Removing foreign security principals for AD once all trusts have been removed

Ben Wosjke 136 Reputation points
2023-11-07T03:52:20.4133333+00:00

Hi - I have recently started at an org that has gone through a number of mergers.

All trusts to their current AD forest/Domain are now gone.

There are a few thousand FSPs.

I'm comfortable deleting the orphaned ones... but there are some that still have a readable name and some that are members of groups.

Given that the trusts are gone - my understanding is that it's safe to delete these objects - but I am looking for confirmation.

Active Directory

2 answers

  1. Ben Wosjke 136 Reputation points
    2024-02-08T23:40:41+00:00

    Hi Dan - never got a response to this one.... however, I deleted the FSP objects (approx. 100 a day) with the safety net of the AD Recycle Bin.... and there were not any issues.

    Given we no longer had any trusts etc - this was expected... however, some sort of MS doco or confirmation to my post would have been nice.

    Anyhoo - my suggestion is:

    • Ensure the AD Recycle Bin is enabled
    • Delete the FSPs slowly - so if there is an issue, you are recovering a smaller number out of the AD Recycle Bin
    • Accept that no one else in your org will understand or care about keeping AD clean
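The three-step procedure above (check the Recycle Bin, inventory, delete in small batches), written out as a PowerShell script. This is an added example, not code from the original poster: it assumes the RSAT ActiveDirectory module, a Domain Admin or delegated account, and arbitrary choices for the batch size (100, matching the post) and the CSV log path. It refuses to run while any trust still exists, logs each FSP's resolvable name and group memberships so the "still has a readable name" and "member of groups" cases can be reviewed before deletion, and keeps the well-known principals (Authenticated Users S-1-5-11, Interactive S-1-5-4, Enterprise Domain Controllers S-1-5-9, and so on) that also live in CN=ForeignSecurityPrincipals and are still referenced by domain-local group memberships regardless of trusts. Nothing is deleted unless -Delete is passed; without it every Remove-ADObject runs with -WhatIf.

```powershell
# Added example (not the original poster's script): staged cleanup of
# foreignSecurityPrincipal objects after all trusts have been removed.
# Assumes: RSAT ActiveDirectory module; an account allowed to delete
# objects under CN=ForeignSecurityPrincipals. $BatchSize and $LogPath
# are arbitrary. Dry run by default; pass -Delete to actually remove.
param(
    [int]    $BatchSize = 100,
    [string] $LogPath   = "$env:TEMP\fsp-cleanup.csv",
    [switch] $Delete
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Safety net: do not touch anything unless the AD Recycle Bin is on.
$rb = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    throw "AD Recycle Bin is not enabled; enable it before deleting any FSP."
}

# 2. The whole argument rests on there being no trusts left; verify it.
$trusts = @(Get-ADTrust -Filter *)
if ($trusts.Count -gt 0) {
    throw ("Trusts still exist (" + ($trusts.Name -join ', ') +
           "); FSPs from those domains are still in use.")
}

# 3. Inventory the FSP container and classify each object.
$domain  = Get-ADDomain
$fspBase = "CN=ForeignSecurityPrincipals,$($domain.DistinguishedName)"
$fsps = Get-ADObject -SearchBase $fspBase -SearchScope OneLevel `
            -Filter 'objectClass -eq "foreignSecurityPrincipal"' `
            -Properties objectSid, memberOf

$report = foreach ($fsp in $fsps) {
    $sid = $fsp.objectSid.Value
    # Principals from another domain carry that domain's S-1-5-21-... prefix.
    # Anything else (S-1-5-11 Authenticated Users, S-1-5-4 Interactive, ...)
    # is a well-known SID used by groups such as Pre-Windows 2000 Compatible
    # Access and must stay, trusts or no trusts.
    $isWellKnown = $sid -notmatch '^S-1-5-21-'
    $resolved = $null
    try {
        $resolved = ([System.Security.Principal.SecurityIdentifier]$sid).
                        Translate([System.Security.Principal.NTAccount]).Value
    } catch { }   # unresolvable = orphaned; expected once the trust is gone
    [pscustomobject]@{
        DistinguishedName = $fsp.DistinguishedName
        Sid               = $sid
        ResolvedName      = $resolved
        MemberOfCount     = @($fsp.memberOf).Count
        MemberOf          = (@($fsp.memberOf) -join ';')
        Action            = if ($isWellKnown) { 'Keep-WellKnown' } else { 'Delete' }
    }
}
# Keep the inventory: it is the list you will restore from if something breaks.
$report | Export-Csv -Path $LogPath -NoTypeInformation
Write-Host ("{0} FSPs found, {1} marked for deletion, {2} well-known kept. Log: {3}" -f
    $report.Count,
    @($report | Where-Object Action -eq 'Delete').Count,
    @($report | Where-Object Action -eq 'Keep-WellKnown').Count,
    $LogPath)

# 4. Delete one batch. Run the script once per day (or per change window)
#    so a bad batch is small enough to restore from the Recycle Bin.
$batch = $report | Where-Object Action -eq 'Delete' | Select-Object -First $BatchSize
foreach ($t in $batch) {
    # Deleting the FSP also drops it from the member attribute of every
    # group in its memberOf list; the groups themselves are untouched.
    Remove-ADObject -Identity $t.DistinguishedName -Confirm:$false -WhatIf:(-not $Delete)
}
```

If a deletion does turn out to matter, the objects can be brought back within the deleted-object lifetime with Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects piped to Restore-ADObject, using the SIDs recorded in the CSV to pick the right ones.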

  2. Thameur-BOURBITA 33,976 Reputation points
    2024-02-10T11:18:13.1033333+00:00

    Hi @Ben Wosjke

    These objects represent security principals from trusted domains external to the forest, and allow foreign security principals to become members of groups within the domain. For more details please read this article:
    Foreign Security Principals Container

    So, if you delete all trusts, you can delete these objects without any impact, because without trusts these objects have no role.


    Please don't forget to mark the helpful answer.
