Foreign Security Principals that have been deleted in trusted domain
Further to a previous question regarding finding the members of an AD group with Foreign Security Principals, I came up with the following:
using System;
using System.DirectoryServices.AccountManagement;

// Bind to the domain and look up the group by name
PrincipalContext adPrincipalContext = new PrincipalContext(ContextType.Domain, "DOMAIN");
//adPrincipalContext
GroupPrincipal group = GroupPrincipal.FindByIdentity(adPrincipalContext, "DOMAIN Server Admins");

// Direct members only; each member is resolved to a Principal as it is enumerated
PrincipalSearchResult<Principal> members = group.GetMembers();
Console.WriteLine("No of members {0}", group.Members.Count);
foreach (Principal member in members)
{
    Console.WriteLine("{0}\r\n\t{1}\r\n\t{2}", member.ToString(), member.Guid, member.DistinguishedName);
}
Unfortunately, when the FSP has been deleted from the trusted domain, it leaves behind an orphaned record in the original group. The above code then errors during the foreach when it comes across a deleted FSP, and produces an error:
While trying to resolve a cross-store reference, the SID of the target principal could not be resolved. The error code is 1332.
To attempt to get around this, I altered the code to:
// Drive the enumerator by hand so a failure on one member does not abort the whole loop
IEnumerator<Principal> enumerator = members.GetEnumerator();
while (enumerator.MoveNext())
{
    try
    {
        Principal member = enumerator.Current;
        Console.WriteLine("{0}\r\n\t{1}\r\n\t{2}", member.ToString(), member.Guid, member.DistinguishedName);
    }
    catch (Exception ex)
    {
        // Error 1332: the cross-store reference could not be resolved
        Console.WriteLine(ex.Message);
    }
}
This now at least allows me to get back all the members that don't fail, but doesn't allow me to build up a list of the SIDs that did fail.
Does anyone have an idea of how I might be able to get the SID of the account(s) that fail?
Many thanks
Ian
Thanks TheLearnedOne, that put me on the right track - I'd still like to find out how to get the SID from the PrincipalSearchResult, but this solved the issue.
I've modified the code slightly just to handle when gpMemberEntry doesn't bring back a property sAMAccountName in the case of a Foreign Security Principal as follows:
using System.DirectoryServices;
using System.Security.Principal;

string userAlias = null;
if (gpMemberEntry.Properties.Contains("sAMAccountName"))
{
    userAlias = gpMemberEntry.Properties["sAMAccountName"].Value.ToString();
}
else
{
    // A foreignSecurityPrincipal object has no sAMAccountName; its CN is the SID string
    string sid = gpMemberEntry.Properties["cn"].Value.ToString();
    IdentityReference id = new SecurityIdentifier(sid);
    try
    {
        string[] account = id.Translate(typeof(NTAccount)).ToString().Split('\\');
        userAlias = account[1];
    }
    catch (IdentityNotMappedException)
    {
        // returns just the SID reference if the FSP has been deleted in the Foreign Domain
        userAlias = id.ToString();
    }
}
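The two problems raised in this thread (the enumeration in the question aborting with error 1332, and the follow-up's CN-to-SID translation) can be handled together by reading the group's raw member attribute instead of letting AccountManagement resolve each cross-store reference, then translating each SID yourself. The following is an added example written for this thread, not code from the original poster or from the accepted solution; it assumes a reference to System.DirectoryServices, an on-premises domain reachable over LDAP, and a placeholder group DN, and it uses SecurityIdentifier.Translate as the resolution step. Orphaned FSPs are reported rather than removed, so the output can be reviewed before any cleanup.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Security.Principal;

// Added example: audit a group for foreign security principals whose SID no longer
// resolves in the trusted domain. Group DN below is a placeholder (assumption).
public static class OrphanedFspAudit
{
    public sealed class MemberReport
    {
        public string DistinguishedName;
        public SecurityIdentifier Sid;        // null when the entry carries no objectSid
        public string ResolvedAccount;        // DOMAIN\name, or null when the SID is unmappable
        public bool IsForeignSecurityPrincipal;
        public bool IsOrphaned => IsForeignSecurityPrincipal && ResolvedAccount == null;
    }

    public static List<MemberReport> Audit(string groupDn)
    {
        var report = new List<MemberReport>();
        using (var group = new DirectoryEntry("LDAP://" + groupDn))
        {
            // The raw "member" attribute is a list of DNs. Reading it never triggers the
            // cross-store lookup that produces error 1332, so orphaned FSPs come back as
            // ordinary entries instead of exceptions.
            foreach (object memberObj in group.Properties["member"])
            {
                string memberDn = (string)memberObj;
                var entry = new MemberReport { DistinguishedName = memberDn };

                using (var member = new DirectoryEntry("LDAP://" + memberDn))
                {
                    foreach (object cls in member.Properties["objectClass"])
                    {
                        if (string.Equals((string)cls, "foreignSecurityPrincipal",
                                          StringComparison.OrdinalIgnoreCase))
                        {
                            entry.IsForeignSecurityPrincipal = true;
                        }
                    }

                    // objectSid is stored as a binary blob; SecurityIdentifier parses it directly,
                    // so there is no need to go through the CN string.
                    if (member.Properties["objectSid"].Value is byte[] sidBytes)
                    {
                        entry.Sid = new SecurityIdentifier(sidBytes, 0);
                    }
                }

                if (entry.Sid != null)
                {
                    try
                    {
                        entry.ResolvedAccount = entry.Sid.Translate(typeof(NTAccount)).Value;
                    }
                    catch (IdentityNotMappedException)
                    {
                        // ERROR_NONE_MAPPED (1332): no domain in the trust path knows this SID.
                        // Keep the SID so the orphaned record can be reported and reviewed.
                        entry.ResolvedAccount = null;
                    }
                }

                report.Add(entry);
            }
        }
        return report;
    }

    public static void Main(string[] args)
    {
        // Placeholder DN (assumption); pass the real group DN as the first argument.
        string groupDn = args.Length > 0 ? args[0] : "CN=Server Admins,OU=Groups,DC=example,DC=local";

        foreach (MemberReport m in Audit(groupDn))
        {
            Console.WriteLine("{0,-9} {1,-48} {2}",
                m.IsOrphaned ? "ORPHANED" : "ok",
                m.Sid != null ? m.Sid.Value : "(no objectSid)",
                m.ResolvedAccount ?? m.DistinguishedName);
        }
    }
}
```

Two caveats when running this against a real group: the member attribute of a group with more than 1500 members is returned in ranges, so very large groups need ranged retrieval via DirectorySearcher rather than a single Properties["member"] read, and Translate distinguishes only "unmappable" (IdentityNotMappedException) from other failures, so a transient trust or RPC error surfaces as a different exception and should not be mistaken for an orphaned record.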
Are you saying that when there is a problem, that you can't access the Principal.Sid property?
foreach (Principal member in members)
{
    Console.WriteLine(member.Sid);
}
Thanks....very helpful