System Changed Directory Objects for Foreign Security Principals

Question

Why were changes to the directory objects for Foreign Security Principals reported as made by System?

Answer

This behavior is expected. The Foreign Security Principals container in Active Directory represent security principals from trusted domains external to the forest. It allows foreign security principals to become members of groups within the domain. The Foreign Security Principals objects are created automatically by Active Directory represented by System. Changes of foreignSecurityPrincipal objects reported as made by System are reported as intended.

For additional information on the Foreign Security Principals container and the Foreign Security Principals objects, refer to the following Microsoft articles: When to Create an External Trust and How Security Principals Work.