Processing ForeignSecurityPrincipal - powershell

DomainA and DomainB trust each other. Some DomainB users are members of DomainA domain local groups. How can I get a ForeignSecurityPrincipal in PowerShell and get a list of its groups?

That was surprisingly simple:
Get-ADObject -Filter {ObjectClass -eq "foreignSecurityPrincipal"} -Properties msds-principalname,memberof
where msds-principalname is the sAMAccountName, so I can now search through the FSPs by sAMAccountName and get their groups.

You can get the list of foreign security principals in a domain by running the Get-ADObject cmdlet with SearchBase set to CN=ForeignSecurityPrincipals,DC=domain,DC=com and LDAPFilter set to something acceptable, like (|(objectCategory=user)(objectCategory=group)). Then, you can use this script to get its domain\username. Then you query that domain for DCs via Get-ADDomain and Get-ADDomainController, get the user object from there and run Get-ADPrincipalGroupMembership in your current domain against the retrieved user. An example (untested, as I have no env with many domains):
$ldf = '(|(objectCategory=user)(objectCategory=group))'
$fspc = (Get-ADDomain).ForeignSecurityPrincipalsContainer
$fsps = Get-ADObject -LDAPFilter $ldf -SearchBase $fspc
# got principals here
foreach ($fsp in $fsps) {
    # an FSP's Name is the SID string of the trusted-domain account (cn is not returned by default)
    $fspsid = New-Object System.Security.Principal.SecurityIdentifier($fsp.Name)
    ($fspdomain, $fspsam) = ($fspsid.Translate([System.Security.Principal.NTAccount]).Value).Split("\")
    # ^ this can throw exceptions if there's no remote user, take care
    $fspdc = (Get-ADDomainController -DomainName $fspdomain -Discover)[0] # taking first one
    $fspuser = Get-ADUser $fspsam -Server ([string]$fspdc.HostName) # use cross-domain DNS to resolve the DC
    $fspgroups = Get-ADPrincipalGroupMembership $fspuser # local query
    $fspgroups # now do whatever you need with them and the $fspuser
}
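As an added example (not code from either answer above), the following enumerates the local domain's FSP container, translates each SID over the trust, and flags the FSPs that no longer resolve but still sit in local groups; the cross-domain translation is the step that throws, so it is the one wrapped in error handling. The function name Get-FspReport and the report fields are my own.

```powershell
# Added example: report foreign security principals and flag orphaned ones.
Import-Module ActiveDirectory

function Get-FspReport {
    param(
        # Domain to enumerate; defaults to the domain this machine is joined to.
        [string]$Server = (Get-ADDomain).DNSRoot
    )
    $container = (Get-ADDomain -Server $Server).ForeignSecurityPrincipalsContainer
    # objectSid comes back as a SecurityIdentifier; memberOf lists the local groups.
    $fsps = Get-ADObject -Server $Server -SearchBase $container `
        -LDAPFilter '(objectClass=foreignSecurityPrincipal)' `
        -Properties objectSid, memberOf

    foreach ($fsp in $fsps) {
        $sid = [System.Security.Principal.SecurityIdentifier]$fsp.objectSid
        try {
            # Resolution goes over the trust: it fails when the trusted account
            # was deleted (orphaned FSP) or the trust itself is unreachable.
            $account  = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $orphaned = $false
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $account  = $null
            $orphaned = $true
        }
        [pscustomobject]@{
            Sid        = $sid.Value
            Account    = $account          # DOMAIN\name, or $null if unresolvable
            Orphaned   = $orphaned
            GroupCount = @($fsp.memberOf).Count
            MemberOf   = $fsp.memberOf
        }
    }
}

# Orphaned FSPs that still carry group membership are the entries to review.
Get-FspReport |
    Where-Object { $_.Orphaned -and $_.GroupCount -gt 0 } |
    Format-Table Sid, GroupCount, MemberOf -AutoSize
```

Well-known SIDs such as Authenticated Users also live in that container and translate to NT AUTHORITY names, so they show up as resolved, not orphaned.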

Related

Powershell deleting user in ADSI from outside LDAP domain

Our application allows the customer to authenticate to their own domain via LDAP, but we keep a cached copy of those logons and accounts in "myserver" ADSI. Due to limitations with another part of our application I have a need to delete several thousand of those cached accounts from myserver ADSI.
Keep in mind that this is NOT FOR MY DOMAIN but for the customer's domain. And no, I'm not trying to delete accounts in THEIR domain, just our cached copies in ADSI.
The following line of code does NOT throw an error, but it also does NOT delete the acct (neither does piping it to "remove-aduser"):
Get-ADObject -Server "myserver:3890" -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory" -filter {name -eq "testuser"} | remove-adobject
Side note: I can query this tree of the default naming context just fine
Get-ADObject -Server "myserver:3890" -filter 'objectclass -like "*"' -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory"
or I can use -ldapfilter switch to get pertinent info about a specific account.
It's a weird situation since I'm NOT dealing with accounts in my own domain. Many other variations on this theme throw errors referencing my own domain, partitions, etc. I've worked through all of those I think. The above examples SHOULD work in my opinion.
Final note: I CAN delete the user in the ADSIEDIT GUI, but as mentioned, they have given me a list of thousands of accts that need removing. There's gotta be a way?!
I figured it out (I'm feeding it a list of $users):
Get-ADObject -Server "myserver:3890" -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentdirectoryDirectory" -Filter * | Where-Object {$_.name -eq "$user"} | Remove-ADObject -Confirm:$false

How to run this script against another domain

I have the script below to give me the distinguished name for groups in a spreadsheet I have. The issue is, the groups are located in another domain. How do I point my script to that domain? The issue is I know I have to be logged in to that domain to run it, but I can't.
$Groups = Get-Content -Path C:\Scripts\DistinguishedName.csv
ForEach ($Group in $Groups) {
Get-ADGroup -Identity $Group | Select-Object distinguishedName
}
The cmdlets in the Active Directory module support passing in the domain controller you want to query. By default, when you call Get-ADGroup (or any of the others) it will determine which domain it should query by checking the domain of your current machine.
The other option is to provide the -Server parameter with the Active Directory Domain Services instance you want to execute your query against.
You can also provide the -Credential parameter with a PSCredential object that contains your login for that other domain. This is required if the current login of your PowerShell session is not authorized to authenticate against that other domain.
So your example script would look something like this:
$AdDomain = "whatever.company.local"
$adCred = Get-Credential
$Groups = Get-Content -Path C:\Scripts\DistinguishedName.csv
ForEach ($Group in $Groups) {
Get-ADGroup -Identity $Group -Server $AdDomain -Credential $adCred | Select-Object distinguishedName
}

Remove user from a group belonging to another AD

We have 3 Domains connected through a trust, and I need to remove a user from multiple groups, including some that are in those other Domains.
I can see all groups through the command:
(Get-ADGroup -Server $Domain -Filter *).SamAccountName
I store this information in a variable and, in a foreach over each group, run the command:
Remove-ADGroupMember -Server $Domain -Identity "$group" -Members $User -Confirm:$false -Credential $Credential
But this does not work for when I need to remove a user who belongs to another domain.
I tried to pass the user with parameters like:
B\User
User ObjectGUID
User SID
But it does not work.
How do I remove a user belonging to domain B from a domain group A?
Remembering that there is a relationship of trust between them.

Remove AD-user in domain A from AD-group in domain B while my client is in domain C in PowerShell

Let's assume I have an AD-user in domain A which is in an AD-Group in domain B and my client is in domain C.
I want to remove the user from the group in PowerShell, but I really can't figure out how I can solve this problem using Remove-ADGroupMember or Remove-ADPrincipalGroupMembership since I can only pass one domain there.
I assume that domains A & B are not in the same forest, but are trusted.
The issue is that you're not removing a direct reference to the user: you're removing a Foreign Security Principal, which is an object in the same domain as the group that references the account in the trusted domain. I talk about this in a little more detail in an article I wrote: "What makes a member a member?".
None of the PowerShell cmdlets seem to be able to handle these. But you can use .NET's DirectoryEntry class to do this. Here is an example ($username and $groupname are the names of the account and the group):
$u = Get-ADUser -Server domainA.com $username
#Get the Foreign Security Principal object for the user
$fsp = Get-ADObject -Server domainB.com -Filter "objectSid -eq '$($u.SID)'"
#Get the group
$g = Get-ADGroup -Server domainB.com $groupname
#Get a DirectoryEntry for the group (which is what the [ADSI] notation creates)
$group = [ADSI]"LDAP://domainB.com/$($g.DistinguishedName)"
#Remove the FSP from the group
$group.Properties["member"].Remove($fsp.DistinguishedName)
$group.CommitChanges()
You can use the cmdlet below to remove foreign principal objects from groups:
Set-ADGroup -Remove @{member='cn=S1-5-blah-blah-blah'}
Steps:
Get the DistinguishedName of the foreign principal member:
$mem = (Get-ADGroup 'GroupName' -Property members).members | Where-Object {$_ -like "CN=S-1-5-21-BLAHBLAH*"}
Set-ADGroup -Remove @{member=$mem}
You can also use Set-ADGroup -Clear member to empty the group membership, including foreign principal objects.
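The two answers above combined into one function, as an added example that is not code from either poster: resolve the user in domain A, locate the matching FSP in domain B by SID, check it is a direct member, remove it by DN with Set-ADGroup -Remove, and verify. The names Remove-ForeignMember, domainA.com, domainB.com and the parameters are assumptions for the example.

```powershell
# Added example: remove a domain-A user's FSP from a domain-B group, run from anywhere.
Import-Module ActiveDirectory

function Remove-ForeignMember {
    param(
        [Parameter(Mandatory)][string]$UserName,     # sAMAccountName in domain A
        [Parameter(Mandatory)][string]$GroupName,    # group name in domain B
        [string]$UserDomain  = 'domainA.com',        # assumed names
        [string]$GroupDomain = 'domainB.com',
        [pscredential]$Credential                    # account with rights in domain B
    )
    # Common parameters for every call against domain B.
    $b = @{ Server = $GroupDomain }
    if ($Credential) { $b.Credential = $Credential }

    # 1. The SID is the only identifier shared across the trust.
    $user = Get-ADUser -Server $UserDomain -Identity $UserName

    # 2. Domain B stores that SID as a foreignSecurityPrincipal object.
    $fsp = Get-ADObject @b -Filter "objectClass -eq 'foreignSecurityPrincipal' -and objectSid -eq '$($user.SID)'"
    if (-not $fsp) { throw "No FSP for $UserName ($($user.SID)) exists in $GroupDomain" }

    # 3. Only direct members can be removed; nested membership needs the nested group.
    $group = Get-ADGroup @b -Identity $GroupName -Properties member
    if ($group.member -notcontains $fsp.DistinguishedName) {
        Write-Warning "$UserName is not a direct member of $GroupName (check nested groups)"
        return $false
    }

    # 4. Remove by DN so the cmdlet never has to resolve the member itself.
    Set-ADGroup @b -Identity $group -Remove @{ member = $fsp.DistinguishedName }

    # 5. Re-read and confirm the DN is gone.
    $after = Get-ADGroup @b -Identity $GroupName -Properties member
    return ($after.member -notcontains $fsp.DistinguishedName)
}

# Usage from a domain-C client, prompting for domain-B credentials:
# Remove-ForeignMember -UserName jdoe -GroupName 'App-Admins' -Credential (Get-Credential)
```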

How To search for user across all domains?

I am writing a PowerShell script to get password expiry for a specific set of users. These users belong to different domains (across the world) in our org.
I use Get-ADUser to do this. The script works only for users in the domain where the script is run from. So if the script is run from, let's say, the US, Get-ADUser finds only users from the US.
How can I search across all domains?
I tried this
Get-AdUser -Server <GlobalCatalog> [...]
This has the same result as without -Server.
Have you tried using the following:
Get-ADUser -Filter {(yourFilterCondition)} -SearchBase "" -Server X.Y.Z.W:3268 -Properties desiredProperties | select-object...
Setting SearchBase to "" is the key thing here. And, also try to perform the query on 3268 port for reading values from all domains.
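As an added example (not the answerer's code), here is the global catalog lookup carried through to the password-expiry question: the GC on port 3268 with an empty SearchBase finds the account anywhere in the forest, and the user's own domain is then queried for msDS-UserPasswordExpiryTimeComputed, because a GC only holds the partial attribute set. Get-PasswordExpiry and the input file path are assumed names.

```powershell
# Added example: forest-wide user lookup via a GC, then a home-domain follow-up.
Import-Module ActiveDirectory

function Get-PasswordExpiry {
    param([Parameter(Mandatory)][string[]]$SamAccountNames)

    # Any global catalog will do; -Discover picks one for the current site.
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
    $gcServer = "${gc}:3268"

    foreach ($name in $SamAccountNames) {
        # The empty SearchBase is what makes the GC query span every domain.
        $hits = @(Get-ADUser -Server $gcServer -SearchBase '' -Filter "sAMAccountName -eq '$name'")
        if ($hits.Count -eq 0) { Write-Warning "$name not found in the forest"; continue }

        # sAMAccountName is only unique per domain, so there may be several hits.
        foreach ($hit in $hits) {
            # Home domain from the DN: DC=corp,DC=example,DC=com -> corp.example.com
            $home = ($hit.DistinguishedName -split ',' |
                     Where-Object { $_ -like 'DC=*' } |
                     ForEach-Object { $_.Substring(3) }) -join '.'

            # Constructed attributes must be read from the object's own domain.
            $full = Get-ADUser -Server $home -Identity $hit.DistinguishedName `
                        -Properties msDS-UserPasswordExpiryTimeComputed, PasswordNeverExpires
            $raw = $full.'msDS-UserPasswordExpiryTimeComputed'

            # Int64.MaxValue means "never expires"; 0 means "must change at next logon".
            $expires = $null
            if (-not $full.PasswordNeverExpires -and $raw -and $raw -ne [long]::MaxValue) {
                $expires = [datetime]::FromFileTimeUtc($raw)
            }
            [pscustomobject]@{
                User    = $hit.SamAccountName
                Domain  = $home
                Expires = $expires
            }
        }
    }
}

# Usage (assumed input file, one sAMAccountName per line):
Get-PasswordExpiry -SamAccountNames (Get-Content C:\Scripts\users.txt) | Format-Table -AutoSize
```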