Master in progress IT blog

Forever learning, turning real-world problems into real IT solutions.

Exorcising Ghost Accounts: Step 1 to Eliminate Unwanted Foreign Security Principals from Active Directory

Alexander Mora

Recently, I worked with a client who wanted to tidy up their Active Directory (AD) environment by removing unused Foreign Security Principals (FSPs). They were diligent in following best practices, such as assigning permissions exclusively through security groups rather than individual accounts. Our goal was to identify and remove FSPs that were no longer in use while ensuring that no essential permissions were disrupted.

Understanding the Challenge

The client’s AD had accumulated numerous FSPs over time due to domain trusts and collaborations with external partners. Although they consistently used security groups for permission assignments, they wanted to be certain that removing unused FSPs wouldn’t inadvertently affect any access controls.

What Are Foreign Security Principals?

Foreign Security Principals are placeholder objects in AD that represent security principals (users or groups) from external or trusted domains. When you add an external user or group to a local security group, AD creates an FSP to represent that external entity. These FSPs enable cross-domain authentication and authorization without storing full details of the external accounts.

A screenshot of active directory users and computer snap-in showing the Foreign Security principals container and the objects inside

The Objective

Our primary objectives were:

  • Identify FSPs that are no longer members of any security groups in the local domain.
  • Ensure that removing these FSPs won’t affect any permissions, given that the client uses security groups exclusively for access control.
  • Create a backup before making any changes, as a precaution in case an FSP was inadvertently assigned permissions directly.

Crafting the Solution

To achieve these goals, I provided a PowerShell script that:

  1. Retrieves all FSPs in the client’s AD.
  2. Checks each FSP’s group memberships by directly querying the member attribute of groups.
  3. Extracts the account name and domain from the msDS-PrincipalName attribute for better identification.
  4. Generates a clear output showing which FSPs are still in use.

The PowerShell Script

Here’s the script I provided to the client:

PowerShell
# Get all Foreign Security Principals (FSPs)
$FSPs = Get-ADObject -Filter { ObjectClass -eq 'foreignSecurityPrincipal' } -Properties msDS-PrincipalName | Select-Object Name, ObjectSID, DistinguishedName, msDS-PrincipalName

# Loop through each FSP
foreach ($FSP in $FSPs) {
    $isMember = $false

    # Extract account name and domain information from msDS-PrincipalName
    $accountInfo = $FSP."msDS-PrincipalName"
    $domain = ($accountInfo -split '@')[1]
    $accountName = ($accountInfo -split '@')[0]

    # Retrieve all groups in the domain
    $groups = Get-ADGroup -Filter * | ForEach-Object {
        # Retrieve the group members using an LDAP query to directly check the "member" attribute
        $groupDN = $_.DistinguishedName
        $groupMembers = (Get-ADGroup -Identity $groupDN -Properties member).member

        # Check if the FSP's DistinguishedName is in the member list
        if ($groupMembers -contains $FSP.DistinguishedName) {
            Write-Host "FSP: $($FSP.Name) (Account: $accountName, Domain: $domain) is a member of group: $($_.Name)" -ForegroundColor Green
            $isMember = $true
        }
    }

    # If no groups found for this FSP
    if (-not $isMember) {
        Write-Host "FSP: $($FSP.Name) (Account: $accountName, Domain: $domain) is not a member of any group." -ForegroundColor Yellow
    }
}

How the Script Works

  • Retrieve FSPs: It starts by fetching all FSPs and their msDS-PrincipalName, which often contains the external account’s name and domain.
  • Extract Account Details: The script parses msDS-PrincipalName to get the account name and domain for easier identification.
  • Check Group Memberships: It iterates over all groups and checks if the FSP’s distinguished name is listed in the group’s member attribute.
  • Output Results: The script outputs whether each FSP is a member of any groups, including the group names if applicable.

Implementation and Precautions

Before running the script, we took the following precautions:

  • Created a Backup: Although the client followed best practices by using security groups for permissions, we created a backup of the AD environment. This was a safeguard in case any FSP had been assigned permissions directly to an Access Control List (ACL), contrary to policy.
  • Reviewed Policies: Confirmed that all administrators were aware of and adhered to the policy of assigning permissions via security groups.
  • Communicated Changes: Notified relevant team members about the cleanup operation to ensure transparency.

Running the Script and Interpreting Results

When we ran the script, it produced clear output:

PowerShell
FSP: CN=S-1-5-21-... (Account: EXTERNAL\user123, Domain: ) is not a member of any group.
FSP: CN=S-1-5-21-... (Account: PARTNER\Alex, Domain: ) is a member of group: Collaborators
  • FSPs Not in Any Group: These are candidates for removal since they’re not providing access via any security groups.
  • FSPs Still in Groups: These should be retained or evaluated as they are still facilitating access as intended.

Proceeding with Cleanup

For the FSPs identified as not being members of any groups:

  1. Double-Checked Permissions: Despite following best practices, we performed spot checks to ensure these FSPs were not directly assigned permissions on any resources.
  2. Documented Findings: Recorded which FSPs were being removed, including their account names and domains.
  3. Removed Unused FSPs: Used the following command to delete the unused FSPs:
PowerShell
Remove-ADObject -Identity "CN=S-1-5-21-..." -Confirm:$false
  1. Monitored the Environment: After deletion, we monitored logs and user reports to confirm that no access issues arose.

Conclusion

By assuming adherence to best practices and taking precautionary backups, we efficiently assisted the client in cleaning up unused Foreign Security Principals from their Active Directory environment. This process helped improve security and reduce clutter without risking unintended permission changes.

Key Takeaways

  • Adherence to Best Practices Simplifies Maintenance: Using security groups for all permissions made it straightforward to identify unused FSPs.
  • Precautionary Backups Are Essential: Even when policies are followed, backups provide a safety net against unexpected issues.
  • Clear Communication Prevents Missteps: Informing team members about the cleanup ensured no critical FSPs were removed unknowingly.

References

Alexander Mora Avatar
Alexander Mora

Leave a Reply

Your email address will not be published. Required fields are marked *