From: Andrew Tridgell Date: Sun, 10 Jan 2010 23:08:30 +0000 (+1100) Subject: Revert "s4:provision_users.ldif - Import all essential groups for Windows Server... X-Git-Tag: samba-4.0.0alpha11~3 X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=73422e7dd866f9c65e1ba5cd42fd027b5acf3a40;ds=sidebyside Revert "s4:provision_users.ldif - Import all essential groups for Windows Server 2008 mode" This reverts commit 5c174c68ccba7506147feab1d09ad676792139b3. This series of commits broke 'make test'. Matthias, please make sure you run a _full_ make test before every push.
---
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index 58b7d159d84..c27249d2c51 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -75,54 +75,43 @@ isCriticalSystemObject: TRUE
 
 # Add other groups
 
-dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Members of this group are Read-Only Domain Controllers in the enterprise
-objectSid: ${DOMAINSID}-498
-sAMAccountName: Enterprise Read-Only Domain Controllers
-groupType: -2147483640
+description: Designated administrators of the enterprise
+member: CN=Administrator,CN=Users,${DOMAINDN}
+objectSid: ${DOMAINSID}-519
+adminCount: 1
+sAMAccountName: Enterprise Admins
 isCriticalSystemObject: TRUE
 
-dn: CN=Domain Admins,CN=Users,${DOMAINDN}
+dn: CN=Schema Admins,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Designated administrators of the domain
+description: Designated administrators of the schema
 member: CN=Administrator,CN=Users,${DOMAINDN}
-objectSid: ${DOMAINSID}-512
+objectSid: ${DOMAINSID}-518
 adminCount: 1
-sAMAccountName: Domain Admins
+sAMAccountName: Schema Admins
 isCriticalSystemObject: TRUE
 
 dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
 description: Members of this group are permitted to publish certificates to the Active Directory
+groupType: -2147483644
 objectSid: ${DOMAINSID}-517
 sAMAccountName: Cert Publishers
-groupType: -2147483644
 isCriticalSystemObject: TRUE
 
-dn: CN=Schema Admins,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: group
-description: Designated administrators of the schema
-member: CN=Administrator,CN=Users,${DOMAINDN}
-objectSid: ${DOMAINSID}-518
-adminCount: 1
-sAMAccountName: Schema Admins
-groupType: -2147483640
-isCriticalSystemObject: TRUE
-
-dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
+dn: CN=Domain Admins,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Designated administrators of the enterprise
+description: Designated administrators of the domain
 member: CN=Administrator,CN=Users,${DOMAINDN}
-objectSid: ${DOMAINSID}-519
+objectSid: ${DOMAINSID}-512
 adminCount: 1
-sAMAccountName: Enterprise Admins
-groupType: -2147483640
+sAMAccountName: Domain Admins
 isCriticalSystemObject: TRUE
 
 dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
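Review bot: On the new side the Enterprise Admins, Schema Admins and Domain Admins entries carry no `groupType` at all, while the neighbouring Cert Publishers entry sets one explicitly, so the scope of the most privileged groups is left to whatever default the directory applies, and that default is not visible in this file. The reverted commit had set `groupType: -2147483640` on Enterprise Admins and Schema Admins; unless those lines were part of what broke 'make test', I would keep them. Failing that, a comment above each entry such as `# groupType intentionally omitted: server default applies` would make the omission deliberate rather than accidental.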
@@ -134,39 +123,57 @@ objectSid: ${DOMAINSID}-520
 sAMAccountName: Group Policy Creator Owners
 isCriticalSystemObject: TRUE
 
+dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Servers in this group can access remote access properties of users
+objectSid: ${DOMAINSID}-553
+sAMAccountName: RAS and IAS Servers
+groupType: -2147483644
+isCriticalSystemObject: TRUE
+
 dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Members of this group are Read-Only Domain Controllers in the domain
+description: Read-only domain controllers
 objectSid: ${DOMAINSID}-521
-adminCount: 1
 sAMAccountName: Read-Only Domain Controllers
+groupType: -2147483644
 isCriticalSystemObject: TRUE
 
-dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
+dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Servers in this group can access remote access properties of users
-objectSid: ${DOMAINSID}-553
-sAMAccountName: RAS and IAS Servers
+description: Enterprise read-only domain controllers
+objectSid: ${DOMAINSID}-498
+sAMAccountName: Enterprise Read-Only Domain Controllers
 groupType: -2147483644
 isCriticalSystemObject: TRUE
 
-dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN}
+dn: CN=Certificate Service DCOM Access,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
-objectSid: ${DOMAINSID}-571
-sAMAccountName: Allowed RODC Password Replication Group
+description: Certificate Service DCOM Access
+objectSid: ${DOMAINSID}-574
+sAMAccountName: Certificate Service DCOM Access
 groupType: -2147483644
 isCriticalSystemObject: TRUE
 
-dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN}
+dn: CN=Cryptographic Operators,CN=Users,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.
-objectSid: ${DOMAINSID}-572
-sAMAccountName: Denied RODC Password Replication Group
+description: Cryptographic Operators
+objectSid: ${DOMAINSID}-569
+sAMAccountName: Cryptographic Operators
+groupType: -2147483644
+isCriticalSystemObject: TRUE
+
+dn: CN=Event Log Readers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Event Log Readers
+objectSid: ${DOMAINSID}-573
+sAMAccountName: Event Log Readers
 groupType: -2147483644
 isCriticalSystemObject: TRUE
 
@@ -187,11 +194,6 @@ objectClass: top
 objectClass: foreignSecurityPrincipal
 objectSid: S-1-5-11
 
-dn: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
-objectClass: top
-objectClass: foreignSecurityPrincipal
-objectSid: S-1-5-17
-
 dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
 objectClass: top
 objectClass: foreignSecurityPrincipal
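Review bot: The Certificate Service DCOM Access, Cryptographic Operators and Event Log Readers entries that the `@@ -134,39 +123,57 @@` hunk re-adds under CN=Users get domain-relative SIDs (`${DOMAINSID}-574`, `${DOMAINSID}-569`, `${DOMAINSID}-573`). The entries removed in the `@@ -355,63 +314,76 @@` hunk had them in CN=Builtin as `S-1-5-32-574`, `S-1-5-32-569` and `S-1-5-32-573`, which are the well-known alias SIDs for these groups. With the domain-relative form, an ACL or policy written against the builtin SID would presumably not match members of these groups, so access decisions could differ from what an administrator expects. The same hunk also drops the Allowed and Denied RODC Password Replication Group entries and `adminCount: 1` on Read-Only Domain Controllers. If the revert is only meant to unbreak the test suite, a follow-up should restore the Builtin form, e.g. `objectSid: S-1-5-32-573` with `groupType: -2147483643`.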
@@ -238,28 +240,6 @@ systemFlags: -1946157056
 groupType: -2147483643
 isCriticalSystemObject: TRUE
 
-dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
-objectClass: top
-objectClass: group
-description: Members can administer domain user and group accounts
-objectSid: S-1-5-32-548
-adminCount: 1
-sAMAccountName: Account Operators
-systemFlags: -1946157056
-groupType: -2147483643
-isCriticalSystemObject: TRUE
-
-dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
-objectClass: top
-objectClass: group
-description: Members can administer domain servers
-objectSid: S-1-5-32-549
-adminCount: 1
-sAMAccountName: Server Operators
-systemFlags: -1946157056
-groupType: -2147483643
-isCriticalSystemObject: TRUE
-
 dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
@@ -293,17 +273,6 @@ systemFlags: -1946157056
 groupType: -2147483643
 isCriticalSystemObject: TRUE
 
-dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
-objectClass: top
-objectClass: group
-description: A backward compatibility group which allows read access on all users and groups in the domain
-member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
-objectSid: S-1-5-32-554
-sAMAccountName: Pre-Windows 2000 Compatible Access
-systemFlags: -1946157056
-groupType: -2147483643
-isCriticalSystemObject: TRUE
-
 dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
@@ -324,16 +293,6 @@ systemFlags: -1946157056
 groupType: -2147483643
 isCriticalSystemObject: TRUE
 
-dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
-objectClass: top
-objectClass: group
-description: Members of this group can create incoming, one-way trusts to this forest
-objectSid: S-1-5-32-557
-sAMAccountName: Incoming Forest Trust Builders
-systemFlags: -1946157056
-groupType: -2147483643
-isCriticalSystemObject: TRUE
-
 dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
@@ -355,63 +314,76 @@ systemFlags: -1946157056
 groupType: -2147483643
 isCriticalSystemObject: TRUE
 
-dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
+dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
-member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
-objectSid: S-1-5-32-560
-sAMAccountName: Windows Authorization Access Group
+description: Members can administer domain servers
+objectSid: S-1-5-32-549
+adminCount: 1
+sAMAccountName: Server Operators
 systemFlags: -1946157056
 groupType: -2147483643
 isCriticalSystemObject: TRUE
 
-dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
+dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Terminal Server License Servers
-objectSid: S-1-5-32-561
-sAMAccountName: Terminal Server License Servers
+description: Members can administer domain user and group accounts
+objectSid: S-1-5-32-548
+adminCount: 1
+sAMAccountName: Account Operators
 systemFlags: -1946157056
 groupType: -2147483643
 isCriticalSystemObject: TRUE
 
-dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
+dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
-objectSid: S-1-5-32-562
-sAMAccountName: Distributed COM Users
+description: A backward compatibility group which allows read access on all users and groups in the domain
+member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectSid: S-1-5-32-554
+sAMAccountName: Pre-Windows 2000 Compatible Access
 systemFlags: -1946157056
 groupType: -2147483643
 isCriticalSystemObject: TRUE
 
-dn: CN=Cryptographic Operators,CN=Builtin,${DOMAINDN}
+dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Members are authorized to perform cryptographic operations.
-objectSid: S-1-5-32-569
-sAMAccountName: Cryptographic Operators
+description: Members of this group can create incoming, one-way trusts to this forest
+objectSid: S-1-5-32-557
+sAMAccountName: Incoming Forest Trust Builders
+systemFlags: -1946157056
+groupType: -2147483643
+isCriticalSystemObject: TRUE
+
+dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
+member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectSid: S-1-5-32-560
+sAMAccountName: Windows Authorization Access Group
 systemFlags: -1946157056
 groupType: -2147483643
 isCriticalSystemObject: TRUE
 
-dn: CN=Event Log Readers,CN=Builtin,${DOMAINDN}
+dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Members of this group can read event logs from local machine.
-objectSid: S-1-5-32-573
-sAMAccountName: Event Log Readers
+description: Terminal Server License Servers
+objectSid: S-1-5-32-561
+sAMAccountName: Terminal Server License Servers
 systemFlags: -1946157056
 groupType: -2147483643
 isCriticalSystemObject: TRUE
 
-dn: CN=Certificate Service DCOM Access,CN=Builtin,${DOMAINDN}
+dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
 objectClass: top
 objectClass: group
-description: Members of this group are allowed to connect to Certification Authorities in the enterprise.
-objectSid: S-1-5-32-574
-sAMAccountName: Certificate Service DCOM Access
+description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
+objectSid: S-1-5-32-562
+sAMAccountName: Distributed COM Users
 systemFlags: -1946157056
 groupType: -2147483643
 isCriticalSystemObject: TRUE
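Review bot: The `member:` lines re-added in this hunk name foreign security principals only by SID, so the file does not show who actually ends up in each group. `CN=S-1-5-11` in Pre-Windows 2000 Compatible Access is Authenticated Users, and `CN=S-1-5-9` in Windows Authorization Access Group is Enterprise Domain Controllers. I would add an LDIF comment above each `dn:` line, e.g. `# member S-1-5-11 = Authenticated Users: every authenticated principal gets read access to all users and groups`, so the breadth of that default is visible to whoever audits the provisioned directory. This hunk is mostly a reordering of entries, so nothing else changes for these two groups.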