-dn: CN=Administrator,CN=Users,${BASEDN}
+# Add default primary groups (domain users, domain guests, domain computers &
+# domain controllers) - needed for the users to find valid primary groups
+# (samldb module)
+
+dn: CN=Domain Users,CN=Users,${DOMAINDN}
objectClass: top
-objectClass: person
-objectClass: organizationalPerson
+objectClass: group
+description: All domain users
+objectSid: ${DOMAINSID}-513
+sAMAccountName: Domain Users
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Guests,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: All domain guests
+objectSid: ${DOMAINSID}-514
+sAMAccountName: Domain Guests
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Computers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: All workstations and servers joined to the domain
+objectSid: ${DOMAINSID}-515
+sAMAccountName: Domain Computers
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: All domain controllers in the domain
+objectSid: ${DOMAINSID}-516
+adminCount: 1
+sAMAccountName: Domain Controllers
+isCriticalSystemObject: TRUE
+
+# Add users
+
+dn: CN=Administrator,CN=Users,${DOMAINDN}
objectClass: user
-cn: Administrator
description: Built-in account for administering the computer/domain
-uSNCreated: 1
-memberOf: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
-memberOf: CN=Domain Admins,CN=Users,${BASEDN}
-memberOf: CN=Enterprise Admins,CN=Users,${BASEDN}
-memberOf: CN=Schema Admins,CN=Users,${BASEDN}
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-userAccountControl: 0x10200
+userAccountControl: 66048
objectSid: ${DOMAINSID}-500
adminCount: 1
-accountExpires: -1
+accountExpires: 9223372036854775807
sAMAccountName: Administrator
+userPassword:: ${ADMINPASS_B64}
isCriticalSystemObject: TRUE
-unicodePwd: ${ADMINPASS}
-unixName: ${ROOT}
-dn: CN=Guest,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
+dn: CN=Guest,CN=Users,${DOMAINDN}
objectClass: user
-cn: Guest
description: Built-in account for guest access to the computer/domain
-uSNCreated: 1
-memberOf: CN=Guests,CN=Builtin,${BASEDN}
-uSNChanged: 1
-userAccountControl: 0x10222
+userAccountControl: 66082
primaryGroupID: 514
objectSid: ${DOMAINSID}-501
sAMAccountName: Guest
isCriticalSystemObject: TRUE
-dn: CN=Administrators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Administrators
-description: Administrators have complete and unrestricted access to the computer/domain
-member: CN=Domain Admins,CN=Users,${BASEDN}
-member: CN=Enterprise Admins,CN=Users,${BASEDN}
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-544
-adminCount: 1
-sAMAccountName: Administrators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-privilege: SeSecurityPrivilege
-privilege: SeBackupPrivilege
-privilege: SeRestorePrivilege
-privilege: SeSystemtimePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeRemoteShutdownPrivilege
-privilege: SeTakeOwnershipPrivilege
-privilege: SeDebugPrivilege
-privilege: SeSystemEnvironmentPrivilege
-privilege: SeSystemProfilePrivilege
-privilege: SeProfileSingleProcessPrivilege
-privilege: SeIncreaseBasePriorityPrivilege
-privilege: SeLoadDriverPrivilege
-privilege: SeCreatePagefilePrivilege
-privilege: SeIncreaseQuotaPrivilege
-privilege: SeChangeNotifyPrivilege
-privilege: SeUndockPrivilege
-privilege: SeManageVolumePrivilege
-privilege: SeImpersonatePrivilege
-privilege: SeCreateGlobalPrivilege
-privilege: SeEnableDelegationPrivilege
-privilege: SeInteractiveLogonRight
-privilege: SeNetworkLogonRight
-privilege: SeRemoteInteractiveLogonRight
-
-
-dn: CN=${NETBIOSNAME},OU=Domain Controllers,${BASEDN}
+dn: CN=krbtgt,CN=Users,${DOMAINDN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
-objectClass: computer
-cn: ${NETBIOSNAME}
-uSNCreated: 1
-uSNChanged: 1
-objectGUID: ${HOSTGUID}
-userAccountControl: 532480
-lastLogon: 127273269057298624
-localPolicyFlags: 0
-pwdLastSet: 127258826171655328
-primaryGroupID: 516
-objectSid: ${DOMAINSID}-1000
+description: Key Distribution Center Service Account
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+objectSid: ${DOMAINSID}-502
