If all of the following conditions are true, the subsequent constraint MUST be satisfied:
The dsname value does not resolve to an existing object in the domain NC.
The server is in a DC configuration, and the domain prefix of the SID value is not equal to any domain SID in the forest; or the server is in a non-DC configuration, and the value is different than the account domain security identifier.
A new object with the following characteristics MUST be created with the following attributes and values. The dsname value added to the member attribute MUST reference this object.
The SID value of the new dsname value.
The parent MUST be the well-known object container for foreign principal objects. (More information about this container is specified in [MS-ADTS] section 188.8.131.52.) There is no constraint on the relative distinguished name (RDN) value.
The default security descriptor for foreignSecurityPrincipal objects; the Owner and Group fields of the security descriptor value MUST be the Domain Admins SID from the domain in which the object is created.
If the groupType is GROUP_TYPE_SECURITY_ACCOUNT, all of the following constraints MUST be satisfied:
If the domain is in native mode, the member values MUST satisfy at least one of the following criteria:
The member value refers to a user account.
The member value refers to a group account whose groupType is GROUP_TYPE_SECURITY_ACCOUNT.
If the groupType is GROUP_TYPE_SECURITY_RESOURCE, all of the following constraints MUST be satisfied:
If the domain is in mixed mode, the member values MUST either refer to user objects (or objects derived from user) or refer to group objects whose groupType is GROUP_TYPE_SECURITY_ACCOUNT.
If the domain is in native mode, the constraint shown above is relaxed to include member values that refer to group objects whose groupType is GROUP_TYPE_SECURITY_RESOURCE.
If the groupType contains the GROUP_TYPE_UNIVERSAL_GROUP, each member value MUST satisfy at least one of the following conditions:
The value refers to a user object (or an object derived from user).
The value refers to a group object (or an object derived from group) with a groupType attribute that contains GROUP_TYPE_ACCOUNT_GROUP or GROUP_TYPE_UNIVERSAL_GROUP.