Get-OrphanForeignSecurityPrincipalGet-OrphanForeignSecurityPrincipal -TabDelimitedFile C:\temp\OFSP.txtGet-OrphanForeignSecurityPrincipal | Remove-OrphanForeignSecurityPrincipalFor the pipeline method, please see the Warning section below!
Remove-OrphanForeignSecurityPrincipal -TabDelimitedFile C:\temp\OFSP.txtRemove-OrphanForeignSecurityPrincipal -DistinguishedName 'CN=S-1-5-21-1234567890-1234567890-1234567890-12345,CN=ForeignSecurityPrincipals,DC=contoso,DC=com'This module uses cmdlets from the Microsoft ActiveDirectory module.
Copy this module to a computer which has the ActiveDirectory module (usually to C:\Program Files\Windows Powershell\Modules)
Because the export contains both Foreign Security Principal's Distinguished Names (with coma inside) and group membership (with semi-colon inside), the choice has been made to export the list in a tab delimited format.
Therefore, if you edit the export in Excel, you must save modifications as a <.txt> file.
Another way to edit the export is with any "neutral" text editor like Notepad.
Common parameters like -WhatIf, -Verbose and -Confirm are fully supported.
To determine if a Foreign Security Principal is orphan or not, this module tries to resolve the SID to a name.
If you encounter connectivity issues, the name resolution will fail, and Foreign Security Principals will be incorrectly interpreted as an orphan..
Thus, the preferred method to remove orphan Foreign Security Principals is via a file, because you can have look at the list before the removal.
You can also simulate a deletion whit the -WhatIf parameter.
- Restore via Powershell from the Recycle Bin (must be activated before any deletion occurred). More about activating the Recycle Bin can be found here
- First, find your object(s) with a query like this one:
Get-ADObject -Filter 'IsDeleted -eq $TRUE' -IncludeDeletedObjects | Where-Object {$_.DistinguishedName -like "CN=S-*"}- Then pipe it to the
Restore-ADObjectcmdlet.
- Add the foreign account or group into all groups where it has formerly been. This will create the same ForeignSecurityPrincipal again. Hint: If you have still the export file which you used to remove the ForeignSecurityPincipals, there is a column inside with the group membership.
There are several ways to keep your Active Directory clean from orphan Foreign Security Principals. Here are some suggestions:
- Schedule a script to export the list to a file and send a mail.
- Review the file and update if necessary.
- Use the
Remove-OrphanForeignSecurityPrincipalcmdlet associated with the file.
- Schedule a script to export and count the number of entries.
- Depending on X which is the average number of accounts you deleted in your environment since your last cleanup:
- If the script finds less than X orphan Foreign Security Principals, the script removes them directly.
- If the script finds more then X orphan Foreign Security Principals, the script sends a mail with the export as an attachment for further verification.
- If the script has sent a mail, review the file and update if necessary.
- If you reviewed the file, use the
Remove-OrphanForeignSecurityPrincipalcmdlet associated with this file.