Trust and Foreign Security Principals in WS 2012r2

Question

Hi.

I was wondering about the connection of AD Trust and Foreign Security Principals. What is the reason such option exist. Can this be changed/manipulated or another words can this FSP be operated on somehow (via like adsiedit)?

Thank you for your insight into the matter,

Answer 1

Hi,
A Foreign Security Principal (FSP) is an object created by the system to represent a security principal in a trusted external forest. These objects are created in the Foreign Security Principals container of the domain. They can be added to domain local security groups and granted permissions.
For example: When adding a user from domain A for the first time to a group from domain B from another forest, this creates an FSP in domain B and adds this FSP to the group from domain B.
For your reference:
https://social.technet.microsoft.com/wiki/contents/articles/51367.active-directory-foreign-security-principals-and-special-identities.aspx

If there orphaned Foreign Security Principals in the container, you can clean up them through ADUC,ADSI or PowerShell command.
For your reference:
https://4sysops.com/archives/clean-up-orphaned-foreign-security-principals/(Third-party link)
This response contains a third-party link. We provide this link for easy reference. Microsoft cannot guarantee the validity of any information and content in this link.

Best Regards,

Answer 2

thank you for the above answer.

why do we have to remove stale foreign security principles

does it give any benefits for an active directory forest? else just a clean-up process