1 # Add the default primary groups (Domain Users, Domain Guests) - needed so
2 # that the user objects below can be given a valid primary group (samldb module)
4 dn: CN=Domain Users,CN=Users,${DOMAINDN}
7 description: All domain users
8 objectSid: ${DOMAINSID}-513
9 sAMAccountName: Domain Users
10 isCriticalSystemObject: TRUE
12 dn: CN=Domain Guests,CN=Users,${DOMAINDN}
15 description: All domain guests
16 objectSid: ${DOMAINSID}-514
17 sAMAccountName: Domain Guests
18 isCriticalSystemObject: TRUE
# Built-in domain administrator (RID 500). userAccountControl 66048 is
# 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, and accountExpires
# 0x7FFFFFFFFFFFFFFF means the account never expires. The initial password is
# substituted from ${ADMINPASS_B64} at provision time ("::" marks a base64 value).
22 dn: CN=Administrator,CN=Users,${DOMAINDN}
24 description: Built-in account for administering the computer/domain
25 userAccountControl: 66048
26 objectSid: ${DOMAINSID}-500
28 accountExpires: 9223372036854775807
29 sAMAccountName: Administrator
30 userPassword:: ${ADMINPASS_B64}
31 isCriticalSystemObject: TRUE
# Built-in guest (RID 501). userAccountControl 66082 is 0x10222 =
# NORMAL_ACCOUNT | ACCOUNTDISABLE | PASSWD_NOTREQD | DONT_EXPIRE_PASSWD: the
# account is created disabled, and PASSWD_NOTREQD means an empty password would
# be accepted if it were ever enabled.
33 dn: CN=Guest,CN=Users,${DOMAINDN}
35 description: Built-in account for guest access to the computer/domain
36 userAccountControl: 66082
38 objectSid: ${DOMAINSID}-501
40 isCriticalSystemObject: TRUE
# KDC service account (RID 502) whose key encrypts ticket-granting tickets.
# userAccountControl 514 is 0x202 = NORMAL_ACCOUNT | ACCOUNTDISABLE, so the
# account is disabled as on Windows and is never used for logon. Its key is
# derived from ${KRBTGTPASS_B64}; rotating that password is the standard way to
# invalidate outstanding TGTs.
42 dn: CN=krbtgt,CN=Users,${DOMAINDN}
45 objectClass: organizationalPerson
47 description: Key Distribution Center Service Account
48 showInAdvancedViewOnly: TRUE
49 userAccountControl: 514
50 objectSid: ${DOMAINSID}-502
52 accountExpires: 9223372036854775807
53 sAMAccountName: krbtgt
54 servicePrincipalName: kadmin/changepw
55 userPassword:: ${KRBTGTPASS_B64}
56 isCriticalSystemObject: TRUE
60 dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
63 description: Designated administrators of the enterprise
64 member: CN=Administrator,CN=Users,${DOMAINDN}
65 objectSid: ${DOMAINSID}-519
67 sAMAccountName: Enterprise Admins
68 isCriticalSystemObject: TRUE
70 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
73 description: All workstations and servers joined to the domain
74 objectSid: ${DOMAINSID}-515
75 sAMAccountName: Domain Computers
76 isCriticalSystemObject: TRUE
78 dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
81 description: All domain controllers in the domain
82 objectSid: ${DOMAINSID}-516
84 sAMAccountName: Domain Controllers
85 isCriticalSystemObject: TRUE
87 dn: CN=Schema Admins,CN=Users,${DOMAINDN}
90 description: Designated administrators of the schema
91 member: CN=Administrator,CN=Users,${DOMAINDN}
92 objectSid: ${DOMAINSID}-518
94 sAMAccountName: Schema Admins
95 isCriticalSystemObject: TRUE
# groupType -2147483644 is 0x80000004 = GROUP_TYPE_SECURITY_ENABLED |
# GROUP_TYPE_RESOURCE_GROUP, i.e. a domain-local security group; the same value
# is used for RAS and IAS Servers and the read-only DC groups below.
97 dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
100 description: Members of this group are permitted to publish certificates to the Active Directory
101 groupType: -2147483644
102 objectSid: ${DOMAINSID}-517
103 sAMAccountName: Cert Publishers
104 isCriticalSystemObject: TRUE
106 dn: CN=Domain Admins,CN=Users,${DOMAINDN}
109 description: Designated administrators of the domain
110 member: CN=Administrator,CN=Users,${DOMAINDN}
111 objectSid: ${DOMAINSID}-512
113 sAMAccountName: Domain Admins
114 isCriticalSystemObject: TRUE
116 dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
119 description: Members in this group can modify group policy for the domain
120 member: CN=Administrator,CN=Users,${DOMAINDN}
121 objectSid: ${DOMAINSID}-520
122 sAMAccountName: Group Policy Creator Owners
123 isCriticalSystemObject: TRUE
125 dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
128 description: Servers in this group can access remote access properties of users
