2009-10-02 15:21:17 +02:00
# Add default primary groups (domain users, domain guests, domain computers &
# domain controllers) - needed for the users to find valid primary groups
# (samldb module)
2009-08-26 03:51:45 +02:00
dn: CN=Domain Users,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: All domain users
objectSid: ${DOMAINSID}-513
sAMAccountName: Domain Users
isCriticalSystemObject: TRUE
dn: CN=Domain Guests,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: All domain guests
objectSid: ${DOMAINSID}-514
sAMAccountName: Domain Guests
isCriticalSystemObject: TRUE
2009-10-02 15:21:17 +02:00
dn: CN=Domain Computers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: All workstations and servers joined to the domain
objectSid: ${DOMAINSID}-515
sAMAccountName: Domain Computers
isCriticalSystemObject: TRUE
dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: All domain controllers in the domain
objectSid: ${DOMAINSID}-516
adminCount: 1
sAMAccountName: Domain Controllers
isCriticalSystemObject: TRUE
2009-08-26 03:51:45 +02:00
# Add users
2007-01-05 17:40:43 +00:00
dn: CN=Administrator,CN=Users,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectClass: user
description: Built-in account for administering the computer/domain
2010-05-13 11:22:43 +02:00
userAccountControl: 512
2005-07-27 00:23:09 +00:00
objectSid: ${DOMAINSID}-500
adminCount: 1
2008-03-06 05:56:49 -06:00
accountExpires: 9223372036854775807
2005-07-27 00:23:09 +00:00
sAMAccountName: Administrator
2010-11-09 13:22:00 +01:00
clearTextPassword:: ${ADMINPASS_B64}
2009-07-10 12:48:18 +02:00
isCriticalSystemObject: TRUE
2005-07-27 00:23:09 +00:00
2007-01-05 17:40:43 +00:00
dn: CN=Guest,CN=Users,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectClass: user
description: Built-in account for guest access to the computer/domain
2006-06-12 20:00:18 +00:00
userAccountControl: 66082
2005-07-27 00:23:09 +00:00
primaryGroupID: 514
objectSid: ${DOMAINSID}-501
sAMAccountName: Guest
isCriticalSystemObject: TRUE
2007-11-07 05:35:16 +01:00
dn: CN=krbtgt,CN=Users,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
description: Key Distribution Center Service Account
showInAdvancedViewOnly: TRUE
userAccountControl: 514
objectSid: ${DOMAINSID}-502
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: krbtgt
servicePrincipalName: kadmin/changepw
2010-11-09 13:22:00 +01:00
clearTextPassword:: ${KRBTGTPASS_B64}
2009-07-10 12:48:18 +02:00
isCriticalSystemObject: TRUE
2007-11-07 05:35:16 +01:00
2009-08-26 03:51:45 +02:00
# Add other groups
2010-05-13 11:13:26 +02:00
dn: CN=Enterprise Read-only Domain Controllers,CN=Users,${DOMAINDN}
2009-08-26 03:51:45 +02:00
objectClass: top
objectClass: group
2010-01-11 21:57:32 +01:00
description: Members of this group are Read-Only Domain Controllers in the enterprise
2010-01-11 21:44:18 +01:00
objectSid: ${DOMAINSID}-498
2017-08-02 12:52:22 +12:00
sAMAccountName: Enterprise Read-only Domain Controllers
2010-01-11 21:57:32 +01:00
groupType: -2147483640
2009-08-26 03:51:45 +02:00
isCriticalSystemObject: TRUE
2010-01-11 21:44:18 +01:00
dn: CN=Domain Admins,CN=Users,${DOMAINDN}
2007-11-07 05:35:16 +01:00
objectClass: top
objectClass: group
2010-01-11 21:44:18 +01:00
description: Designated administrators of the domain
2007-11-07 05:35:16 +01:00
member: CN=Administrator,CN=Users,${DOMAINDN}
2010-01-11 21:44:18 +01:00
objectSid: ${DOMAINSID}-512
2007-11-07 05:35:16 +01:00
adminCount: 1
2010-01-11 21:44:18 +01:00
sAMAccountName: Domain Admins
2007-11-07 05:35:16 +01:00
isCriticalSystemObject: TRUE
dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
2010-05-13 11:13:26 +02:00
description: Members of this group are permitted to publish certificates to the directory
2007-11-07 05:35:16 +01:00
objectSid: ${DOMAINSID}-517
sAMAccountName: Cert Publishers
2010-01-11 21:57:32 +01:00
groupType: -2147483644
2007-11-07 05:35:16 +01:00
isCriticalSystemObject: TRUE
2010-01-11 21:44:18 +01:00
dn: CN=Schema Admins,CN=Users,${DOMAINDN}
2007-11-07 05:35:16 +01:00
objectClass: top
