1 # Add default primary groups (domain users, domain guests, domain computers &
2 # domain controllers) - needed for the users to find valid primary groups
5 dn: CN=Domain Users,CN=Users,${DOMAINDN}
8 description: All domain users
9 objectSid: ${DOMAINSID}-513
10 sAMAccountName: Domain Users
11 isCriticalSystemObject: TRUE
13 dn: CN=Domain Guests,CN=Users,${DOMAINDN}
16 description: All domain guests
17 objectSid: ${DOMAINSID}-514
18 sAMAccountName: Domain Guests
19 isCriticalSystemObject: TRUE
21 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
24 description: All workstations and servers joined to the domain
25 objectSid: ${DOMAINSID}-515
26 sAMAccountName: Domain Computers
27 isCriticalSystemObject: TRUE
29 dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
32 description: All domain controllers in the domain
33 objectSid: ${DOMAINSID}-516
35 sAMAccountName: Domain Controllers
36 isCriticalSystemObject: TRUE
40 dn: CN=Administrator,CN=Users,${DOMAINDN}
42 description: Built-in account for administering the computer/domain
43 userAccountControl: 512
44 objectSid: ${DOMAINSID}-500
46 accountExpires: 9223372036854775807
47 sAMAccountName: Administrator
48 clearTextPassword:: ${ADMINPASS_B64}
49 isCriticalSystemObject: TRUE
51 dn: CN=Guest,CN=Users,${DOMAINDN}
53 description: Built-in account for guest access to the computer/domain
54 userAccountControl: 66082
56 objectSid: ${DOMAINSID}-501
58 isCriticalSystemObject: TRUE
60 dn: CN=krbtgt,CN=Users,${DOMAINDN}
63 objectClass: organizationalPerson
65 description: Key Distribution Center Service Account
66 showInAdvancedViewOnly: TRUE
67 userAccountControl: 514
68 objectSid: ${DOMAINSID}-502
70 accountExpires: 9223372036854775807
71 sAMAccountName: krbtgt
72 servicePrincipalName: kadmin/changepw
73 clearTextPassword:: ${KRBTGTPASS_B64}
74 isCriticalSystemObject: TRUE
78 dn: CN=Enterprise Read-only Domain Controllers,CN=Users,${DOMAINDN}
81 description: Members of this group are Read-Only Domain Controllers in the enterprise
82 objectSid: ${DOMAINSID}-498
83 sAMAccountName: Enterprise Read-only Domain Controllers
84 groupType: -2147483640
85 isCriticalSystemObject: TRUE
87 dn: CN=Domain Admins,CN=Users,${DOMAINDN}
90 description: Designated administrators of the domain
91 member: CN=Administrator,CN=Users,${DOMAINDN}
92 objectSid: ${DOMAINSID}-512
94 sAMAccountName: Domain Admins
95 isCriticalSystemObject: TRUE
97 dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
100 description: Members of this group are permitted to publish certificates to the directory
101 objectSid: ${DOMAINSID}-517
102 sAMAccountName: Cert Publishers
103 groupType: -2147483644
104 isCriticalSystemObject: TRUE
106 dn: CN=Schema Admins,CN=Users,${DOMAINDN}
109 description: Designated administrators of the schema
110 member: CN=Administrator,CN=Users,${DOMAINDN}
111 objectSid: ${DOMAINSID}-518
113 sAMAccountName: Schema Admins
114 groupType: -2147483640
115 isCriticalSystemObject: TRUE
117 dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
120 description: Designated administrators of the enterprise
121 member: CN=Administrator,CN=Users,${DOMAINDN}
122 objectSid: ${DOMAINSID}-519
124 sAMAccountName: Enterprise Admins
125 groupType: -2147483640
126 isCriticalSystemObject: TRUE
128 dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
131 description: Members in this group can modify group policy for the domain
132 member: CN=Administrator,CN=Users,${DOMAINDN}
133 objectSid: ${DOMAINSID}-520
134 sAMAccountName: Group Policy Creator Owners
135 isCriticalSystemObject: TRUE
137 dn: CN=Read-only Domain Controllers,CN=Users,${DOMAINDN}
140 description: Members of this group are Read-Only Domain Controllers in the domain
141 objectSid: ${DOMAINSID}-521
143 sAMAccountName: Read-only Domain Controllers
144 isCriticalSystemObject: TRUE
146 dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
149 description: Servers in this group can access remote access properties of users
150 objectSid: ${DOMAINSID}-553
151 sAMAccountName: RAS and IAS Servers
152 groupType: -2147483644
153 isCriticalSystemObject: TRUE
155 dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN}