129 objectSid: ${DOMAINSID}-553
130 sAMAccountName: RAS and IAS Servers
131 groupType: -2147483644
132 isCriticalSystemObject: TRUE
134 dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
137 description: read-only domain controllers
138 objectSid: ${DOMAINSID}-521
139 sAMAccountName: Read-Only Domain Controllers
140 groupType: -2147483644
141 isCriticalSystemObject: TRUE
143 dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN}
146 description: enterprise read-only domain controllers
147 objectSid: ${DOMAINSID}-498
148 sAMAccountName: Enterprise Read-Only Domain Controllers
149 groupType: -2147483644
150 isCriticalSystemObject: TRUE
152 dn: CN=Certificate Service DCOM Access,CN=Users,${DOMAINDN}
155 description: Certificate Service DCOM Access
156 objectSid: ${DOMAINSID}-574
157 sAMAccountName: Certificate Service DCOM Access
158 groupType: -2147483644
159 isCriticalSystemObject: TRUE
161 dn: CN=Cryptographic Operators,CN=Users,${DOMAINDN}
164 description: Cryptographic Operators
165 objectSid: ${DOMAINSID}-569
166 sAMAccountName: Cryptographic Operators
167 groupType: -2147483644
168 isCriticalSystemObject: TRUE
170 dn: CN=Event Log Readers,CN=Users,${DOMAINDN}
173 description: Event Log Readers
174 objectSid: ${DOMAINSID}-573
175 sAMAccountName: Event Log Readers
176 groupType: -2147483644
177 isCriticalSystemObject: TRUE
179 # Add foreign security principals
# Placeholder objects for well-known SIDs that have no account of their own in
# the domain, so they can be listed as group members further down:
#   S-1-5-4  Interactive        S-1-5-9  Enterprise Domain Controllers
#   S-1-5-11 Authenticated Users  S-1-5-20 Network Service
181 dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
183 objectClass: foreignSecurityPrincipal
186 dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
188 objectClass: foreignSecurityPrincipal
191 dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
193 objectClass: foreignSecurityPrincipal
196 dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
198 objectClass: foreignSecurityPrincipal
201 # Add builtin objects
# groupType -2147483643 is 0x80000005 = GROUP_TYPE_SECURITY_ENABLED |
# GROUP_TYPE_RESOURCE_GROUP | GROUP_TYPE_BUILTIN_LOCAL_GROUP. systemFlags
# -1946157056 is 0x8C000000 = FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME |
# FLAG_DOMAIN_DISALLOW_MOVE, so these groups cannot be deleted, renamed or moved.
# The "privilege:" attribute is Samba-specific and grants the listed rights to
# the group's members.
203 dn: CN=Administrators,CN=Builtin,${DOMAINDN}
206 description: Administrators have complete and unrestricted access to the computer/domain
207 member: CN=Domain Admins,CN=Users,${DOMAINDN}
208 member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
209 member: CN=Administrator,CN=Users,${DOMAINDN}
210 objectSid: S-1-5-32-544
212 sAMAccountName: Administrators
213 systemFlags: -1946157056
214 groupType: -2147483643
215 privilege: SeSecurityPrivilege
216 privilege: SeBackupPrivilege
217 privilege: SeRestorePrivilege
218 privilege: SeSystemtimePrivilege
219 privilege: SeShutdownPrivilege
220 privilege: SeRemoteShutdownPrivilege
221 privilege: SeTakeOwnershipPrivilege
222 privilege: SeDebugPrivilege
223 privilege: SeSystemEnvironmentPrivilege
224 privilege: SeSystemProfilePrivilege
225 privilege: SeProfileSingleProcessPrivilege
226 privilege: SeIncreaseBasePriorityPrivilege
227 privilege: SeLoadDriverPrivilege
