6.1.1.4.10 Foreign Security Principals Container

In AD DS, each domain NC contains a well-known Foreign Security Principals container. This container holds objects of class foreignSecurityPrincipal. These objects represent security principals from trusted domains external to the forest, and allow foreign security principals to become members of groups within the domain.

In AD LDS, the config NC contains a well-known Foreign Security Principals container. It stores foreign security principals from outside of the AD LDS forest.

In an AD LDS application NC, a Foreign Security Principals container is created (and the corresponding value created in the wellKnownObjects attribute) when the first foreignSecurityPrincipal object is created in the application NC.

The automatic creation of foreignSecurityPrincipal objects is specified in sections 3.1.1.5.2.4 and 3.1.1.5.3.3.

name: ForeignSecurityPrincipals

parent: domain NC root on AD DS; Config NC root on AD LDS.

objectClass: container

systemFlags (on AD DS): {FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE}

systemFlags (on AD LDS): {FLAG_DISALLOW_DELETE}

isCriticalSystemObject: TRUE
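As an added example (not part of MS-ADTS), the following Python checks an LDAP entry for this container against the attribute values listed above. The entry layout (attribute name to list of string values) and the sample entry are constructed; the systemFlags bit values are the ones defined in the specification's systemFlags section.

```python
# systemFlags bits from the specification; 0x80000000 makes DCs return the
# attribute as a negative decimal string.
FLAG_DISALLOW_DELETE = 0x80000000
FLAG_DOMAIN_DISALLOW_RENAME = 0x08000000
FLAG_DOMAIN_DISALLOW_MOVE = 0x04000000

FLAG_NAMES = {
    FLAG_DISALLOW_DELETE: "FLAG_DISALLOW_DELETE",
    FLAG_DOMAIN_DISALLOW_RENAME: "FLAG_DOMAIN_DISALLOW_RENAME",
    FLAG_DOMAIN_DISALLOW_MOVE: "FLAG_DOMAIN_DISALLOW_MOVE",
}

# Flags the container must carry, per platform (section 6.1.1.4.10).
EXPECTED_FLAGS = {
    "AD DS": FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE,
    "AD LDS": FLAG_DISALLOW_DELETE,
}


def parse_system_flags(value):
    """Normalise the signed decimal string to an unsigned 32-bit integer."""
    return int(value) & 0xFFFFFFFF


def flag_names(flags):
    """Names of the known protection bits set in a systemFlags value."""
    return {name for bit, name in FLAG_NAMES.items() if flags & bit}


def check_fsp_container(entry, platform):
    """Return deviations from section 6.1.1.4.10 for one LDAP entry.
    An empty list means the container matches the specification."""
    findings = []
    if entry.get("name") != ["ForeignSecurityPrincipals"]:
        findings.append("unexpected name %r" % entry.get("name"))
    if "container" not in entry.get("objectClass", []):
        findings.append("objectClass does not include 'container'")
    if entry.get("isCriticalSystemObject") != ["TRUE"]:
        findings.append("isCriticalSystemObject is not TRUE")
    present = parse_system_flags(entry.get("systemFlags", ["0"])[0])
    for name in sorted(flag_names(EXPECTED_FLAGS[platform] & ~present)):
        findings.append("systemFlags is missing " + name)
    return findings


# Constructed sample entry as a DC would return it (systemFlags 0x8C000000).
SAMPLE_AD_DS_ENTRY = {
    "name": ["ForeignSecurityPrincipals"],
    "objectClass": ["top", "container"],
    "systemFlags": ["-1946157056"],
    "isCriticalSystemObject": ["TRUE"],
}

if __name__ == "__main__":
    print(check_fsp_container(SAMPLE_AD_DS_ENTRY, "AD DS") or "matches spec")
```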