1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
samba-mirror/source4/setup/provision_users.ldif
Matthias Dieter Wallnöfer 90d6829f8a s4:Foreign security principals - Fix them up
I fixed them up to match with Windows Server 2003. I don't think that the
creation of them in the provision script is needed so I put them in the
"provision_users.ldif" file.
2009-09-07 08:37:25 +02:00

556 lines
16 KiB
Plaintext

# Add default primary groups (domain users, domain guests) - needed for
# the users to find valid primary groups (samldb module)
dn: CN=Domain Users,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: All domain users
objectSid: ${DOMAINSID}-513
sAMAccountName: Domain Users
isCriticalSystemObject: TRUE
dn: CN=Domain Guests,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: All domain guests
objectSid: ${DOMAINSID}-514
sAMAccountName: Domain Guests
isCriticalSystemObject: TRUE
# Add users
dn: CN=Administrator,CN=Users,${DOMAINDN}
objectClass: user
description: Built-in account for administering the computer/domain
userAccountControl: 66048
objectSid: ${DOMAINSID}-500
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: Administrator
userPassword:: ${ADMINPASS_B64}
isCriticalSystemObject: TRUE
dn: CN=Guest,CN=Users,${DOMAINDN}
objectClass: user
description: Built-in account for guest access to the computer/domain
userAccountControl: 66082
primaryGroupID: 514
objectSid: ${DOMAINSID}-501
sAMAccountName: Guest
isCriticalSystemObject: TRUE
dn: CN=krbtgt,CN=Users,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
description: Key Distribution Center Service Account
showInAdvancedViewOnly: TRUE
userAccountControl: 514
objectSid: ${DOMAINSID}-502
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: krbtgt
servicePrincipalName: kadmin/changepw
userPassword:: ${KRBTGTPASS_B64}
isCriticalSystemObject: TRUE
# Add other groups
dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Designated administrators of the enterprise
member: CN=Administrator,CN=Users,${DOMAINDN}
objectSid: ${DOMAINSID}-519
adminCount: 1
sAMAccountName: Enterprise Admins
isCriticalSystemObject: TRUE
dn: CN=Domain Computers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: All workstations and servers joined to the domain
objectSid: ${DOMAINSID}-515
sAMAccountName: Domain Computers
isCriticalSystemObject: TRUE
dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: All domain controllers in the domain
objectSid: ${DOMAINSID}-516
adminCount: 1
sAMAccountName: Domain Controllers
isCriticalSystemObject: TRUE
dn: CN=Schema Admins,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Designated administrators of the schema
member: CN=Administrator,CN=Users,${DOMAINDN}
objectSid: ${DOMAINSID}-518
adminCount: 1
sAMAccountName: Schema Admins
isCriticalSystemObject: TRUE
dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group are permitted to publish certificates to the Active Directory
groupType: -2147483644
objectSid: ${DOMAINSID}-517
sAMAccountName: Cert Publishers
isCriticalSystemObject: TRUE
dn: CN=Domain Admins,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Designated administrators of the domain
member: CN=Administrator,CN=Users,${DOMAINDN}
objectSid: ${DOMAINSID}-512
adminCount: 1
sAMAccountName: Domain Admins
isCriticalSystemObject: TRUE
dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Members in this group can modify group policy for the domain
member: CN=Administrator,CN=Users,${DOMAINDN}
objectSid: ${DOMAINSID}-520
sAMAccountName: Group Policy Creator Owners
isCriticalSystemObject: TRUE
dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Servers in this group can access remote access properties of users
objectSid: ${DOMAINSID}-553
sAMAccountName: RAS and IAS Servers
groupType: -2147483644
isCriticalSystemObject: TRUE
dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: read-only domain controllers
objectSid: ${DOMAINSID}-521
sAMAccountName: Read-Only Domain Controllers
groupType: -2147483644
isCriticalSystemObject: TRUE
dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: enterprise read-only domain controllers
objectSid: ${DOMAINSID}-498
sAMAccountName: Enterprise Read-Only Domain Controllers
groupType: -2147483644
isCriticalSystemObject: TRUE
dn: CN=Certificate Service DCOM Access,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Certificate Service DCOM Access
objectSid: ${DOMAINSID}-574
sAMAccountName: Certificate Service DCOM Access
groupType: -2147483644
isCriticalSystemObject: TRUE
dn: CN=Cryptographic Operators,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Cryptographic Operators
objectSid: ${DOMAINSID}-569
sAMAccountName: Cryptographic Operators
groupType: -2147483644
isCriticalSystemObject: TRUE
dn: CN=Event Log Readers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Event Log Readers
objectSid: ${DOMAINSID}-573
sAMAccountName: Event Log Readers
groupType: -2147483644
isCriticalSystemObject: TRUE
# Add foreign security principals
dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-4
dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-9
dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-11
dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-20
# Add builtin objects
dn: CN=Administrators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Administrators have complete and unrestricted access to the computer/domain
member: CN=Domain Admins,CN=Users,${DOMAINDN}
member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
member: CN=Administrator,CN=Users,${DOMAINDN}
objectSid: S-1-5-32-544
adminCount: 1
sAMAccountName: Administrators
systemFlags: -1946157056
groupType: -2147483643
privilege: SeSecurityPrivilege
privilege: SeBackupPrivilege
privilege: SeRestorePrivilege
privilege: SeSystemtimePrivilege
privilege: SeShutdownPrivilege
privilege: SeRemoteShutdownPrivilege
privilege: SeTakeOwnershipPrivilege
privilege: SeDebugPrivilege
privilege: SeSystemEnvironmentPrivilege
privilege: SeSystemProfilePrivilege
privilege: SeProfileSingleProcessPrivilege