158 description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain
159 objectSid: ${DOMAINSID}-571
160 sAMAccountName: Allowed RODC Password Replication Group
161 groupType: -2147483644
162 isCriticalSystemObject: TRUE
164 dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN}
167 description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
168 member: CN=Read-only Domain Controllers,CN=Users,${DOMAINDN}
169 member: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
170 member: CN=Domain Admins,CN=Users,${DOMAINDN}
171 member: CN=Cert Publishers,CN=Users,${DOMAINDN}
172 member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
173 member: CN=Schema Admins,CN=Users,${DOMAINDN}
174 member: CN=Domain Controllers,CN=Users,${DOMAINDN}
175 member: CN=krbtgt,CN=Users,${DOMAINDN}
176 objectSid: ${DOMAINSID}-572
177 sAMAccountName: Denied RODC Password Replication Group
178 groupType: -2147483644
179 isCriticalSystemObject: TRUE
181 # NOTICE: Some other users and groups which rely on automatic SIDs are located
182 # in "provision_self_join_modify.ldif"
184 # Add foreign security principals
186 dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
188 objectClass: foreignSecurityPrincipal
191 dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
193 objectClass: foreignSecurityPrincipal
196 dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
198 objectClass: foreignSecurityPrincipal
201 dn: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
203 objectClass: foreignSecurityPrincipal
206 # Add builtin objects
208 dn: CN=Administrators,CN=Builtin,${DOMAINDN}
211 description: Administrators have complete and unrestricted access to the computer/domain
212 member: CN=Domain Admins,CN=Users,${DOMAINDN}
213 member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
214 member: CN=Administrator,CN=Users,${DOMAINDN}
215 objectSid: S-1-5-32-544
217 sAMAccountName: Administrators
218 systemFlags: -1946157056
219 groupType: -2147483643
220 isCriticalSystemObject: TRUE
222 dn: CN=Users,CN=Builtin,${DOMAINDN}
225 description: Users are prevented from making accidental or intentional system-wide changes and can run most applications
226 member: CN=Domain Users,CN=Users,${DOMAINDN}
227 member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
228 member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
229 objectSid: S-1-5-32-545
230 sAMAccountName: Users
231 systemFlags: -1946157056
232 groupType: -2147483643
233 isCriticalSystemObject: TRUE
235 dn: CN=Guests,CN=Builtin,${DOMAINDN}
238 description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
239 member: CN=Domain Guests,CN=Users,${DOMAINDN}
240 member: CN=Guest,CN=Users,${DOMAINDN}
241 objectSid: S-1-5-32-546
242 sAMAccountName: Guests
243 systemFlags: -1946157056
244 groupType: -2147483643
245 isCriticalSystemObject: TRUE
247 dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
250 description: Members can administer domain user and group accounts
251 objectSid: S-1-5-32-548
253 sAMAccountName: Account Operators
254 systemFlags: -1946157056
255 groupType: -2147483643
256 isCriticalSystemObject: TRUE
258 dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
261 description: Members can administer domain servers
262 objectSid: S-1-5-32-549
264 sAMAccountName: Server Operators
265 systemFlags: -1946157056
266 groupType: -2147483643
267 isCriticalSystemObject: TRUE
269 dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
272 description: Members can administer domain printers
273 objectSid: S-1-5-32-550
275 sAMAccountName: Print Operators
276 systemFlags: -1946157056
277 groupType: -2147483643
278 isCriticalSystemObject: TRUE
280 dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
283 description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
284 objectSid: S-1-5-32-551
286 sAMAccountName: Backup Operators
287 systemFlags: -1946157056
288 groupType: -2147483643
289 isCriticalSystemObject: TRUE
291 dn: CN=Replicator,CN=Builtin,${DOMAINDN}
294 description: Supports file replication in a domain
295 objectSid: S-1-5-32-552
297 sAMAccountName: Replicator
298 systemFlags: -1946157056
299 groupType: -2147483643
300 isCriticalSystemObject: TRUE
