ForeignsecurityPrincipals Cleanup

Guest

I'm trying to find information on cleanup of ForeignSecurityPrincipals prior
to a 2000 to 2003 AD migration.

Are entries in the ForeignSecurityPrincipals container self-maintaining? If
so, at what point do these objects get deleted automatically? Are they
removed if a trust is broken for the domain that the object is linked to?
What are the consequences if ForeignSecurityPrincipals objects are deleted?
Will they re-create themselves as needed?

The only information I'm seeing is "don't mess with them", but that's about
it. There seems to be a black hole of information surrounding these objects.
If there is a source of more detailed info on these objects, I'd love to be
referred to it.

Thanks!
-Bozford
 
Tim Springston [MS]

Hi Bozford-

Foreignsecurityprincipals are created as users from trusted domains are added
to security groups in the domain. The act of adding them to that group
should re-add them I would think but I have not tested it.

These objects contain the security ID (SID) of the trusted user object from
the other domain(s). Deleting the foreignsecurityprincipal object which
exists for a trusted user principal could break that user's group membership
functionality in the trusting domain.

Here's some additional information:

http://www.microsoft.com/resources/...v/2003/all/techref/en-us/w2k3tr_adstr_how.asp

ForeignSecurityPrincipals: Proxy objects for security principals that are
from Windows NT 4.0 domains or Windows NT 3.51 domains, or that are from
different forests, and that have been added to Windows 2000 or Windows
Server 2003 groups.

From the Windows 2000 Resource Kit:
Group Members from External Domains
If you add a member of a trusted domain from a different forest to a group
in your domain, Samsrv.dll creates a placeholder object of the class
foreignSecurityPrincipal. This object represents the real object, about
which Active Directory has no information because the object exists in a
different forest. When you list the members of a group, Active Directory
usually lists the distinguished names of the group members. For a member
that is from an external domain, Active Directory displays the distinguished
name of the foreign security principal object in the form of a NetBIOS name.

Please repost if you have additional questions or concerns.
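As an added example (not from this thread, and not Microsoft's own tooling), the following read-only PowerShell script lists every object in the ForeignSecurityPrincipals container, tries to resolve each SID back to an account through the existing trusts, and flags the ones that no longer resolve together with the groups they still sit in. That is the inventory an administrator would want before deciding anything about cleanup. It assumes a management host with the ActiveDirectory module (RSAT) and read rights to the domain; the output file name is a placeholder.

```powershell
# Added example: inventory ForeignSecurityPrincipal (FSP) objects and flag the
# ones whose SID can no longer be resolved through any trust. Report only;
# nothing is modified. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

$domain       = Get-ADDomain
$fspContainer = "CN=ForeignSecurityPrincipals,$($domain.DistinguishedName)"

$fsps = Get-ADObject -SearchBase $fspContainer `
                     -LDAPFilter '(objectClass=foreignSecurityPrincipal)' `
                     -Properties objectSid, memberOf, whenCreated

$report = foreach ($fsp in $fsps) {
    $sid     = [System.Security.Principal.SecurityIdentifier]$fsp.objectSid
    $account = $null

    # Only domain-relative SIDs (S-1-5-21-...) come from a trusted domain.
    # Well-known SIDs such as Everyone or Authenticated Users also live in
    # this container as FSPs; they never resolve via a trust and are expected.
    if ($sid.Value -like 'S-1-5-21-*') {
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $status  = 'Resolvable'
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # No DC reachable through a trust knows this SID: the trust is
            # gone, the source domain is gone, or the source object was deleted.
            $status = 'Orphaned'
        }
    }
    else {
        $status = 'WellKnown'
    }

    [pscustomobject]@{
        Name        = $fsp.Name
        Sid         = $sid.Value
        Account     = $account
        Status      = $status
        GroupCount  = @($fsp.memberOf).Count
        MemberOf    = (@($fsp.memberOf) -join '; ')
        WhenCreated = $fsp.whenCreated
    }
}

$report | Sort-Object Status, Name | Format-Table Name, Status, Account, GroupCount, WhenCreated -AutoSize

# Orphaned entries are the review candidates; keep the list for a change record.
$report | Where-Object Status -eq 'Orphaned' |
    Export-Csv -Path '.\fsp-orphaned-PLACEHOLDER.csv' -NoTypeInformation
```

The resolution step depends on the trust being up and a domain controller of the trusted domain being reachable from the host running the script, so an "Orphaned" result during a WAN outage means only that the SID could not be resolved right now; run it again from a DC with a working trust before treating anything as stale. The GroupCount column is the practical risk indicator: an orphaned FSP that is still a member of groups is the case the answer above warns about, because removing it silently drops that foreign principal's access.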
 
Guest

Excellent info, thank you VERY much.

The one part I'm still missing is this:
Do they get cleaned up automatically when the group membership is removed or
the trust is broken?

Thanks again!
-Bozford
 
Guest

bump

The one part I'm still missing is this:
Do they get cleaned up automatically when the group membership is removed or
the trust is broken?

Thanks again!
-Bozford
 