228 privilege: SeCreatePagefilePrivilege
229 privilege: SeIncreaseQuotaPrivilege
230 privilege: SeChangeNotifyPrivilege
231 privilege: SeUndockPrivilege
232 privilege: SeManageVolumePrivilege
233 privilege: SeImpersonatePrivilege
234 privilege: SeCreateGlobalPrivilege
235 privilege: SeEnableDelegationPrivilege
236 privilege: SeInteractiveLogonRight
237 privilege: SeNetworkLogonRight
238 privilege: SeRemoteInteractiveLogonRight
239 isCriticalSystemObject: TRUE
241 dn: CN=Users,CN=Builtin,${DOMAINDN}
244 description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
245 member: CN=Domain Users,CN=Users,${DOMAINDN}
246 member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
247 member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
248 objectSid: S-1-5-32-545
249 sAMAccountName: Users
250 systemFlags: -1946157056
251 groupType: -2147483643
252 isCriticalSystemObject: TRUE
254 dn: CN=Guests,CN=Builtin,${DOMAINDN}
257 description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
258 member: CN=Domain Guests,CN=Users,${DOMAINDN}
259 member: CN=Guest,CN=Users,${DOMAINDN}
260 objectSid: S-1-5-32-546
261 sAMAccountName: Guests
262 systemFlags: -1946157056
263 groupType: -2147483643
264 isCriticalSystemObject: TRUE
266 dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
269 description: Members can administer domain printers
270 objectSid: S-1-5-32-550
272 sAMAccountName: Print Operators
273 systemFlags: -1946157056
274 groupType: -2147483643
275 privilege: SeLoadDriverPrivilege
276 privilege: SeShutdownPrivilege
277 privilege: SeInteractiveLogonRight
278 isCriticalSystemObject: TRUE
280 dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
283 description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
284 objectSid: S-1-5-32-551
286 sAMAccountName: Backup Operators
287 systemFlags: -1946157056
288 groupType: -2147483643
289 privilege: SeBackupPrivilege
290 privilege: SeRestorePrivilege
291 privilege: SeShutdownPrivilege
292 privilege: SeInteractiveLogonRight
293 isCriticalSystemObject: TRUE
295 dn: CN=Replicator,CN=Builtin,${DOMAINDN}
298 description: Supports file replication in a domain
299 objectSid: S-1-5-32-552
301 sAMAccountName: Replicator
302 systemFlags: -1946157056
303 groupType: -2147483643
304 isCriticalSystemObject: TRUE
306 dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
309 description: Members in this group are granted the right to logon remotely
310 objectSid: S-1-5-32-555
311 sAMAccountName: Remote Desktop Users
312 systemFlags: -1946157056
313 groupType: -2147483643
314 isCriticalSystemObject: TRUE
316 dn: CN=Network Configuration Operators,CN=Builtin,${DOMAINDN}
319 description: Members in this group can have some administrative privileges to manage configuration of networking features
320 objectSid: S-1-5-32-556
321 sAMAccountName: Network Configuration Operators
322 systemFlags: -1946157056
323 groupType: -2147483643
324 isCriticalSystemObject: TRUE
326 dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
329 description: Members of this group have remote access to monitor this computer
330 objectSid: S-1-5-32-558
331 sAMAccountName: Performance Monitor Users
332 systemFlags: -1946157056
333 groupType: -2147483643
334 isCriticalSystemObject: TRUE
336 dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
339 description: Members of this group have remote access to schedule logging of performance counters on this computer
