If FSP is member of any group we can find them using memberof attribure of FSP.
But, If that is not populated, it might be the case that, someone directly and stupidly gave that FSP some right somewhere.
How do we find that?
Go into the ForeignSecurityPrincipals container and delete all of the FSPs that exist from the old NT4 domain.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ahmed Al-Awah
Sent: Tuesday, November 22, 2005 5:30 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Removing foreign accountsHello all,
Until recently we had two domains, a W2K domain and a WinNT4 domain. I've managed to finally shut down the Windows NT4 domain. However, given our previous setup and the trust relationships that existed between both domains I'm left with several users from the old domain in AD groups on our primary Windows 2K Domain.
I was wondering if anyone had a script that would remove users from a particular domain from another domain's groups (removing all NT4 accounts from the W2K domain groups)? The reason I'd like to do this is because everytime we attempt to access a group in AD with members from the previous domain we recieve an error stating that some of the names cannot be shown in user-friendly form which is primarily due to the fact that the previous domain has been shutdown. I've searched the MS Script Repository to no avail.
Any help is appreciated.
Cheers,
Ahmed
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Fortune and Love befriend the bold"
~~~~~~~~~~~~~~~~~~~~~~~~~~~
