5 Replies Latest reply on May 28, 2019 5:32 PM by 8paul

    Possible to Resolve Foreign Security Principal Names?

    ericrgarner

      I'm trying to use ARM to create OU reports that show group memberships for remote domains that are connected via an AD Trust.  I created a new connector on the remote domain controller and am using domain administrator credentials to perform the scan in that domain.  However, when I generate the report showing the group membership in the remote OU, I'm only able to see the raw SID values for the AD Trusted group objects and not the translated 'Readable Names'.   I can log on manually to the remote domain and this value is easily visible in the ForeignSecurityPrincipals OU in the Active Directory Users and Computers MMC. Is there some way to pull the Readable Name into the reports so I'm not stuck with a raw SID?


        • Re: Possible to Resolve Foreign Security Principal Names?
          8paul

          Hi Eric,


          Just to confirm, you have scanned the domain from which the accounts originate, correct?

          If that is the case, ARM should translate SIDs in the reports. The only exception that I am aware of is managed service accounts. Are these accounts by chance managed service accounts?


          Regards

          Paul

            • Re: Possible to Resolve Foreign Security Principal Names?
              ericrgarner

              Hi 8paul,


              Thanks for your response.  In this case the accounts I'm trying to resolve do not originate in my domain.  These groups are originating from a client's domain and are mapped via a one-way trust.  I can see the names of the groups resolve when I manually log in to my remote domain, but the reports are not able to do the same resolution.  Is this something I should open a ticket with support to take a look at?

                • Re: Possible to Resolve Foreign Security Principal Names?
                  8paul

                  Hi Eric,


                  ARM will only resolve accounts from domains you have actually scanned. So in this case you would need to scan your client's domain.

                  Assuming the ARM server can resolve the FQDN of the domain, follow these steps:

                  1. Open ARM Config

                  2. Click Scans

                  3. Click Domain

                  4. Enter the FQDN of the target domain into the filter and press Enter; it should create a list entry with that name

                  5. Select the list entry and click Apply

                  6. Configure the rest of the settings like you did for your own domain


                  After the domain has been scanned the accounts will be resolved.


                  Regards

                  Paul

                    • Re: Possible to Resolve Foreign Security Principal Names?
                      ericrgarner

                      Hi Paul,


                      Scanning a client's production domain is not an option in this case. We have a PowerShell script that we can manually run on the domain on our side which iterates through the Foreign Security Principals and converts them to a friendly name.  It is possible to do this without scanning the domain on the other side of the trust as this information is already available.   If this functionality could be incorporated into the existing reporting toolset for ARM that would be a huge win for our organization.

                       Function Convert-FspToUsername {
                           [CmdletBinding()]
                           Param
                           (
                               [Parameter(Position = 0, Mandatory = $true, ValueFromPipeline = $true)]
                               [string[]]$UserSID
                           )
                           Process {
                               foreach ($Sid in $UserSID) {
                                   try {
                                       # Ask LSA to translate the SID to DOMAIN\name; this works across a trust
                                       # as long as a DC of the trusted domain is reachable from this machine
                                       $SAM = (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount])
                                       # Emit the object instead of 'return', so every SID in the array is processed
                                       [PSCustomObject]@{
                                           Sid            = $Sid
                                           sAMAccountName = $SAM.Value
                                       }
                                   }
                                   catch {
                                       # Unresolvable SID (orphaned FSP, trust unavailable, not a SID at all):
                                       # emit the error text in place of the name so the row is not lost
                                       [PSCustomObject]@{
                                           Sid            = $Sid
                                           sAMAccountName = $_.Exception.Message.Trim()
                                       }
                                   }
                               }
                           }
                       }

                       Import-Module ActiveDirectory

                       $adOU     = Get-ADOrganizationalUnit -Filter * | Where-Object { $_.Name -eq "Hosting" }
                       $adGroups = Get-ADGroup -Filter { Name -notlike "Catalyst*" } -Properties members -SearchBase $adOU.DistinguishedName

                       $rows = foreach ($g in $adGroups) {
                           foreach ($member in $g.Members) {
                               # Members are DNs; fetch objectSid so native principals resolve as well as FSPs
                               # (a foreignSecurityPrincipal carries the foreign SID both in objectSid and in its CN)
                               $ado = Get-ADObject -Identity $member -Properties objectSid
                               $sid = if ($ado.objectSid) { $ado.objectSid.Value } else { $ado.Name }
                               $uname = Convert-FspToUsername -UserSID $sid
                               [PSCustomObject]@{
                                   MemberOf = $g.Name
                                   Member   = $uname.sAMAccountName
                               }
                           }
                       }

                       # Export-Csv quotes and escapes the values itself, so no hand-built CSV string is needed
                       $rows | Export-Csv -Path "adgroups.csv" -NoTypeInformation
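An added example that is not part of this thread and not ARM's own code: it takes the same LSA-translation approach as Eric's script, but walks the whole ForeignSecurityPrincipals container of a domain and separates SIDs that still resolve over the trust from orphaned ones (the trust or the far-side account is gone) that still hold group memberships. Those orphans are the rows a reviewer wants first, because a SID-only member in a group cannot be tied to a person and the membership is usually stale privilege. It assumes the RSAT ActiveDirectory module, a machine joined to the domain that holds the FSPs (the trusting side of the one-way trust, which is the side whose LSA can look up the far domain), and a placeholder domain name `hosting.example`; `Get-FspAuditReport` is a hypothetical function name.

```powershell
# Added example (not from the thread or from ARM): audit every foreignSecurityPrincipal
# in one domain, resolve it over the trust and flag orphans that still sit in groups.
# Assumptions: RSAT ActiveDirectory module; run from a member of the domain that holds
# the FSPs; 'hosting.example' is a placeholder domain name.
Import-Module ActiveDirectory

function Get-FspAuditReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Domain   # FQDN of the domain to audit
    )
    # memberOf is a back-link, so it only lists groups in this domain; that is the
    # scope ARM reports on anyway.
    $fsps = Get-ADObject -Server $Domain -LDAPFilter '(objectClass=foreignSecurityPrincipal)' `
                         -Properties memberOf, whenCreated

    foreach ($fsp in $fsps) {
        # An FSP's CN is the foreign SID as a string, so it can be fed straight to the SID type
        $sid = New-Object System.Security.Principal.SecurityIdentifier($fsp.Name)
        try {
            $name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $status = 'Resolved'
        }
        catch [System.Security.Principal.IdentityNotMappedException] {
            # LSA reached the far side but nothing owns this SID any more (deleted account),
            # or no trust path exists for this SID's domain: treat as orphaned
            $name   = $null
            $status = 'Orphaned'
        }
        catch {
            # Anything else (e.g. the trusted domain's DCs are unreachable right now)
            $name   = $null
            $status = "Error: $($_.Exception.Message.Trim())"
        }
        [PSCustomObject]@{
            Sid        = $fsp.Name
            Name       = $name
            Status     = $status
            GroupCount = @($fsp.memberOf).Count
            MemberOf   = (@($fsp.memberOf) -join ';')
            Created    = $fsp.whenCreated
        }
    }
}

# Orphaned and errored entries first, the ones in the most groups at the top
Get-FspAuditReport -Domain 'hosting.example' |
    Sort-Object @{ Expression = 'Status'; Descending = $false },
                @{ Expression = 'GroupCount'; Descending = $true } |
    Export-Csv -Path 'fsp-audit.csv' -NoTypeInformation
```

The distinction between `Orphaned` and `Error` matters when reading the CSV: an `IdentityNotMappedException` is an answer (nobody owns that SID), whereas a transport or RPC error means the lookup never happened, so a run taken while the trust link is down would otherwise make every FSP look orphaned. Re-run after the link is back before acting on the `Error` rows; the `Orphaned` rows with a non-zero `GroupCount` are the memberships to review and remove.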