340 member: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
341 objectSid: S-1-5-32-559
342 sAMAccountName: Performance Log Users
343 systemFlags: -1946157056
344 groupType: -2147483643
345 isCriticalSystemObject: TRUE
347 dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
350 description: Members can administer domain servers
351 objectSid: S-1-5-32-549
353 sAMAccountName: Server Operators
354 systemFlags: -1946157056
355 groupType: -2147483643
356 privilege: SeBackupPrivilege
357 privilege: SeSystemtimePrivilege
358 privilege: SeRemoteShutdownPrivilege
359 privilege: SeRestorePrivilege
360 privilege: SeShutdownPrivilege
361 privilege: SeInteractiveLogonRight
362 isCriticalSystemObject: TRUE
364 dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
367 description: Members can administer domain user and group accounts
368 objectSid: S-1-5-32-548
370 sAMAccountName: Account Operators
371 systemFlags: -1946157056
372 groupType: -2147483643
373 privilege: SeInteractiveLogonRight
374 isCriticalSystemObject: TRUE
# Authenticated Users (S-1-5-11) is a member by default, which gives every
# authenticated principal read access to all user and group objects in the
# domain, and the two privilege lines below effectively apply to that same
# broad set. Review whether this legacy membership is wanted for the deployment.
376 dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
379 description: A backward compatibility group which allows read access on all users and groups in the domain
380 member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
381 objectSid: S-1-5-32-554
382 sAMAccountName: Pre-Windows 2000 Compatible Access
383 systemFlags: -1946157056
384 groupType: -2147483643
385 privilege: SeRemoteInteractiveLogonRight
386 privilege: SeChangeNotifyPrivilege
387 isCriticalSystemObject: TRUE
389 dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
392 description: Members of this group can create incoming, one-way trusts to this forest
393 objectSid: S-1-5-32-557
394 sAMAccountName: Incoming Forest Trust Builders
395 systemFlags: -1946157056
396 groupType: -2147483643
397 isCriticalSystemObject: TRUE
399 dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
402 description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
403 member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
404 objectSid: S-1-5-32-560
405 sAMAccountName: Windows Authorization Access Group
406 systemFlags: -1946157056
407 groupType: -2147483643
408 isCriticalSystemObject: TRUE
410 dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
413 description: Terminal Server License Servers
414 objectSid: S-1-5-32-561
415 sAMAccountName: Terminal Server License Servers
416 systemFlags: -1946157056
417 groupType: -2147483643
418 isCriticalSystemObject: TRUE
420 dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
423 description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
424 objectSid: S-1-5-32-562
425 sAMAccountName: Distributed COM Users
426 systemFlags: -1946157056
427 groupType: -2147483643
428 isCriticalSystemObject: TRUE
430 # Add well known security principals
# Forest-wide container for the well-known SIDs, kept in the configuration
# partition (${CONFIGDN}). systemFlags -2147483648 is 0x80000000 =
# FLAG_DISALLOW_DELETE.
432 dn: CN=WellKnown Security Principals,${CONFIGDN}
434 objectClass: container
435 systemFlags: -2147483648
437 dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
439 objectClass: foreignSecurityPrincipal
442 dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
444 objectClass: foreignSecurityPrincipal
447 dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
449 objectClass: foreignSecurityPrincipal
452 dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
454 objectClass: foreignSecurityPrincipal
457 dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
459 objectClass: foreignSecurityPrincipal
462 dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
464 objectClass: foreignSecurityPrincipal
467 dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
469 objectClass: foreignSecurityPrincipal
470 objectSid: S-1-5-64-21
472 dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
474 objectClass: foreignSecurityPrincipal
477 dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
479 objectClass: foreignSecurityPrincipal
482 dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
484 objectClass: foreignSecurityPrincipal
487 dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
489 objectClass: foreignSecurityPrincipal
492 dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
494 objectClass: foreignSecurityPrincipal
497 dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
499 objectClass: foreignSecurityPrincipal
502 dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
504 objectClass: foreignSecurityPrincipal
505 objectSid: S-1-5-64-10
507 dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
509 objectClass: foreignSecurityPrincipal
510 objectSid: S-1-5-1000
512 dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
514 objectClass: foreignSecurityPrincipal
517 dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
519 objectClass: foreignSecurityPrincipal
522 dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
524 objectClass: foreignSecurityPrincipal
527 dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
529 objectClass: foreignSecurityPrincipal
530 objectSid: S-1-5-64-14
532 dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
534 objectClass: foreignSecurityPrincipal
537 dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
539 objectClass: foreignSecurityPrincipal
542 dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
544 objectClass: foreignSecurityPrincipal
547 dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
549 objectClass: foreignSecurityPrincipal
552 dn: CN=Well-Known-Security-Id-System,CN=WellKnown Security Principals,${CONFIGDN}
554 objectClass: foreignSecurityPrincipal