302 dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
305 description: A backward compatibility group which allows read access on all users and groups in the domain
306 member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
307 objectSid: S-1-5-32-554
308 sAMAccountName: Pre-Windows 2000 Compatible Access
309 systemFlags: -1946157056
310 groupType: -2147483643
311 isCriticalSystemObject: TRUE
313 dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
316 description: Members in this group are granted the right to logon remotely
317 objectSid: S-1-5-32-555
318 sAMAccountName: Remote Desktop Users
319 systemFlags: -1946157056
320 groupType: -2147483643
321 isCriticalSystemObject: TRUE
323 dn: CN=Network Configuration Operators,CN=Builtin,${DOMAINDN}
326 description: Members in this group can have some administrative privileges to manage configuration of networking features
327 objectSid: S-1-5-32-556
328 sAMAccountName: Network Configuration Operators
329 systemFlags: -1946157056
330 groupType: -2147483643
331 isCriticalSystemObject: TRUE
333 dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
336 description: Members of this group can create incoming, one-way trusts to this forest
337 objectSid: S-1-5-32-557
338 sAMAccountName: Incoming Forest Trust Builders
339 systemFlags: -1946157056
340 groupType: -2147483643
341 isCriticalSystemObject: TRUE
343 dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
346 description: Members of this group can access performance counter data locally and remotely
347 objectSid: S-1-5-32-558
348 sAMAccountName: Performance Monitor Users
349 systemFlags: -1946157056
350 groupType: -2147483643
351 isCriticalSystemObject: TRUE
353 dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
356 description: Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
357 objectSid: S-1-5-32-559
358 sAMAccountName: Performance Log Users
359 systemFlags: -1946157056
360 groupType: -2147483643
361 isCriticalSystemObject: TRUE
363 dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
366 description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
367 member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
368 objectSid: S-1-5-32-560
369 sAMAccountName: Windows Authorization Access Group
370 systemFlags: -1946157056
371 groupType: -2147483643
372 isCriticalSystemObject: TRUE
374 dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
377 description: Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage
378 objectSid: S-1-5-32-561
379 sAMAccountName: Terminal Server License Servers
380 systemFlags: -1946157056
381 groupType: -2147483643
382 isCriticalSystemObject: TRUE
384 dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
387 description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
388 objectSid: S-1-5-32-562
389 sAMAccountName: Distributed COM Users
390 systemFlags: -1946157056
391 groupType: -2147483643
392 isCriticalSystemObject: TRUE
394 dn: CN=IIS_IUSRS,CN=Builtin,${DOMAINDN}
397 description: Built-in group used by Internet Information Services.
398 member: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
399 objectSid: S-1-5-32-568
400 sAMAccountName: IIS_IUSRS
401 systemFlags: -1946157056
402 groupType: -2147483643
403 isCriticalSystemObject: TRUE
405 dn: CN=Cryptographic Operators,CN=Builtin,${DOMAINDN}
408 description: Members are authorized to perform cryptographic operations.
409 objectSid: S-1-5-32-569
410 sAMAccountName: Cryptographic Operators
411 systemFlags: -1946157056
412 groupType: -2147483643
413 isCriticalSystemObject: TRUE
415 dn: CN=Event Log Readers,CN=Builtin,${DOMAINDN}
418 description: Members of this group can read event logs from local machine
419 objectSid: S-1-5-32-573
420 sAMAccountName: Event Log Readers
421 systemFlags: -1946157056
422 groupType: -2147483643
423 isCriticalSystemObject: TRUE
425 dn: CN=Certificate Service DCOM Access,CN=Builtin,${DOMAINDN}
428 description: Members of this group are allowed to connect to Certification Authorities in the enterprise
429 objectSid: S-1-5-32-574
430 sAMAccountName: Certificate Service DCOM Access
431 systemFlags: -1946157056
432 groupType: -2147483643
433 isCriticalSystemObject: TRUE