Cross Forest Management – (Create groups with FSP’s as Members) Part 2

This post has been republished via RSS; it originally appeared at: Core Infrastructure and Security Blog articles.

First published on MSDN on Feb 06, 2016

In continuation of Cross Forest Management - (Create groups with FSP's as Members) Part 1


At this point you should have Groups from the Source Forest being created in the Destination Forest with the "FSP" of the user instead of the member of the group in the Source Forest.


If for some reason the FSP's were not being created as members of the groups in the destination forest than i would verify that you are flowing objectSid from the Source forest into the metaverse for Users and Groups. Now in a previous step You were ask to create an attribute "objectSidString" in the metaverse and Bind it to the Person and the Group Resource in the metaverse


Now lets take a look at a Group that was created in the Destination Forest and its members and what it looked like in the source forest.



  • Source Forest









  • Destination Forest







They may look the same but take a closer look, the source contains the actual user object and the destination contains the FSP and you can tell this by the format of the name in the members list.


FSP are displayed with an upward red arrow and the name is First Name.Last Name


if you click on one of the members of a the group in the destination forest you will see something like this.




Now lets navigate to the ForeignSecurityPrincipals container in the destination forest.




Notice there are not many objects in this container but that's because we have only synced in 1 group with 3 members from the source forest the other 4 are default to the destination forest. As you sync more groups into the Destination forest this container will grow in the number of objects.


NOTE: only Users from the Source Forest will have a FSP created in this Container that are also members of a group that has been created in the destination forest.


Previously we created a the Sync rule "Outbound Users to Fabrikam (FSP)" this Sync Rule creates an FSP Object in the Fabrikam MA Connector Space and we can see the object in the connector space once it has been created, but if you run an export on the Fabrikam MA and you have not created groups that contain these members than the MA will delete them from the connector space. More interesting is even if the Group did exist its not the MA that creates Exports the FSP into the Destination Forest. The ADDS MA know that the object is a FSP and that AD will create the object, but it uses the connector space a reference pointer.


Lets take another look at the FSP's in the ForeignSecurityPrincipals container. By default there is nothing for description or display name and as you the container grows in object size you may need to easily locate a specific object.


On the Fabrikam MA click on Properties than click on Configure Join and Projection Rules


Click on foreignSecurityPrincipal and add the following Join Rule


For Data source attribute: select       cn


For Mapping type select                     Direct


For Metaverse object type: select     objectSidString




now click on group


Because in this example I changed the samAccountName and the displayName i cant use either of those although displayName would not be the best choice anyways.


in an example where you need to change the samAccountName you would want to add an additional attribute flow on the Group Sync Rule that adds the value of the objectSid String to an group object in the destination forest and use that to join, otherwise if possible use the samAccountName


For assistance with advanced join logic see the following post - Rules Extensions - MapAttributesForJoin

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.