objectClass: group
2010-01-11 21:44:18 +01:00
description: Designated administrators of the schema
2007-11-07 05:35:16 +01:00
member: CN=Administrator,CN=Users,${DOMAINDN}
2010-01-11 21:44:18 +01:00
objectSid: ${DOMAINSID}-518
2007-11-07 05:35:16 +01:00
adminCount: 1
2010-01-11 21:44:18 +01:00
sAMAccountName: Schema Admins
2010-01-11 21:57:32 +01:00
groupType: -2147483640
2007-11-07 05:35:16 +01:00
isCriticalSystemObject: TRUE
2010-01-11 21:44:18 +01:00
dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
2007-11-07 05:35:16 +01:00
objectClass: top
objectClass: group
2010-01-11 21:44:18 +01:00
description: Designated administrators of the enterprise
2007-11-07 05:35:16 +01:00
member: CN=Administrator,CN=Users,${DOMAINDN}
2010-01-11 21:44:18 +01:00
objectSid: ${DOMAINSID}-519
adminCount: 1
sAMAccountName: Enterprise Admins
2010-01-11 21:57:32 +01:00
groupType: -2147483640
2007-11-07 05:35:16 +01:00
isCriticalSystemObject: TRUE
2010-01-11 21:44:18 +01:00
dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
2007-11-07 05:35:16 +01:00
objectClass: top
objectClass: group
2010-06-24 09:14:24 +02:00
description: Members in this group can modify group policy for the domain
2010-01-11 21:44:18 +01:00
member: CN=Administrator,CN=Users,${DOMAINDN}
objectSid: ${DOMAINSID}-520
sAMAccountName: Group Policy Creator Owners
2007-11-07 05:35:16 +01:00
isCriticalSystemObject: TRUE
2010-05-13 11:13:26 +02:00
dn: CN=Read-only Domain Controllers,CN=Users,${DOMAINDN}
2008-09-29 16:01:07 -07:00
objectClass: top
objectClass: group
2010-01-11 21:57:32 +01:00
description: Members of this group are Read-Only Domain Controllers in the domain
2008-09-29 16:01:07 -07:00
objectSid: ${DOMAINSID}-521
2010-01-11 21:57:32 +01:00
adminCount: 1
2017-08-02 12:52:22 +12:00
sAMAccountName: Read-only Domain Controllers
2008-09-29 16:01:07 -07:00
isCriticalSystemObject: TRUE
2010-01-11 21:44:18 +01:00
dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
2008-09-29 16:01:07 -07:00
objectClass: top
objectClass: group
2010-01-11 21:44:18 +01:00
description: Servers in this group can access remote access properties of users
objectSid: ${DOMAINSID}-553
sAMAccountName: RAS and IAS Servers
2008-09-29 16:01:07 -07:00
groupType: -2147483644
isCriticalSystemObject: TRUE
2010-01-11 22:01:42 +01:00
dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
2010-05-13 11:13:26 +02:00
description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain
2010-01-11 22:01:42 +01:00
objectSid: ${DOMAINSID}-571
sAMAccountName: Allowed RODC Password Replication Group
groupType: -2147483644
isCriticalSystemObject: TRUE
dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
2010-05-13 11:13:26 +02:00
description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
member: CN=Read-only Domain Controllers,CN=Users,${DOMAINDN}
2010-01-11 22:01:42 +01:00
member: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
member: CN=Domain Admins,CN=Users,${DOMAINDN}
member: CN=Cert Publishers,CN=Users,${DOMAINDN}
member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
member: CN=Schema Admins,CN=Users,${DOMAINDN}
member: CN=Domain Controllers,CN=Users,${DOMAINDN}
member: CN=krbtgt,CN=Users,${DOMAINDN}
objectSid: ${DOMAINSID}-572
sAMAccountName: Denied RODC Password Replication Group
groupType: -2147483644
isCriticalSystemObject: TRUE
2022-02-01 21:04:40 +13:00
dn: CN=Protected Users,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group are afforded additional protections against authentication security threats
objectSid: ${DOMAINSID}-525
sAMAccountName: Protected Users
groupType: -2147483646
isCriticalSystemObject: TRUE
2010-01-13 17:39:28 +01:00
# NOTICE: Some other users and groups which rely on automatic SIDs are located
# in "provision_self_join_modify.ldif"
2009-09-06 19:57:50 +02:00
# Add foreign security principals
dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-4
dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-9
dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-11
2010-01-10 14:20:09 +01:00