privilege: SeIncreaseBasePriorityPrivilege
privilege: SeLoadDriverPrivilege
privilege: SeCreatePagefilePrivilege
privilege: SeIncreaseQuotaPrivilege
privilege: SeChangeNotifyPrivilege
privilege: SeUndockPrivilege
privilege: SeManageVolumePrivilege
privilege: SeImpersonatePrivilege
privilege: SeCreateGlobalPrivilege
privilege: SeEnableDelegationPrivilege
privilege: SeInteractiveLogonRight
privilege: SeNetworkLogonRight
privilege: SeRemoteInteractiveLogonRight
isCriticalSystemObject: TRUE
dn: CN=Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
member: CN=Domain Users,CN=Users,${DOMAINDN}
member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-545
sAMAccountName: Users
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Guests,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
member: CN=Domain Guests,CN=Users,${DOMAINDN}
member: CN=Guest,CN=Users,${DOMAINDN}
objectSid: S-1-5-32-546
sAMAccountName: Guests
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members can administer domain printers
objectSid: S-1-5-32-550
adminCount: 1
sAMAccountName: Print Operators
systemFlags: -1946157056
groupType: -2147483643
privilege: SeLoadDriverPrivilege
privilege: SeShutdownPrivilege
privilege: SeInteractiveLogonRight
isCriticalSystemObject: TRUE
dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
objectSid: S-1-5-32-551
adminCount: 1
sAMAccountName: Backup Operators
systemFlags: -1946157056
groupType: -2147483643
privilege: SeBackupPrivilege
privilege: SeRestorePrivilege
privilege: SeShutdownPrivilege
privilege: SeInteractiveLogonRight
isCriticalSystemObject: TRUE
dn: CN=Replicator,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Supports file replication in a domain
objectSid: S-1-5-32-552
adminCount: 1
sAMAccountName: Replicator
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members in this group are granted the right to logon remotely
objectSid: S-1-5-32-555
sAMAccountName: Remote Desktop Users
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Network Configuration Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members in this group can have some administrative privileges to manage configuration of networking features
objectSid: S-1-5-32-556
sAMAccountName: Network Configuration Operators
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group have remote access to monitor this computer
objectSid: S-1-5-32-558
sAMAccountName: Performance Monitor Users
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group have remote access to schedule logging of performance counters on this computer
member: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-559
sAMAccountName: Performance Log Users
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members can administer domain servers
objectSid: S-1-5-32-549
adminCount: 1
sAMAccountName: Server Operators
systemFlags: -1946157056
groupType: -2147483643
privilege: SeBackupPrivilege
privilege: SeSystemtimePrivilege
privilege: SeRemoteShutdownPrivilege
privilege: SeRestorePrivilege
privilege: SeShutdownPrivilege
privilege: SeInteractiveLogonRight
isCriticalSystemObject: TRUE
dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members can administer domain user and group accounts
objectSid: S-1-5-32-548
adminCount: 1
sAMAccountName: Account Operators
systemFlags: -1946157056
groupType: -2147483643
privilege: SeInteractiveLogonRight
isCriticalSystemObject: TRUE
dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: A backward compatibility group which allows read access on all users and groups in the domain
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-554
sAMAccountName: Pre-Windows 2000 Compatible Access
systemFlags: -1946157056
groupType: -2147483643
privilege: SeRemoteInteractiveLogonRight
privilege: SeChangeNotifyPrivilege
isCriticalSystemObject: TRUE
dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group can create incoming, one-way trusts to this forest
objectSid: S-1-5-32-557
sAMAccountName: Incoming Forest Trust Builders
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-560
sAMAccountName: Windows Authorization Access Group
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Terminal Server License Servers
objectSid: S-1-5-32-561
sAMAccountName: Terminal Server License Servers
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
objectSid: S-1-5-32-562
sAMAccountName: Distributed COM Users
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
# Add well known security principals
dn: CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: container
systemFlags: -2147483648
dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-7
dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-11
dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-3
dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-3-1
dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-3-0
dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-1
dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-64-21
dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-9
dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-1-0
dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-4
dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-19
dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-2
dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-20
dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-64-10
dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-1000
dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-8
dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-14
dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-12
dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-64-14
dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-10
dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-6
dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-13
dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-15
dn: CN=Well-Known-Security-Id-System,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-18