Removing Foreign Security Principals from Groups

Today I had a requirement to migrate users and groups from a legacy domain to a new domain using ADMT. All legacy groups were domain local, with members from other groups in other domains via existing trusts. Performing a migration of domain local groups using ADMT also migrates across members who have no user accounts in the new domain. These are called Foreign Security Principals.

I needed to convert these groups into Global groups in the new domain, but before I could do this I needed to remove these foreign security principals as members. I looked at PowerShell and the Get-ADGroupMember cmdlet, and this does not work with FSPs as members, producing an “Unspecified Error”. I looked at the old dsmod command and this could achieve what I was looking for. However, DSMOD required the full LDAP canonical name of the group and of the member to remove. This is a real pain when you have to modify over 2000 values!

I looked at piping a dsquery command into a dsget and then into a dsmod command, which would have worked, but these commands have no filter or where clause that would let me remove the FSPs but leave the migrated user accounts.

The solution I came up with took 5 minutes to build and 1 minute to execute. I realised I could use a mixture of PowerShell and DS commands to achieve what I wanted: PowerShell for looping and writing out content, and DS commands to do the work.

The PS script I came up with basically queries AD using DSQUERY, collecting the results into an array variable. I then loop through the array and perform a DSGET command to grab the members of that group. Then there is an IF statement that says: if the member of the group is an FSP, issue a DSMOD command to remove it. It also converts the group from Domain Local to Global. The other script is based on the same principle but produces a batch file to run separately. I chose this because I can double-check the commands built.

Anyway, here are both scripts; you will see the differences (albeit slight).

Script to Output to Batch File

# Create (or overwrite) the batch file that will hold the generated dsmod commands
$bat = New-Item -Path c:\groupmod.bat -ItemType File -Force
# dsquery returns at most 100 objects by default; -limit 0 returns every group in the OU
$group = cmd.exe /c dsquery group "ou=groups,ou=rs,dc=ad,dc=domain,dc=com" -limit 0
foreach ($g in $group) {
    # Raw member DNs of the group; FSPs appear here even though Get-ADGroupMember fails on them
    $members = cmd.exe /c dsget group $g -members
    foreach ($m in $members) {
        # FSP objects live under CN=ForeignSecurityPrincipals, so match on that container
        if ($m -like "*CN=ForeignSecurityPrincipals*") {
            $write = "dsmod group $($g) -rmmbr $($m)"
            Add-Content -Path $bat -Value $write
        }
    }
    # Domain local cannot go straight to global: convert to universal first, then to global
    Add-Content -Path $bat -Value "dsmod group $($g) -scope u"
    Add-Content -Path $bat -Value "dsmod group $($g) -scope g"
}

Script to execute on the fly

# dsquery returns at most 100 objects by default; -limit 0 returns every group in the OU
$group = cmd.exe /c dsquery group "ou=groups,ou=rs,dc=ad,dc=domain,dc=com" -limit 0
foreach ($g in $group) {
    # Raw member DNs of the group, including any foreign security principals
    $members = cmd.exe /c dsget group $g -members
    foreach ($m in $members) {
        # Remove only members that live in the ForeignSecurityPrincipals container
        if ($m -like "*CN=ForeignSecurityPrincipals*") {
            cmd.exe /c dsmod group $($g) -rmmbr $($m)
        }
    }
    # Domain local cannot go straight to global: convert to universal first, then to global
    cmd.exe /c dsmod group $($g) -scope u
    cmd.exe /c dsmod group $($g) -scope g
}
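As an added example that is not from the original post, here is the same clean-up done with the ActiveDirectory module instead of the DS tools: Get-ADGroupMember fails on FSP members as described above, but the raw member attribute still lists their DNs, so the script reads that attribute and removes matching values with Set-ADGroup -Remove, then performs the same universal-then-global scope change. It assumes the RSAT ActiveDirectory module is installed; the OU path is taken from the post, and the log path and the $dryRun switch are assumptions.

```powershell
# Added example (not the original post's code): FSP removal via the ActiveDirectory module.
Import-Module ActiveDirectory

$searchBase = "ou=groups,ou=rs,dc=ad,dc=domain,dc=com"   # OU path from the post
$logPath    = "C:\fsp-removals.csv"                       # assumed audit log location
$dryRun     = $true   # $true = preview changes with -WhatIf, like reviewing the batch file first

# FSP objects always live under CN=ForeignSecurityPrincipals,<domain DN>,
# so a member DN in that container is a foreign principal.
function Test-IsForeignSecurityPrincipal {
    param([string]$DistinguishedName)
    return $DistinguishedName -match '^CN=[^,]+,CN=ForeignSecurityPrincipals,'
}

# Only domain local groups are in scope; ask for the raw 'member' attribute up front.
$groups = Get-ADGroup -SearchBase $searchBase -Filter 'GroupScope -eq "DomainLocal"' `
                      -Properties member

foreach ($g in $groups) {
    # Reading the attribute works even when Get-ADGroupMember errors on FSP members.
    $fspMembers = @($g.member | Where-Object { Test-IsForeignSecurityPrincipal $_ })

    foreach ($dn in $fspMembers) {
        # -Remove edits the multi-valued attribute directly; no member object lookup needed.
        Set-ADGroup -Identity $g.DistinguishedName -Remove @{ member = $dn } -WhatIf:$dryRun

        # Keep an audit trail of what was stripped from which group.
        [pscustomobject]@{ Group = $g.DistinguishedName; RemovedMember = $dn } |
            Export-Csv -Path $logPath -Append -NoTypeInformation
    }

    # Domain local -> global must pass through universal (same as dsmod -scope u then -scope g),
    # and the universal step only succeeds once the foreign members are gone.
    Set-ADGroup -Identity $g.DistinguishedName -GroupScope Universal -WhatIf:$dryRun
    Set-ADGroup -Identity $g.DistinguishedName -GroupScope Global    -WhatIf:$dryRun
}
```

Run once with $dryRun set to $true to review the -WhatIf output and the CSV, then flip it to $false to apply the changes.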
