RE: [ActiveDir] Removing foreign accounts

[joe]

To expand a little...

 

An FSP is ONLY needed if you are referencing an object from a foreign domain in an attribute that takes DNs like the member attribute. You have to use a valid DN. The creation of an FSP gives a valid DN to be used.

 

Completely agree with the SID cleanup Guido mentions. Also the fact that if a domain is shutdown, there should be no harm in removing any FSPs referencing that domain.

 

 

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, November 25, 2005 1:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Removing foreign accounts

FSPs are only created if you link a foreign account (from a trusted domain) to an object in AD, e.g. by means of adding him as a member to a domain local group - not when you assign permissions in AD to a foreign account (this will only store the object's SID in the ACL of the object).

 

The latter is a bitch to clean up - same as when you've deleted an AD account/group that was granted permissions anywhere. There is no useful solution I'm aware of that tackles this issue - you'd have to dump the ACLs and check for unresolved SIDs yourself and then do your homework.

 

But at least you will find all the memberships of the exernal accounts in the memberOf attribute of the FSP and should have no problem deleting them, esp. if the domain has been shutdown (be careful if you have setup trusts to multiple domains...)

 

/Guido

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Donnerstag, 24. November 2005 19:20
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Removing foreign accounts

just curious, How do we know, where that FSP is used in AD.

If FSP is member of any group we can find them using memberof attribure of FSP.

But, If that is not populated, it might be the case that, someone directly and stupidly gave that FSP some right somewhere.

How do we find that?

On 11/23/05, joe <[EMAIL PROTECTED]> wrote:

Go into the ForeignSecurityPrincipals container and delete all of the FSPs that exist from the old NT4 domain.

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ahmed Al-Awah
Sent: Tuesday, November 22, 2005 5:30 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Removing foreign accounts

Hello all,

Until recently we had two domains, a W2K domain and a WinNT4 domain. I've managed to finally shut down the Windows NT4 domain. However, given our previous setup and the trust relationships that existed between both domains I'm left with several users from the old domain in AD groups on our primary Windows 2K Domain.

I was wondering if anyone had a script that would remove users from a particular domain from another domain's groups (removing all NT4 accounts from the W2K domain groups)? The reason I'd like to do this is because everytime we attempt to access a group in AD with members from the previous domain we recieve an error stating that some of the names cannot be shown in user-friendly form which is primarily due to the fact that the previous domain has been shutdown. I've searched the MS Script Repository to no avail.

Any help is appreciated.

Cheers,
Ahmed

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~