PrincipalSource Is Needed to Disambiguate Between Domain and Local Identities #4

@jessiewestlake

Description

You mention that PrincipalSource was removed and that it is unclear what its use is.

In an Active Directory domain-joined environment, the PrincipalSource property identifies whether the User/Group is Local or ActiveDirectory among, potentially, other sources.

This is important for querying and filtering logic in scripts, and also for ensuring the correct account is being referenced when performing operations, such as in a case where a local account/group could be created with the same name as an AD user/group. See the following example outputs of both versions of Get-LocalGroupMember.

Then, imagine a scenario where the computer/server name is the same as the domain name and you have yourself a real problem. Without the PrincipalSource property, you have to parse the SID to know what is what.

ObjectClass Name                             PrincipalSource
----------- ----                             ---------------
User        WIN19DB1\adminuser               Local
Group       CORP\East-Finance-Management_All ActiveDirectory
User        CORP\jamesdoe                    ActiveDirectory

versus

ObjectClass Name                             SID
----------- ----                             ---
User        WIN19DB1\adminuser               S-1-5-21-1900596688-9005915065-8082236634-500
Group       CORP\East-Finance-Management_All S-1-5-21-308883139-8676065911-314349800-606202
User        CORP\jamesdoe                    S-1-5-21-308883139-8676065911-314349800-254363
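The workaround the issue describes (parsing the SID when PrincipalSource is missing) can be scripted. The following is an added example, not code from the issue author or from the LocalAccounts module: it derives the machine SID from the built-in RID-500 account, then compares each member's SID prefix against it. It assumes a domain-joined host and treats every non-machine S-1-5-21 prefix as ActiveDirectory; SID formats it does not recognise (for example Azure AD or Microsoft account SIDs) are reported as Unknown rather than guessed.

```powershell
# Added example (not from the issue or the module): classify a group member's
# SID as Local or ActiveDirectory when the PrincipalSource property is absent.
# Assumptions: domain-joined Windows host; local Administrator (RID 500) exists.

function Get-SidDomainPrefix {
    param([Parameter(Mandatory)][string]$Sid)
    # S-1-5-21-X-Y-Z-RID: the first four subauthorities identify the issuing
    # domain or machine, the trailing RID identifies the principal within it.
    if ($Sid -match '^(S-1-5-21(?:-\d+){3})-\d+$') { return $Matches[1] }
    return $null
}

function Get-LocalMachineSidPrefix {
    # The built-in Administrator keeps RID 500 even when renamed, so its
    # SID prefix is the machine SID.
    $admin = Get-LocalUser |
        Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
    if (-not $admin) { throw 'Could not determine the local machine SID.' }
    return Get-SidDomainPrefix -Sid $admin.SID.Value
}

function Resolve-PrincipalSource {
    param(
        [Parameter(Mandatory)][string]$Sid,
        [Parameter(Mandatory)][string]$MachineSidPrefix
    )
    switch -Regex ($Sid) {
        '^S-1-5-32-\d+$' { return 'Local' }                 # BUILTIN aliases
        '^S-1-5-21(?:-\d+){4}$' {
            if ((Get-SidDomainPrefix -Sid $Sid) -eq $MachineSidPrefix) {
                return 'Local'
            }
            return 'ActiveDirectory'                        # another S-1-5-21 authority
        }
        default { return 'Unknown' }                        # e.g. S-1-12-1 (Azure AD)
    }
}

# Usage: annotate each member with a computed source so a local account that
# collides with a domain name (the issue's adminuser / jamesdoe case) can be
# filtered on SID origin rather than on the Name column alone.
$machinePrefix = Get-LocalMachineSidPrefix
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object ObjectClass, Name, SID,
        @{ Name = 'ComputedSource'
           Expression = { Resolve-PrincipalSource -Sid $_.SID.Value -MachineSidPrefix $machinePrefix } }
```

Run this in an elevated session; the machine SID lookup is the only step that depends on the host, so the classification functions can be unit-tested against literal SID strings such as the ones in the issue's second table.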
