Accessing Foreign Security Principals

Problem description

Searching for the user michael@mycontoso.com with the objectSid S-1-5-21-1234567890-123465789-123456789-123456, I only find a Foreign Security Principal CN=S-1-5-21-1234567890-123465789-123456789-123456,CN=ForeignSecurityPrincipals,DC=contoso,DC=com. That foreign security principal does not contain the properties I have to read, so I guess I have to access the "Home AD" of that FSP.

Does an FSP have a property that always contains the LDAP path of the user object? Is there a standardized/recommended way to access the Home AD?

Recommended answer

Sadly, FSPs don't contain the LDAP path of the referenced object. (If it contained one, it would need to be replicated whenever the object is renamed/moved.)

There seems to be no easy way to get back the containing AD using the SID from a foreign forest. If it is in the local forest, you may do it by binding to `LDAP://<SID=S-1-xxxxx>`.

A not-so-easy way is to build a domain SID to domain map.
Walk through each domain in trusted forests and build the map using the script here (the "The Script Solution" section).

http://blogs.technet.com/b/ashleymcglone/archive/2011/10/12/powershell-sid-walker-texas-ranger-part-3-getting-domain-sids-and-trusts.aspx

SIDs of security principals are in the form of `<domain SID>-<RID>`.
E.g. the domain SID of S-1-5-21-1234567890-123465789-123456789-123456 is S-1-5-21-1234567890-123465789-123456789.

By extracting the domain SID (in .NET you can do it by using the SecurityIdentifier class and its AccountDomainSid property) and looking it up in the map, you can find out the containing domain.
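
The lookup described in the answer, as an added PowerShell example that is not part of the original answer or of the linked script. The function name `Resolve-FspHomeDomain`, the contents of `$DomainSidMap` (including the pairing of the question's domain SID with `mycontoso.com`) and the server-bound `LDAP://<domain>/<SID=...>` path are assumptions made for illustration; it also handles well-known SIDs such as S-1-5-11, which appear under `CN=ForeignSecurityPrincipals` but have no home domain.

```powershell
# Constructed map: domain SID -> DNS name of that domain. In practice it is built
# once by walking every domain in the trusted forests, as the answer describes.
$DomainSidMap = @{
    'S-1-5-21-1234567890-123465789-123456789' = 'mycontoso.com'   # constructed entry
    'S-1-5-21-1111111111-222222222-333333333' = 'contoso.com'     # constructed entry
}

function Resolve-FspHomeDomain {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$DistinguishedName,

        [Parameter(Mandatory)]
        [hashtable]$Map
    )
    process {
        # The RDN of an FSP is the SID string: CN=S-1-...,CN=ForeignSecurityPrincipals,...
        if ($DistinguishedName -notmatch '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') {
            throw "Not a foreign security principal DN: $DistinguishedName"
        }
        $sid = [System.Security.Principal.SecurityIdentifier]::new($Matches[1])

        # AccountDomainSid is $null when the SID is not an account SID
        # (for example the well-known S-1-5-11), so there is nothing to look up.
        $domainSid = $sid.AccountDomainSid
        $domain    = if ($domainSid) { $Map[$domainSid.Value] } else { $null }

        [pscustomobject]@{
            Sid       = $sid.Value
            DomainSid = if ($domainSid) { $domainSid.Value } else { $null }
            Domain    = $domain
            # Path to bind to in the home domain; $null if the domain is not in the map.
            BindPath  = if ($domain) { "LDAP://$domain/<SID=$($sid.Value)>" } else { $null }
        }
    }
}

# Constructed sample DNs: the FSP from the question and a well-known principal.
'CN=S-1-5-21-1234567890-123465789-123456789-123456,CN=ForeignSecurityPrincipals,DC=contoso,DC=com',
'CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=contoso,DC=com' |
    Resolve-FspHomeDomain -Map $DomainSidMap |
    Format-List
```

An FSP whose `Domain` comes back empty while `DomainSid` is set belongs to a domain missing from the map, which usually means the map needs rebuilding or the trust no longer exists.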
