleymcglone/powershell-sid-walker-texas-ranger-part-3-exporting-domain-sids-and-trusts

SIDs of security principals are of the form <domain SID>-<RID>,
e.g. the domain SID of S-1-5-21-1234567890-123465789-123456789-123456 is S-1-5-21-1234567890-123465789-123456789.

By extracting the domain SID (in .NET you can do it using the SecurityIdentifier class and its AccountDomainSid property) and looking it up in the map, you can find out the containing domain.

0
Mike

You may try to retrieve the msDS-PrincipalName:

ldapsearch <options> -b "CN=ForeignSecurityPrincipals,DC=contoso,DC=com" "(cn=S-1-5-21-1234567890-123465789-123456789-123456)" msDS-PrincipalName

FOO\[email protected]


Otherwise, the approach is as https://stackoverflow.com/a/27038494/10408280 describes:

  1. Retrieve the domain identifier from the first part of the SID
  2. Perform a lookup against that domain for the SID of the user, or by sAMAccountName
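
Both answers come down to the same procedure: take the SID out of the FSP's RDN, split off the domain SID from the RID, look the domain SID up in a map built from the trusted domains, and then query that domain. The following is an added example, not code from either answer or from the linked script, that carries the decomposition through offline. The domain map entries, the domain names foo.example and contoso.com, and the function names are all made up for the example; the map is what a walk over the trusted domains (as the accepted answer describes) would produce.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample map: domain SID -> (NetBIOS name, DNS name).
# In practice this is built by enumerating every domain in the trusted
# forests; these two entries are invented for the example.
DOMAIN_SID_MAP: Dict[str, Tuple[str, str]] = {
    "S-1-5-21-1234567890-123465789-123456789": ("FOO", "foo.example"),
    "S-1-5-21-987654321-876543210-765432109": ("CONTOSO", "contoso.com"),
}

# SDDL string form: S-<revision>-<identifier authority>-<subauthorities...>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def sid_from_fsp_dn(dn: str) -> str:
    """The RDN of a ForeignSecurityPrincipals object is the SID string itself."""
    rdn, _, _ = dn.partition(",")
    attr, _, value = rdn.partition("=")
    if attr.strip().lower() != "cn" or not SID_RE.match(value):
        raise ValueError(f"not an FSP DN: {dn!r}")
    return value


def split_sid(sid: str) -> Tuple[Optional[str], int]:
    """Split 'S-1-5-21-a-b-c-<RID>' into (domain SID, RID).

    Only SIDs issued by a domain (NT authority 5, first subauthority 21,
    three further subauthorities) have a domain part. Well-known SIDs such
    as S-1-5-32-544 (BUILTIN\\Administrators) or S-1-1-0 (Everyone) return
    (None, rid): there is no home domain to look up for them.
    """
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    parts = sid.split("-")
    if parts[2] == "5" and parts[3] == "21" and len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return None, int(parts[-1])


def resolve_fsp(sid: str) -> Optional[dict]:
    """Map a foreign SID to its home domain and the two lookups you can run there.

    Returns None when the SID has no domain part or the domain is not in
    the map (an untrusted or since-removed forest).
    """
    domain_sid, rid = split_sid(sid)
    if domain_sid is None or domain_sid not in DOMAIN_SID_MAP:
        return None
    netbios, dns = DOMAIN_SID_MAP[domain_sid]
    return {
        "domain_sid": domain_sid,
        "rid": rid,
        "netbios": netbios,
        "dns": dns,
        # ADSI bind by SID against a DC of the home domain
        "adsi_path": f"LDAP://{dns}/<SID={sid}>",
        # equivalent LDAP filter for ldapsearch / DirectorySearcher against that domain
        "ldap_filter": f"(objectSid={sid})",
    }


if __name__ == "__main__":
    fsp_dn = ("CN=S-1-5-21-1234567890-123465789-123456789-123456,"
              "CN=ForeignSecurityPrincipals,DC=contoso,DC=com")
    print(resolve_fsp(sid_from_fsp_dn(fsp_dn)))
    print(resolve_fsp("S-1-5-32-544"))  # well-known SID: no home domain
```

The only part that needs directory access is the final lookup: run the returned filter against a DC of the resolved domain (with an account the trust lets you use there) and the real user object, with all of its attributes, comes back. The NetBIOS name in the map is the same prefix that msDS-PrincipalName on the FSP would show.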