joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Resolving Foreign Security Principals to SAM Names

by @ 4:33 pm on 9/15/2009. Filed under tech

This is probably obvious to some, but I thought I would write it up for those it wasn’t obvious to…

Sometimes when you look at a group in AD or ADAM, you see foreignSecurityPrincipal (FSP) objects in the membership. For most people these aren’t quick to resolve to friendly names, so you may end up looking each one up individually, which is slow and painful, especially if you have several of them.

So here is a quick example to help you when you hit this…

Say you have a group in ADAM that has membership that looks like

E:\>adfind -h . -b CN=Administrators,CN=Roles,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C} member

AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009

Using server: someadamserver.NorthAmerica.somecompany.net:389
Directory: Active Directory Application Mode

dn:CN=Administrators,CN=Roles,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-1511590266-3576895337-3233274463-6632,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-1511590266-3576895337-3233274463-519,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-1757981266-299502267-1801674531-239491,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-1757981266-299502267-1801674531-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-1757981266-299502267-1801674531-76732,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-507921405-813497703-1202660629-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>member: CN=S-1-5-21-1757981266-299502267-1801674531-96228,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}

1 Objects returned


GREAT! Thanks AdFind for telling me who is in the group… But wait, who exactly do those FSPs relate to? Two ways…

First, using -asq:

E:\>adfind -h . -b CN=Administrators,CN=Roles,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C} -asq member objectsid -resolvesids

AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009

Using server: someadamserver.NorthAmerica.somecompany.net:389
Directory: Active Directory Application Mode

dn:CN=S-1-5-21-1757981266-299502267-1801674531-96228,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\sitescope

dn:CN=S-1-5-21-507921405-813497703-1202660629-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: EUROPE\Domain Admins

dn:CN=S-1-5-21-1757981266-299502267-1801674531-76732,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\MMS_Search

dn:CN=S-1-5-21-1757981266-299502267-1801674531-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\Domain Admins

dn:CN=S-1-5-21-1757981266-299502267-1801674531-239491,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\so_jar

dn:CN=S-1-5-21-1511590266-3576895337-3233274463-519,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: ROOT\Enterprise Admins

dn:CN=S-1-5-21-1511590266-3576895337-3233274463-6632,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: ROOT\AdamAdmins

7 Objects returned


Next, using the AdFind-piped-to-AdFind functionality (-qlist emits the member DNs as a list that a second AdFind reads as its search bases):

E:\>adfind -h . -b CN=Administrators,CN=Roles,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C} member -qlist | adfind -h . objectsid -resolvesids

AdFind V01.40.00cpp Joe Richards (joe@joeware.net) February 2009

Using server: someadamserver.NorthAmerica.somecompany.net:389
Directory: Active Directory Application Mode

dn:CN=S-1-5-21-1511590266-3576895337-3233274463-6632,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: ROOT\AdamAdmins

dn:CN=S-1-5-21-1511590266-3576895337-3233274463-519,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: ROOT\Enterprise Admins

dn:CN=S-1-5-21-1757981266-299502267-1801674531-239491,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\so_jar

dn:CN=S-1-5-21-1757981266-299502267-1801674531-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\Domain Admins

dn:CN=S-1-5-21-1757981266-299502267-1801674531-76732,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\MMS_Search

dn:CN=S-1-5-21-507921405-813497703-1202660629-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: EUROPE\Domain Admins

dn:CN=S-1-5-21-1757981266-299502267-1801674531-96228,CN=ForeignSecurityPrincipals,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C}
>objectSid: NORTHAMERICA\sitescope

7 Objects returned


You can clean it up even more with either of the above commands by simply adding -list, like so:

E:\>adfind -h . -b CN=Administrators,CN=Roles,CN=Configuration,CN={061AA795-CE70-4B2F-AEE3-9E0BAAF2532C} -asq member objectsid -resolvesids -list
NORTHAMERICA\sitescope
EUROPE\Domain Admins
NORTHAMERICA\MMS_Search
NORTHAMERICA\Domain Admins
NORTHAMERICA\so_jar
ROOT\Enterprise Admins
ROOT\AdamAdmins
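AdFind does the SID-to-name translation for you with -resolvesids. When you only have the raw listing (or the binary objectSid attribute from an LDAP client) and want to review who those FSPs are before you can translate them, the following added example does the offline part of the job. It is not AdFind's code or from this post; the member lines it parses are a constructed sample shaped like the listing above, and the table of well-known RIDs covers only a few of the built-in privileged accounts. It pulls the SID out of each FSP DN, splits it into the domain SID and the relative ID so you can see which domain each member comes from and spot well-known privileged RIDs, and converts between the S-1-... string and the binary form stored in objectSid.

```python
"""Extract and decode the SIDs behind FSP group members in AdFind-style output."""
import re
import struct
from collections import defaultdict

# Constructed sample: member lines in the shape AdFind prints them.
# The last member is a normal group, not an FSP, and must be skipped.
SAMPLE_OUTPUT = """\
dn:CN=Administrators,CN=Roles,CN=Configuration,CN={EXAMPLE-GUID}
>member: CN=S-1-5-21-1511590266-3576895337-3233274463-519,CN=ForeignSecurityPrincipals,CN=Configuration,CN={EXAMPLE-GUID}
>member: CN=S-1-5-21-1757981266-299502267-1801674531-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={EXAMPLE-GUID}
>member: CN=S-1-5-21-1757981266-299502267-1801674531-76732,CN=ForeignSecurityPrincipals,CN=Configuration,CN={EXAMPLE-GUID}
>member: CN=S-1-5-21-507921405-813497703-1202660629-512,CN=ForeignSecurityPrincipals,CN=Configuration,CN={EXAMPLE-GUID}
>member: CN=SomeLocalGroup,CN=Roles,CN=Configuration,CN={EXAMPLE-GUID}
"""

# A few well-known relative IDs; the same RID means the same built-in
# account or group in every domain, whatever its display name.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

# FSP objects are named after the SID they stand for, so the CN is the SID.
FSP_DN_RE = re.compile(
    r"^>member:\s*CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,", re.IGNORECASE
)


def fsp_sids(adfind_output):
    """Return the SID string of every FSP member in the listing, in order."""
    sids = []
    for line in adfind_output.splitlines():
        match = FSP_DN_RE.match(line)
        if match:
            sids.append(match.group(1))
    return sids


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID as int)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def group_by_domain(sids):
    """Map each domain SID to its members as (rid, well-known name or None)."""
    grouped = defaultdict(list)
    for sid in sids:
        domain, rid = split_sid(sid)
        grouped[domain].append((rid, WELL_KNOWN_RIDS.get(rid)))
    return dict(grouped)


def sid_to_bytes(sid):
    """Encode an 'S-1-...' string into the binary layout stored in objectSid."""
    parts = sid.split("-")
    if parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision (1 byte), sub-authority count (1 byte),
    # 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(blob):
    """Decode a binary objectSid value back into its 'S-1-...' string form."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


if __name__ == "__main__":
    for domain, members in group_by_domain(fsp_sids(SAMPLE_OUTPUT)).items():
        print(domain)
        for rid, name in members:
            print("   RID %-7d %s" % (rid, name or "(not a well-known RID)"))
```

The grouping is the useful audit view: every member whose domain SID matches is from the same domain, and a RID of 512 or 519 is the Domain Admins or Enterprise Admins group of that domain regardless of how it has been renamed. Resolving the remaining RIDs to SAM names still needs a lookup against the domain that owns the SID, which is exactly what AdFind's -resolvesids does for you.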


   joe
