Introduction
A foreign security principal (sometimes referred to by the acronym FSP) is an object created by the Active Directory system to represent a security principal in a trusted external forest. FSPs can also represent special identities, such as the "Authenticated Users" group. This allows the external security principals and special identities to be added to domain local security groups in the domain and granted permissions to resources.
Definition of Terms
It will help to clarify the relevant terms.
Security Principal
A security principal is an object in Active Directory that can be granted rights and permissions, that is, an object that can appear as the trustee in an Access Control Entry (ACE). For that it must have the objectSID attribute, because an ACE identifies its trustee by SID, never by name or distinguished name. Examples are user, computer, and security group objects in AD. Contacts, distribution groups, Organizational Units, and containers are not security principals. Foreign security principals have the objectSID attribute and are security principals.
SID
SID is an acronym for Security Identifier. All objects in Active Directory that are security principals have the objectSID attribute, a byte array holding the SID; tools display it in string form, for example S-1-5-21-73588362-491711520-221158395-1167. The SID is the value Windows stores in security descriptors and access tokens, so it is what actually identifies the principal for permission checks. The SID is built from several components, the last of which is called the RID (Relative ID). In the example, the RID is 1167. The SID without the RID (here S-1-5-21-73588362-491711520-221158395) is the domain SID, and it is the same for every principal created in the domain; foreign security principals and objects with well-known SIDs are the exception. Each security principal created in a domain has its own unique RID. RIDs below 1000 are reserved for the built-in accounts and groups (for example, RID 500 is the Administrator account and RID 512 is Domain Admins); RIDs for objects you create are allocated from 1000 upward.
GUID
GUID is an acronym for Globally Unique Identifier. This is a 128-bit value that uniquely identifies an object. Every object in Active Directory has an objectGUID attribute (a byte array) holding its GUID. The value is usually displayed either as 32 hexadecimal characters (the 16 bytes, two characters each, as in the table below) or in the hyphenated 8-4-4-4-12 form. Unlike the distinguished name, the objectGUID never changes when an object is renamed or moved, so it is the reliable way to refer to an object over time.
Foreign Security Principal
A Foreign Security Principal (FSP) is an object created by the system to represent a security principal in a trusted external forest. These objects are created in the Foreign Security Principals container of the domain. They can be added to domain local security groups and granted permissions. Foreign Security Principal objects can also represent special identities, such as Authenticated Users, Anonymous Logon, and Enterprise Domain Controllers. The FSP for a special identity is created when the special identity is added to a group. This allows them to be granted permissions. Each FSP object is essentially a placeholder that holds the SID of the foreign object; its name (RDN) is the SID string itself. Using this SID, Windows resolves the friendly name across the trust when a tool such as Active Directory Users and Computers needs it. If the trust is removed or the foreign object is deleted, the SID can no longer be resolved and the FSP is shown only by its SID (the orphaned FSP, or "curly red arrow", case listed under Other Resources). Before cleaning up such entries, confirm that the trust is really gone rather than merely unreachable, because name resolution fails the same way in both cases.
Foreign Security Principal Container
This is the container in the domain where the system creates the foreign security principal objects. If the DNS name of the domain is MyDomain.com, then the distinguished name of this container would be "cn=ForeignSecurityPrincipals,dc=MyDomain,dc=com". The container is shown in this image of Active Directory Users and Computers (ADUC).
Well-Known SIDs
Default identities in Active Directory that are security principals have well-known SIDs. They have objectSID values that are independent of the domain. For example, the default "Authenticated Users" group has the well-known SID "S-1-5-11". The "Anonymous Logon" group has the well-known SID "S-1-5-7".
Special Identities (or Implicit Identities)
These are default groups whose membership is determined by the system rather than by administrators: a user becomes a member implicitly, depending on how the user signs in or connects to a resource (for example, over the network, interactively, or anonymously). They have well-known SID values. Special identities can be assigned rights and permissions to resources, but their membership cannot be viewed or modified, and group scopes do not apply to them. When you add a special identity to a group, Active Directory at that point creates an FSP object (if it does not yet exist) in the Foreign Security Principals container to represent the identity, because the group's member attribute holds distinguished names and therefore needs an object in the domain to point at.
WellKnown Security Principals Container
This is the container for objects with well-known SIDs, such as the special identities. It is located in the Configuration partition of the forest. If the DNS name of the forest is MyDomain.com, then the distinguished name of this container would be "cn=WellKnown Security Principals,cn=Configuration,dc=MyDomain,dc=com". The container is shown in this image of ADSI Edit.
Attributes of Special Identities and WellKnown Security Principals
The following table compares some of the attributes of the "Anonymous Logon" special identity (in the Foreign Security Principals container) with those of the corresponding well-known SID object (in the WellKnown Security Principals container).

| Container | Name | objectSID | objectGUID |
| --- | --- | --- | --- |
| CN=ForeignSecurityPrincipals | S-1-5-7 | S-1-5-7 | C9426CF9xxxxxxxxxxxxxxxx0DFE6E01 |
| CN=WellKnown Security Principals,CN=Configuration | Anonymous Logon | S-1-5-7 | BCBD2C2Axxxxxxxxxxxxxxxx8A1BA1F5 |
Notice that the two objects have different objectGUID values and different Relative Distinguished Names (the FSP is named by its SID string, the well-known object by its friendly name), but the same SID. Two objects can carry the same SID because they are in different partitions (the domain partition and the Configuration partition); a SID only has to be unique among the security principals of one domain. In the same manner, a foreign security principal in one forest and the security principal it stands for in the external forest share the same SID, which is allowed because the objects are in different forests. For access control this is exactly the point: the ACE and the access token carry only the SID, so the FSP is merely the local directory's handle for a SID that is authoritative elsewhere.
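The SID and GUID sections above describe objectSID and objectGUID as byte arrays, and the comparison table shows two objects sharing one SID. The following is an added example, not code from the original page, that decodes both attributes from their raw bytes using the documented binary SID layout (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) and the mixed-endian GUID layout, splits a domain SID into domain part and RID, and classifies the entries of a Foreign Security Principals container by their RDNs. The two sample entries and the local domain SID are constructed for the example; the well-known SID table is a small illustrative subset.

```python
import struct
import uuid

# Illustrative subset of well-known SIDs for the special identities this page
# mentions (not exhaustive; see the Windows well-known SID list).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "Network",
    "S-1-5-4": "Interactive",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-9": "Enterprise Domain Controllers",
    "S-1-5-11": "Authenticated Users",
}


def sid_to_bytes(sid: str) -> bytes:
    """Encode an S-R-I-S... string into the binary objectSID layout:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    """Decode a binary objectSID value into its string form, checking that the
    length matches the embedded sub-authority count."""
    if len(data) < 8:
        raise ValueError("objectSID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("objectSID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_domain_sid(sid: str):
    """For a domain principal (S-1-5-21-<three sub-authorities>-RID) return
    (domain SID, RID). Well-known SIDs such as S-1-5-11 have no domain part,
    so (None, None) is returned for them."""
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return None, None


def bytes_to_guid(data: bytes) -> str:
    """objectGUID is stored in the layout Windows uses: the first three fields
    little-endian, the remaining eight bytes in order (uuid's bytes_le)."""
    return str(uuid.UUID(bytes_le=bytes(data)))


def classify_fsp(rdn: str, local_domain_sid: str) -> str:
    """Classify an entry of CN=ForeignSecurityPrincipals by its RDN, which is
    the SID string the FSP stands for."""
    if rdn in WELL_KNOWN:
        return "special identity: " + WELL_KNOWN[rdn]
    domain, rid = split_domain_sid(rdn)
    if domain is None:
        return "not a domain account SID (other well-known or unknown)"
    if domain == local_domain_sid:
        return "principal from the local domain (RID %d)" % rid
    return "principal from foreign domain %s (RID %d)" % (domain, rid)


# Constructed sample entries (not real directory data): the Anonymous Logon FSP
# and its counterpart in CN=WellKnown Security Principals, as raw attribute bytes.
SAMPLE_ENTRIES = [
    {"dn": "CN=S-1-5-7,CN=ForeignSecurityPrincipals,DC=MyDomain,DC=com",
     "objectSid": sid_to_bytes("S-1-5-7"),
     "objectGUID": bytes(range(16))},
    {"dn": "CN=Anonymous Logon,CN=WellKnown Security Principals,"
           "CN=Configuration,DC=MyDomain,DC=com",
     "objectSid": sid_to_bytes("S-1-5-7"),
     "objectGUID": bytes(range(16, 32))},
]


def compare_entries(entries):
    """Return (set of SID strings, set of GUID strings). One SID but two GUIDs
    shows that the two objects share the SID without being the same object."""
    sids = {bytes_to_sid(e["objectSid"]) for e in entries}
    guids = {bytes_to_guid(e["objectGUID"]) for e in entries}
    return sids, guids


if __name__ == "__main__":
    local = "S-1-5-21-73588362-491711520-221158395"  # constructed domain SID
    sids, guids = compare_entries(SAMPLE_ENTRIES)
    print("SIDs:", sids, "GUIDs:", guids)
    for rdn in ["S-1-5-7", "S-1-5-11", local + "-1167", "S-1-5-21-1-2-3-1105"]:
        print(rdn, "->", classify_fsp(rdn, local))
```

In a real environment the bytes would come from an LDAP search of the Foreign Security Principals container; the length check in bytes_to_sid matters there, because a truncated or padded value would otherwise decode silently into a different SID.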
See Also
- Active Directory: Glossary
- Wiki: Active Directory Domain Services (AD DS) Portal
- Windows 2000 Server: Default User Accounts and Groups
Other Resources
- Special Identities
- Foreign Security Principals and Well-Known SIDS, a.k.a. the curly red arrow problem
- Foreign Security Principals Container
- Active Directory Security Groups
- Security Principals
- https://social.technet.microsoft.com/Forums/en-US/2ceb0a7e-6af2-411f-82e7-9163deff0d87/recursive-member-detection-unexpected-behaviour?forum=winserverDS (Forum post)
- A Pentester’s Guide to Group Scoping (Blog post)
- Well-known security identifiers in Windows operating systems
- Universally unique identifier
- Security identifiers
- Cross-Forest Management Deployment Guide