How to resolve Foreign security principals with Quest cmdlets for AD?

Get-QADObject -ResolveForeignSecurityPrincipals -Type foreignSecurityPrincipal | select SamAccountName,Type,DN


How to remove the Foreign security principals from groups:

$log = New-Item -Path c:\output.txt -ItemType File -Force
$group = cmd.exe /c dsquery group "ou=groups,dc=mydomain,dc=com"
foreach ($g in $group) {
    $members = cmd.exe /c dsget group $g -members
    foreach ($m in $members) {
        if ($m -like "*CN=ForeignSecurityPrincipals*") {
            Write-Host "Group $g contains FSP $m"
            # the dsmod command that would remove the FSP from the group; it is only logged here
            $result = "dsmod group $($g) -rmmbr $($m)"
            # to actually remove the FSP, execute it: cmd.exe /c $result
            Add-Content -Path $log -Value $result
        }
    } # end foreach members
} # end foreach groups



Here is a script to list the Foreign Security Principals and the groups they belong to:

<#
.SYNOPSIS
Find all foreign security principals and the groups they are used in.

.DESCRIPTION
Find all the foreign security principals in the provided local domain that belong to the provided foreign domain and return their full name and group memberships.

.PARAMETER LocalDomain
Local domain name in which to find foreign security principals.

.PARAMETER ForeignDomain
Foreign domain for which foreign security principals should be returned.

.EXAMPLE
PS D:\> Get-ForeignSecurityPrincipals.ps1 -LocalDomain -ForeignDomain
#>
[CmdletBinding(SupportsShouldProcess = $True)]
param (
    [Parameter(Mandatory = $true)]
    [string]$LocalDomain,
    [Parameter(Mandatory = $true)]
    [string]$ForeignDomain
)

if (!(Get-Module ActiveDirectory)) {
    Import-Module ActiveDirectory
}

$startscript = Get-Date
Write-Host ""
Write-Host "List foreign security principals on domain $LocalDomain, please wait, it can take time" -BackgroundColor Green -ForegroundColor Black
Write-Host ""
$domainSid = Get-ADDomain $ForeignDomain -ErrorAction SilentlyContinue | select -ExpandProperty DomainSID | select -ExpandProperty Value
if ($domainSid -notmatch '^S-\d-\d-\d\d-\d{9,10}-\d{9,10}-\d{9,10}$') {
    Write-Error "Unable to determine domain SID for $ForeignDomain"
    return
}
$final = @()
# FSP objects are named after the SID they stand for, so principals of the foreign domain start with its domain SID
foreach ($g in (Get-ADObject -Filter "objectClass -eq 'group'" -Server $LocalDomain -Properties member | ? { $_.member -like "CN=$domainSid*" })) {
    foreach ($m in $g.member) {
        if ($m -match "^CN=$domainSid") {
            $fspSamAccountName = Get-ADObject -Identity $m -Server $LocalDomain -Properties 'msDS-PrincipalName' | select -ExpandProperty 'msDS-PrincipalName'
            $final += @(New-Object -TypeName PSObject -Property @{
                GroupName = $g.Name   # property assumed; this line was truncated in the original
                ForeignSecurityPrincipal = $fspSamAccountName
            })
        }
    }
}

Write-Host ""
Write-Host "--STATISTICS--" -BackgroundColor Blue -ForegroundColor White
$final | select GroupName, ForeignSecurityPrincipal | sort GroupName
Write-Host ""
Write-Host "-------------------"
Write-Host "-- End of Script --"
Write-Host "-------------------"
$stopscript = Get-Date
$elapsed = New-TimeSpan -Start $startscript -End $stopscript
Write-Host "Has started at" $startscript -BackgroundColor Gray -ForegroundColor Black
Write-Host "Had finished at" $stopscript -BackgroundColor Gray -ForegroundColor Black
Write-Host "TIME SPENT:" $elapsed.Hours "Hours" $elapsed.Minutes "Minutes" $elapsed.Seconds "Seconds" -BackgroundColor Green -ForegroundColor Black
Write-Host ""
Write-Host ""
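The script above matches FSPs by one foreign-domain SID prefix. As an added example (not part of the original post), the function below classifies FSP member DNs offline: well-known SIDs such as Authenticated Users also live in the ForeignSecurityPrincipals container, and an FSP whose domain SID matches no current trust is a candidate orphan worth reviewing before any group clean-up. The domain SIDs and DNs are constructed sample values.

```powershell
# Constructed sample data: one trusted domain SID and a few group member DNs.
$TrustedDomainSids = @{
    'S-1-5-21-111111111-222222222-333333333' = 'partner.example'
}
$SampleMembers = @(
    'CN=S-1-5-21-111111111-222222222-333333333-1105,CN=ForeignSecurityPrincipals,DC=mydomain,DC=com',
    'CN=S-1-5-21-444444444-555555555-666666666-1001,CN=ForeignSecurityPrincipals,DC=mydomain,DC=com',
    'CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=mydomain,DC=com',
    'CN=Alice,OU=Users,DC=mydomain,DC=com'
)

function Get-FspClassification {
    param(
        [string[]]$MemberDn,          # group member DNs, e.g. from (Get-ADGroup ... -Properties member).member
        [hashtable]$KnownDomainSids   # domain SID -> domain name for every trust you still expect
    )
    foreach ($dn in $MemberDn) {
        # Only FSP objects are named after a SID; ordinary users/groups are skipped.
        if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,') {
            $sid = [System.Security.Principal.SecurityIdentifier]$Matches[1]
            # AccountDomainSid is $null for well-known SIDs (S-1-5-11, S-1-5-4, ...)
            $domainSid = $sid.AccountDomainSid
            if (-not $domainSid) {
                $class = 'WellKnown'
            } elseif ($KnownDomainSids.ContainsKey($domainSid.Value)) {
                $class = 'Trusted:' + $KnownDomainSids[$domainSid.Value]
            } else {
                $class = 'UnknownDomain'   # no matching trust: candidate orphan, verify before removing
            }
            [pscustomobject]@{ DN = $dn; Sid = $sid.Value; Class = $class }
        }
    }
}

Get-FspClassification -MemberDn $SampleMembers -KnownDomainSids $TrustedDomainSids | Format-Table -AutoSize
```

Feed it the member attribute of real groups and the DomainSID of each trust from Get-ADTrust/Get-ADDomain to separate expected FSPs from stale ones before logging any dsmod command.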