How to resolve Foreign security principals with Quest cmdlets for AD?
Get-QADObject -ResolveForeignSecurityPrincipals -Type foreignSecurityPrincipal | Select-Object SamAccountName,Type,DN
===================================================================================
How to remove the Foreign security principals from groups:
$log = New-Item -Path C:\output.txt -ItemType File -Force
# dsquery prints one quoted group DN per line; -limit 0 lifts the default cap of 100 results
$groups = cmd.exe /c dsquery group "ou=groups,dc=mydomain,dc=com" -limit 0
foreach ($g in $groups) {
    # dsget prints one quoted member DN per line
    $members = cmd.exe /c dsget group $g -members
    foreach ($m in $members) {
        if ($m -like "*CN=ForeignSecurityPrincipals*") {
            Write-Host "Group $g contains FSP $m"
            Add-Content -Path $log -Value "Group $g contains FSP $m"
            # Uncomment to actually remove the FSP from the group:
            # cmd.exe /c dsmod group $g -rmmbr $m
        }
    } # end foreach members
} # end foreach groups
========================================================================
Here is a script to list the Foreign Security Principals and the groups they belong to (ActiveDirectory module):
# Get a list of FSPs
Import-Module ActiveDirectory
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" }
# The .NET Framework should be able to translate any that aren't orphaned
# (the Name of an FSP object is its SID string):
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } | ForEach-Object {
    ([System.Security.Principal.SecurityIdentifier] $_.Name).Translate([System.Security.Principal.NTAccount])
}
# You can also get the groups and whether or not the FSP is orphaned (this
# assumes that a translation error means that the object is orphaned; that
# might not always be the case, e.g. when the trust is temporarily unreachable):
Get-ADObject -Filter { objectClass -eq "foreignSecurityPrincipal" } -Properties memberOf | ForEach-Object {
    $Orphaned = $false
    $TranslatedName = $null
    try {
        $TranslatedName = ([System.Security.Principal.SecurityIdentifier] $_.Name).Translate([System.Security.Principal.NTAccount])
    }
    catch {
        $Orphaned = $true
    }
    # Guard the group lookup: piping an empty memberOf into Get-ADGroup would error out
    $Groups = @()
    if ($_.MemberOf) {
        $Groups = $_.MemberOf | Get-ADGroup | Select-Object -ExpandProperty Name
    }
    New-Object PSObject -Property @{
        Name           = $_.Name
        TranslatedName = $TranslatedName
        Orphaned       = $Orphaned
        Groups         = $Groups
    }
}
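The two previous sections (dsmod-based removal, and the orphan check via SID translation) can be combined into one ActiveDirectory-module cleanup that supports a dry run. The following is an added example, not code from the original page; the function names, the log path and the -WhatIf workflow are my own, and it assumes RSAT's ActiveDirectory module. One check the earlier scripts do not make: the well-known SIDs (Everyone S-1-1-0, Authenticated Users S-1-5-11, INTERACTIVE S-1-5-4, ...) also live under CN=ForeignSecurityPrincipals and must never be removed, so only SIDs of the S-1-5-21-<domain>-<rid> form are even considered.

```powershell
# Added example (not from the original page): find FSP group memberships whose
# SID no longer resolves and optionally remove them. Requires the
# ActiveDirectory module (RSAT). Function names and log path are placeholders.
Import-Module ActiveDirectory

function Test-WellKnownSid {
    param([string]$Sid)
    # Accounts from a trusted domain carry the S-1-5-21-<domain>-<rid> form.
    # Anything else under CN=ForeignSecurityPrincipals (S-1-1-0 Everyone,
    # S-1-5-11 Authenticated Users, S-1-5-4 INTERACTIVE, ...) is a well-known
    # SID that must never be treated as orphaned.
    return -not ($Sid -like 'S-1-5-21-*')
}

function Get-OrphanedFspMembership {
    [CmdletBinding()]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    Get-ADObject -Filter { objectClass -eq 'foreignSecurityPrincipal' } `
                 -SearchBase $SearchBase -Properties memberOf |
      ForEach-Object {
        $sid = $_.Name
        if (Test-WellKnownSid $sid) { return }   # keep Everyone, Authenticated Users, ...
        if (-not $_.memberOf) { return }         # not in any group: nothing to clean
        try {
            $null = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount])
            return                               # resolves: still a live account
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # Fall through: the trusted domain does not know this SID any more.
            # Any other exception (trust unreachable, RPC error) is left to surface
            # so that a transient outage does not look like an orphan.
        }
        foreach ($groupDn in $_.memberOf) {
            [PSCustomObject]@{
                Sid     = $sid
                FspDn   = $_.DistinguishedName
                GroupDn = $groupDn
            }
        }
      }
}

function Remove-OrphanedFspMembership {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(ValueFromPipeline = $true)] $Membership,
        [string]$LogPath = 'C:\fsp-cleanup.log'   # placeholder path
    )
    process {
        $target = "$($Membership.Sid) from $($Membership.GroupDn)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove-ADGroupMember')) {
            Remove-ADGroupMember -Identity $Membership.GroupDn `
                                 -Members $Membership.FspDn -Confirm:$false
            Add-Content -Path $LogPath -Value "$(Get-Date -Format o) removed $target"
        }
    }
}

# Dry run first: -WhatIf shows what would be removed without touching AD.
Get-OrphanedFspMembership | Remove-OrphanedFspMembership -WhatIf
# Get-OrphanedFspMembership | Remove-OrphanedFspMembership   # prompts per removal
```

Run the dry run while every trust is known to be healthy (Get-ADTrust, or `nltest /trusted_domains`), because an FSP from a domain whose trust is down can raise the same IdentityNotMappedException as a deleted account; the per-removal confirmation prompt is there so that such a false positive can still be skipped by hand.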
=========================================================================
Here is a function that lists group members recursively; foreign security principals are collected in their own list (Get-ADGroupMember reports them with objectClass foreignSecurityPrincipal, so a plain user/group filter would silently drop them):
function getGroupMembers($gname) {
    $thisgroup = "" | Select-Object Groupname,UMembers,GMembers,FMembers
    $thisgroup.Groupname = $gname
    $thisgroup.UMembers = @()
    $thisgroup.GMembers = @()
    $thisgroup.FMembers = @()
    # query the DC once and split the result by object class
    $members = Get-ADGroupMember -Server dc01 -Identity $gname
    $thisgroup.UMembers = @($members | ? { $_.objectClass -eq 'user' })
    $thisgroup.FMembers = @($members | ? { $_.objectClass -eq 'foreignSecurityPrincipal' })
    $groups = $members | ? { $_.objectClass -eq 'group' }
    foreach ($gmember in $groups) {
        Write-Host $gmember.name
        if ($gmember.name) {
            $childgroup = getGroupMembers $gmember.name
            $thisgroup.GMembers += $childgroup
        }
    }
    return $thisgroup
}
$mygroup = getGroupMembers 'mydomaingroup'
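The recursion above has no protection against circular nesting (group A contains B, B contains A), and it reports an FSP only as a SID. The following added example (mine, not from the original page) walks the group's member attribute directly, keeps a visited set so a loop terminates, and shows the resolved account behind each FSP when the trust can still translate it. It assumes the ActiveDirectory module; 'dc01' and 'mydomaingroup' are placeholders, as on the page.

```powershell
# Added example (not from the original page): recursive group expansion that
# reads the "member" attribute directly, so foreign security principals are
# returned as members instead of being filtered out, and a visited set stops
# infinite recursion on circular nesting. Requires the ActiveDirectory module;
# 'dc01' and the group name are placeholders.
Import-Module ActiveDirectory

function Get-GroupMembersRecursive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$GroupName,
        [string]$Server = 'dc01',
        [System.Collections.Generic.HashSet[string]]$Visited =
            (New-Object 'System.Collections.Generic.HashSet[string]'),
        [int]$Depth = 0
    )
    $group = Get-ADGroup -Server $Server -Identity $GroupName -Properties member
    # HashSet.Add returns $false if the DN was already expanded: break the cycle
    if (-not $Visited.Add($group.DistinguishedName)) {
        Write-Verbose "Already expanded $($group.Name); nested loop skipped"
        return
    }
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Server $Server -Identity $dn
        $record = [PSCustomObject]@{
            Group  = $group.Name
            Depth  = $Depth
            Member = $obj.Name
            Class  = $obj.ObjectClass
            Note   = ''
        }
        switch ($obj.ObjectClass) {
            'group' {
                $record
                Get-GroupMembersRecursive -GroupName $dn -Server $Server `
                                          -Visited $Visited -Depth ($Depth + 1)
            }
            'foreignSecurityPrincipal' {
                # Name is the SID string; show the account behind it when resolvable
                try {
                    $record.Note = ([System.Security.Principal.SecurityIdentifier]$obj.Name).Translate(
                                       [System.Security.Principal.NTAccount]).Value
                } catch {
                    $record.Note = 'unresolved (orphaned or trust unavailable)'
                }
                $record
            }
            default { $record }
        }
    }
}

Get-GroupMembersRecursive -GroupName 'mydomaingroup' -Verbose | Format-Table -AutoSize
```

Reading the member attribute instead of calling Get-ADGroupMember also means a member that the DC cannot resolve does not abort the whole listing; it just shows up as a DN with an "unresolved" note, which is exactly the row you want to see when auditing a group.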
