dn: CN=Administrator,CN=Users,${DOMAINDN}
objectClass: user
description: Built-in account for administering the computer/domain
-userAccountControl: 66048
+userAccountControl: 512
objectSid: ${DOMAINSID}-500
adminCount: 1
accountExpires: 9223372036854775807
sAMAccountName: Administrator
-userPassword:: ${ADMINPASS_B64}
+clearTextPassword:: ${ADMINPASS_B64}
isCriticalSystemObject: TRUE
dn: CN=Guest,CN=Users,${DOMAINDN}
accountExpires: 9223372036854775807
sAMAccountName: krbtgt
servicePrincipalName: kadmin/changepw
-userPassword:: ${KRBTGTPASS_B64}
+clearTextPassword:: ${KRBTGTPASS_B64}
isCriticalSystemObject: TRUE
# Add other groups
-dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+dn: CN=Enterprise Read-only Domain Controllers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group are Read-Only Domain Controllers in the enterprise
objectSid: ${DOMAINSID}-498
-sAMAccountName: Enterprise Read-Only Domain Controllers
+sAMAccountName: Enterprise Read-only Domain Controllers
groupType: -2147483640
isCriticalSystemObject: TRUE
dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
-description: Members of this group are permitted to publish certificates to the Active Directory
+description: Members of this group are permitted to publish certificates to the directory
objectSid: ${DOMAINSID}-517
sAMAccountName: Cert Publishers
groupType: -2147483644
sAMAccountName: Group Policy Creator Owners
isCriticalSystemObject: TRUE
-dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+dn: CN=Read-only Domain Controllers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group are Read-Only Domain Controllers in the domain
objectSid: ${DOMAINSID}-521
adminCount: 1
-sAMAccountName: Read-Only Domain Controllers
+sAMAccountName: Read-only Domain Controllers
isCriticalSystemObject: TRUE
dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
-description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
+description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain
objectSid: ${DOMAINSID}-571
sAMAccountName: Allowed RODC Password Replication Group
groupType: -2147483644
dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
-description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.
-member: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
+member: CN=Read-only Domain Controllers,CN=Users,${DOMAINDN}
member: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
member: CN=Domain Admins,CN=Users,${DOMAINDN}
member: CN=Cert Publishers,CN=Users,${DOMAINDN}
groupType: -2147483644
isCriticalSystemObject: TRUE
+# NOTICE: Some other users and groups which rely on automatic SIDs are located
+# in "provision_self_join_modify.ldif"
+
# Add foreign security principals
dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectClass: foreignSecurityPrincipal
objectSid: S-1-5-17
-dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-20
-
# Add builtin objects
dn: CN=Administrators,CN=Builtin,${DOMAINDN}
dn: CN=Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
+description: Users are prevented from making accidental or intentional system-wide changes and can run most applications
member: CN=Domain Users,CN=Users,${DOMAINDN}
member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-description: Members of this group have remote access to monitor this computer
+description: Members of this group can access performance counter data locally and remotely
objectSid: S-1-5-32-558
sAMAccountName: Performance Monitor Users
systemFlags: -1946157056
dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-description: Members of this group have remote access to schedule logging of performance counters on this computer
-member: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
+description: Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
objectSid: S-1-5-32-559
sAMAccountName: Performance Log Users
systemFlags: -1946157056
dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-description: Terminal Server License Servers
+description: Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage
objectSid: S-1-5-32-561
sAMAccountName: Terminal Server License Servers
systemFlags: -1946157056
dn: CN=IIS_IUSRS,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-description: Integrated group used by the IIS
+description: Built-in group used by Internet Information Services.
member: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-568
sAMAccountName: IIS_IUSRS
dn: CN=Event Log Readers,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-description: Members of this group can read event logs from local machine.
+description: Members of this group can read event logs from local machine
objectSid: S-1-5-32-573
sAMAccountName: Event Log Readers
systemFlags: -1946157056
dn: CN=Certificate Service DCOM Access,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-description: Members of this group are allowed to connect to Certification Authorities in the enterprise.
+description: Members of this group are allowed to connect to Certification Authorities in the enterprise
objectSid: S-1-5-32-574
sAMAccountName: Certificate Service DCOM Access
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
-# Add well known security principals
-
-dn: CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: container
-systemFlags: -2147483648
-
-dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-7
-
-dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-11
-
-dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-3
-
-dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-3-1
-
-dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-3-0
-
-dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-1
-
-dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-64-21
-
-dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-9
-
-dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-1-0
-
-dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-4
-
-dn: CN=IUSR,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-17
-
-dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-19
-
-dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-2
-
-dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-20
-
-dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-64-10
-
-dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-1000
-
-dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-8
-
-dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-14
-
-dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-12
-
-dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-64-14
-
-dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-10
-
-dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-6
-
-dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-13
-
-dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-15
-
-dn: CN=Well-Known-Security-Id-System,CN=WellKnown Security Principals,${CONFIGDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-18