dn: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-17
2009-09-06 19:57:50 +02:00
# Add builtin objects
2007-01-05 17:40:43 +00:00
dn: CN=Administrators,CN=Builtin,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectClass: top
objectClass: group
description: Administrators have complete and unrestricted access to the computer/domain
2007-01-05 17:40:43 +00:00
member: CN=Domain Admins,CN=Users,${DOMAINDN}
member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
member: CN=Administrator,CN=Users,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectSid: S-1-5-32-544
adminCount: 1
sAMAccountName: Administrators
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2009-07-10 12:48:18 +02:00
isCriticalSystemObject: TRUE
2005-07-27 00:23:09 +00:00
2007-01-05 17:40:43 +00:00
dn: CN=Users,CN=Builtin,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectClass: top
objectClass: group
2010-05-13 11:13:26 +02:00
description: Users are prevented from making accidental or intentional system-wide changes and can run most applications
2007-01-05 17:40:43 +00:00
member: CN=Domain Users,CN=Users,${DOMAINDN}
2009-09-06 19:57:50 +02:00
member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectSid: S-1-5-32-545
sAMAccountName: Users
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2005-07-27 00:23:09 +00:00
isCriticalSystemObject: TRUE
2007-01-05 17:40:43 +00:00
dn: CN=Guests,CN=Builtin,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectClass: top
objectClass: group
description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
2007-01-05 17:40:43 +00:00
member: CN=Domain Guests,CN=Users,${DOMAINDN}
member: CN=Guest,CN=Users,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectSid: S-1-5-32-546
sAMAccountName: Guests
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2005-07-27 00:23:09 +00:00
isCriticalSystemObject: TRUE
2010-01-11 21:44:18 +01:00
dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members can administer domain user and group accounts
objectSid: S-1-5-32-548
adminCount: 1
sAMAccountName: Account Operators
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members can administer domain servers
objectSid: S-1-5-32-549
adminCount: 1
sAMAccountName: Server Operators
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
2007-01-05 17:40:43 +00:00
dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectClass: top
objectClass: group
description: Members can administer domain printers
objectSid: S-1-5-32-550
adminCount: 1
sAMAccountName: Print Operators
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2009-07-10 12:48:18 +02:00
isCriticalSystemObject: TRUE
2005-07-27 00:23:09 +00:00
2007-01-05 17:40:43 +00:00
dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectClass: top
objectClass: group
description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
objectSid: S-1-5-32-551
adminCount: 1
sAMAccountName: Backup Operators
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2009-07-10 12:48:18 +02:00
isCriticalSystemObject: TRUE
2005-07-27 00:23:09 +00:00
2007-01-05 17:40:43 +00:00
dn: CN=Replicator,CN=Builtin,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectClass: top
objectClass: group
description: Supports file replication in a domain
objectSid: S-1-5-32-552
adminCount: 1
sAMAccountName: Replicator
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2005-07-27 00:23:09 +00:00
isCriticalSystemObject: TRUE
2010-01-11 21:44:18 +01:00
dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: A backward compatibility group which allows read access on all users and groups in the domain
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-554
sAMAccountName: Pre-Windows 2000 Compatible Access
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
2007-01-05 17:40:43 +00:00
dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectClass: top
objectClass: group
description: Members in this group are granted the right to logon remotely
objectSid: S-1-5-32-555
sAMAccountName: Remote Desktop Users
