Question

How to add ForeignSecurityPrincipals to 'Active Directory Lightweight Directory Services' (AD LDS)? i.e. bringing 'AD security principals (users as well as computer accounts)' to AD LDS? Any script/ps cmdlet/tool?

Adding 'AD' security principals as "ForeignSecurityPrincipals" to AD LDS using 'ADSI Edit'

I know I can bring them in by making them members of Administrators/Readers/Users (i.e. in order to define roles for the 'AD users' as Readers/Users/Administrators the foreign security principals need to be added - which makes sense - so ADSI Edit is automatically adding the SIDs to the ForeignSecurityPrincipals container) (please see the attached image adding

Question (what are the different ways of doing it other than assigning roles using ADSI Edit):

But, I am wondering, is there a way without making the security principal a member of one of the roles? Especially, I don't want to do it this way for 'computer accounts' - as they are not categorized as 'administrators' or 'users' or 'roles' by default in the AD LDS schema. I think I can extend the schema so that my AD LDS instance understands computer accounts and then add the computers there.

Just curious if there is another way to do it? Any other tool or PS script will do as well, as I am pretty sure there are a number of 'directory services admin tools'.

Regards.


Solution 3

Actually, it simply turned out that I can set 'permissions' on AD LDS directory objects without adding anything to the 'ForeignSecurityPrincipals' container...

So, I just set 'perms' based on SID (a few examples are below, http://greatit.wordpress.com/2012/08/13/dsacls-and-built-in-groups/ )

Examples which grant 'generic all/full control' (GA) on an AD LDS object:

dsacls "\\{myadldsserver}:{port}\cn=testadldsobject,cn=test,cn=com" /G {sid}:GA

dsacls {DN} /G {domain}\{username}:GA

dsacls {DN} /G {domain}\{machinename}$:GA

Regards.
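As an added example (not part of the original answer), the same SID-based grant done from PowerShell through System.DirectoryServices instead of dsacls, plus a read-back of the resulting ACE. It goes slightly beyond the answer by defaulting to GenericRead rather than GA, and by resolving a computer account's SID from its "DOMAIN\NAME$" form, which is the case the question was worried about. The host:port, DN and account names are placeholders.

```powershell
# Added example, not from the original answer. Grants an AD principal rights on an AD LDS
# object directly by SID, so nothing is created under ForeignSecurityPrincipals.
# Assumptions (placeholders): the AD LDS host:port, the target DN and the domain account.
Add-Type -AssemblyName System.DirectoryServices

# Resolve "DOMAIN\name" to a SID string via the local LSA. Works for computer accounts too:
# pass the sAMAccountName with its trailing "$", e.g. "CONTOSO\WEB01$".
function Resolve-AdSid {
    param([Parameter(Mandatory)][string]$NtAccount)
    $acct = New-Object System.Security.Principal.NTAccount($NtAccount)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Append one Allow ACE (<Rights> for <Sid>) to the object's DACL in AD LDS.
function Grant-AdLdsAccess {
    param(
        [Parameter(Mandatory)][string]$Server,   # "host:port" of the AD LDS instance
        [Parameter(Mandatory)][string]$Dn,       # DN of the object to protect
        [Parameter(Mandatory)][string]$Sid,      # SID string of the AD principal
        [System.DirectoryServices.ActiveDirectoryRights]$Rights =
            [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    )
    $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Dn")
    $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $rule     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, $Rights, [System.Security.AccessControlType]::Allow)
    $entry.ObjectSecurity.AddAccessRule($rule)   # edits nTSecurityDescriptor in memory
    $entry.CommitChanges()                        # writes it back to the directory
    $entry.Dispose()
}

# Read the DACL back. Identities are kept as raw SIDs because the AD LDS host may not be
# able to translate an AD SID to a name (the ACE stores only the SID anyway).
function Get-AdLdsAcesForSid {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$Dn,
        [Parameter(Mandatory)][string]$Sid
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Dn")
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $entry.Dispose()
    return @($rules | Where-Object { $_.IdentityReference.Value -eq $Sid })
}

# --- usage with placeholder values (assumptions) ---
$server = "myadldsserver:50000"
$dn     = "CN=testadldsobject,CN=test,CN=com"
$sid    = Resolve-AdSid "CONTOSO\WEB01$"     # a computer account; no schema extension needed

Grant-AdLdsAccess -Server $server -Dn $dn -Sid $sid    # GenericRead by default, not GA
Get-AdLdsAcesForSid -Server $server -Dn $dn -Sid $sid |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```

Two caveats worth keeping in mind. First, an ACE by SID only takes effect if the principal can bind to the instance with Windows authentication and the AD LDS host can build a token containing that SID, so the host needs to be domain-joined (or in a trusting domain). Second, GA on an object includes WriteDacl, so the grantee can rewrite the ACL you just set; for a read-only consumer such as a service's computer account, GenericRead or a specific ReadProperty grant is the least-privilege choice.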

OTHER TIPS

You seem to be asking about two different things here. The image shows you granting access to Active Directory security principals in AD LDS. But then you start talking about extending the schema, suggesting you're looking to import objects from AD.

If it's the latter, you could use FIM, ADAMSync or roll your own using e.g. PowerShell.

More help on ADAMSync here

* UPDATE *

According to Dmitri Gavrilov in this post, manually adding FSPs is not possible.

Alternatively, you can use PowerShell to add the user/computer to one of the built-in groups (my example will use Readers), then immediately remove them. The foreignSecurityPrincipal will remain in the directory. It seems that ADAM/AD LDS is the one actually creating the foreignSecurityPrincipal object on your behalf when you request adding a member by SID.

Get the Readers group in the Configuration partition...

Import-Module ActiveDirectory

$servername = "myserver:389"   # host:port of the AD LDS instance

# The configuration naming context contains the instance GUID, so read it from rootDSE
$configPartition = (Get-ADRootDSE -Server $servername).namingContexts | ? { $_ -match "^CN=Configuration" }

$readersGroup = ("CN=Readers,CN=Roles," + $configPartition)

Add the SID (wrap in <SID=...>) to the Readers group

Set-ADObject -Identity $readersGroup -Add @{member = "<SID=S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX-XXXXX>"} -Server $servername

Remove the SID from the Readers group

# The foreignSecurityPrincipal object created by the add above stays behind
Set-ADObject -Identity $readersGroup -Remove @{member = "<SID=S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXX-XXXXX>"} -Server $servername
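The add-then-remove trick above, as an added example (not code from the original answer) wrapped in a reusable function. It goes a step further than the answer: it checks whether the SID is already a member of the role so that an existing membership is not silently stripped, warns if the removal fails (in which case the principal would keep Readers rights), and returns the foreignSecurityPrincipal object so the caller can confirm it now exists. The host:port, role name and the computer name are placeholders.

```powershell
# Added example, not from the original answer. Makes AD LDS create a foreignSecurityPrincipal
# for an AD SID by briefly adding it to a built-in role, then removes it again.
# Assumptions (placeholders): the AD LDS host:port, the role name and the computer name.
Import-Module ActiveDirectory

function New-AdLdsForeignSecurityPrincipal {
    param(
        [Parameter(Mandatory)][string]$Server,   # "host:port" of the AD LDS instance
        [Parameter(Mandatory)][string]$Sid,      # AD SID string, e.g. (Get-ADComputer WEB01).SID.Value
        [string]$RoleCn = "Readers"              # built-in role whose membership is toggled
    )
    $rootDse  = Get-ADRootDSE -Server $Server
    $configNc = $rootDse.namingContexts | Where-Object { $_ -match '^CN=Configuration' }
    $roleDn   = "CN=$RoleCn,CN=Roles,$configNc"
    # FSP objects are named after their SID, so the DN is predictable
    $fspDn    = "CN=$Sid,CN=ForeignSecurityPrincipals,$configNc"

    # Already a member? Then the FSP exists, and we must not remove a membership someone
    # deliberately granted.
    $role = Get-ADObject -Identity $roleDn -Properties member -Server $Server
    if ($role.member -contains $fspDn) {
        return Get-ADObject -Identity $fspDn -Properties objectSid -Server $Server
    }

    # The <SID=...> form is resolved by AD LDS, which creates the FSP on our behalf
    $sidRef = "<SID=$Sid>"
    Set-ADObject -Identity $roleDn -Add @{ member = $sidRef } -Server $Server
    try {
        Set-ADObject -Identity $roleDn -Remove @{ member = $sidRef } -Server $Server
    }
    catch {
        # Left in this state the principal still holds the role's rights; surface it loudly
        Write-Warning "FSP created, but $Sid is still a member of $roleDn : $_"
    }

    # Return the object that now represents the AD principal inside AD LDS
    return Get-ADObject -Identity $fspDn -Properties objectSid -Server $Server
}

# --- usage with placeholder values (assumptions) ---
# The SID comes from the AD domain (default -Server of Get-ADComputer), not from AD LDS
$computerSid = (Get-ADComputer -Identity "WEB01").SID.Value
New-AdLdsForeignSecurityPrincipal -Server "myadldsserver:389" -Sid $computerSid |
    Select-Object DistinguishedName, ObjectClass, objectSid
```

Note that the FSP on its own grants nothing; it only gives you an object you can later put into a role or reference in an ACL. If the removal step ever fails, treat the warning as an incident to follow up, because the principal is then a Reader of the whole instance until someone takes it out by hand.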

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow