{"id":4784,"date":"2025-10-08T20:03:00","date_gmt":"2025-10-09T00:03:00","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4784"},"modified":"2026-02-27T13:16:55","modified_gmt":"2026-02-27T18:16:55","slug":"active-directory-security-tip-13-kerberos-delegation","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4784","title":{"rendered":"Active Directory Security Tip #13: Reviewing Foreign Security Principals (FSPs)"},"content":{"rendered":"\n

Review the membership of groups for accounts and groups from another Active Directory forest (technically another domain, but using forest here). These are called “Foreign Security Principals<\/a>” (FSPs) like the ones highlighted in the image. These FSPs are accounts that exist in another forest but have rights in the AD forest.

Any FSPs should be scrutinized and removed if not required. It’s important to review and strictly control these since they may be highly privileged. In this example, compromise of another AD forest (TRDNET) would result in compromise of the current AD forest (Trd.com). <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n


PowerShell script to scan privileged groups for FSPs<\/strong>:
https:\/\/github.com\/PyroTek3\/ActiveDirectory\/blob\/main\/Invoke-FindPrivilegedFSPs.ps1<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Review the membership of groups for accounts and groups from another Active Directory forest (technically another domain, but using forest here). These are called “Foreign Security Principals” (FSPs) like the ones highlighted in the image. These FSPs are accounts that exist in another forest but have rights in the AD forest. Any FSPs should be … <\/p>\n

Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,7,2],"tags":[20,1469,1533,1535,1534],"class_list":["post-4784","post","type-post","status-publish","format-standard","hentry","category-activedirectorysecurity","category-powershell","category-technical-reference","tag-activedirectory","tag-activedirectorysecuritytip","tag-foreignsecurityprincipals","tag-fsp","tag-fsps","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4784","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4784"}],"version-history":[{"count":4,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4784\/revisions"}],"predecessor-version":[{"id":4964,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4784\/revisions\/4964"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4784"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4784"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4784"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}