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2005-07-27 00:23:09 +00:00
isCriticalSystemObject: TRUE
2007-01-05 17:40:43 +00:00
dn: CN=Network Configuration Operators,CN=Builtin,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectClass: top
objectClass: group
description: Members in this group can have some administrative privileges to manage configuration of networking features
objectSid: S-1-5-32-556
sAMAccountName: Network Configuration Operators
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2005-07-27 00:23:09 +00:00
isCriticalSystemObject: TRUE
2010-01-11 21:44:18 +01:00
dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group can create incoming, one-way trusts to this forest
objectSid: S-1-5-32-557
sAMAccountName: Incoming Forest Trust Builders
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
2007-01-05 17:40:43 +00:00
dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectClass: top
objectClass: group
2010-05-13 11:13:26 +02:00
description: Members of this group can access performance counter data locally and remotely
2005-07-27 00:23:09 +00:00
objectSid: S-1-5-32-558
sAMAccountName: Performance Monitor Users
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2005-07-27 00:23:09 +00:00
isCriticalSystemObject: TRUE
2007-01-05 17:40:43 +00:00
dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
2005-07-27 00:23:09 +00:00
objectClass: top
objectClass: group
2010-05-13 11:13:26 +02:00
description: Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
2005-07-27 00:23:09 +00:00
objectSid: S-1-5-32-559
sAMAccountName: Performance Log Users
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2005-07-27 00:23:09 +00:00
isCriticalSystemObject: TRUE
2007-08-27 02:26:24 +00:00
dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
2009-09-06 19:57:50 +02:00
member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
2007-08-27 02:26:24 +00:00
objectSid: S-1-5-32-560
sAMAccountName: Windows Authorization Access Group
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2007-08-27 02:26:24 +00:00
isCriticalSystemObject: TRUE
dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
2010-05-13 11:13:26 +02:00
description: Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage
2007-08-27 02:26:24 +00:00
objectSid: S-1-5-32-561
sAMAccountName: Terminal Server License Servers
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2007-08-27 02:26:24 +00:00
isCriticalSystemObject: TRUE
dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
objectSid: S-1-5-32-562
sAMAccountName: Distributed COM Users
2009-06-30 13:54:45 +02:00
systemFlags: -1946157056
2008-08-22 21:26:32 +10:00
groupType: -2147483643
2007-08-27 02:26:24 +00:00
isCriticalSystemObject: TRUE
2010-01-10 14:20:09 +01:00
dn: CN=IIS_IUSRS,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
2010-05-13 11:13:26 +02:00
description: Built-in group used by Internet Information Services.
2010-01-10 14:20:09 +01:00
member: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-568
sAMAccountName: IIS_IUSRS
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
2010-01-11 22:12:01 +01:00
dn: CN=Cryptographic Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members are authorized to perform cryptographic operations.
objectSid: S-1-5-32-569
sAMAccountName: Cryptographic Operators
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Event Log Readers,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
2010-05-13 11:13:26 +02:00
description: Members of this group can read event logs from local machine
2010-01-11 22:12:01 +01:00
objectSid: S-1-5-32-573
sAMAccountName: Event Log Readers
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Certificate Service DCOM Access,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
2010-05-13 11:13:26 +02:00
description: Members of this group are allowed to connect to Certification Authorities in the enterprise
2010-01-11 22:12:01 +01:00
objectSid: S-1-5-32-574
sAMAccountName: Certificate Service DCOM Access
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