+adminCount: 1
accountExpires: 9223372036854775807
-sAMAccountName: ${NETBIOSNAME}$
-sAMAccountType: 805306369
-operatingSystem: Samba
-operatingSystemVersion: 4.0
-dNSHostName: ${DNSNAME}
+sAMAccountName: krbtgt
+servicePrincipalName: kadmin/changepw
+userPassword:: ${KRBTGTPASS_B64}
isCriticalSystemObject: TRUE
-unicodePwd: ${MACHINEPASS}
-servicePrincipalName: HOST/${DNSNAME}
-servicePrincipalName: HOST/${NETBIOSNAME}
-msDS-KeyVersionNumber: 1
+# Add other groups
+
+dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members of this group are Read-Only Domain Controllers in the enterprise
+objectSid: ${DOMAINSID}-498
+sAMAccountName: Enterprise Read-Only Domain Controllers
+groupType: -2147483640
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Admins,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Designated administrators of the domain
+member: CN=Administrator,CN=Users,${DOMAINDN}
+objectSid: ${DOMAINSID}-512
+adminCount: 1
+sAMAccountName: Domain Admins
+isCriticalSystemObject: TRUE
+
+dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members of this group are permitted to publish certificates to the Active Directory
+objectSid: ${DOMAINSID}-517
+sAMAccountName: Cert Publishers
+groupType: -2147483644
+isCriticalSystemObject: TRUE
+
+dn: CN=Schema Admins,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Designated administrators of the schema
+member: CN=Administrator,CN=Users,${DOMAINDN}
+objectSid: ${DOMAINSID}-518
+adminCount: 1
+sAMAccountName: Schema Admins
+groupType: -2147483640
+isCriticalSystemObject: TRUE
+
+dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Designated administrators of the enterprise
+member: CN=Administrator,CN=Users,${DOMAINDN}
+objectSid: ${DOMAINSID}-519
+adminCount: 1
+sAMAccountName: Enterprise Admins
+groupType: -2147483640
+isCriticalSystemObject: TRUE
+
+dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members in this group can modify group policy for the domain
+member: CN=Administrator,CN=Users,${DOMAINDN}
+objectSid: ${DOMAINSID}-520
+sAMAccountName: Group Policy Creator Owners
+isCriticalSystemObject: TRUE
+
+dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members of this group are Read-Only Domain Controllers in the domain
+objectSid: ${DOMAINSID}-521
+adminCount: 1
+sAMAccountName: Read-Only Domain Controllers
+isCriticalSystemObject: TRUE
+
+dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Servers in this group can access remote access properties of users
+objectSid: ${DOMAINSID}-553
+sAMAccountName: RAS and IAS Servers
+groupType: -2147483644
+isCriticalSystemObject: TRUE
+
+dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
+objectSid: ${DOMAINSID}-571
+sAMAccountName: Allowed RODC Password Replication Group
+groupType: -2147483644
+isCriticalSystemObject: TRUE
+
+dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.
+member: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+member: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
+member: CN=Domain Admins,CN=Users,${DOMAINDN}
+member: CN=Cert Publishers,CN=Users,${DOMAINDN}
+member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
+member: CN=Schema Admins,CN=Users,${DOMAINDN}
+member: CN=Domain Controllers,CN=Users,${DOMAINDN}
+member: CN=krbtgt,CN=Users,${DOMAINDN}
+objectSid: ${DOMAINSID}-572
+sAMAccountName: Denied RODC Password Replication Group
+groupType: -2147483644
+isCriticalSystemObject: TRUE
+
+# Add foreign security principals
+
+dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-4
+
+dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-9
+
+dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-11
+
+dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-20
+
+# Add builtin objects
+
+dn: CN=Administrators,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Administrators have complete and unrestricted access to the computer/domain
+member: CN=Domain Admins,CN=Users,${DOMAINDN}
+member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
+member: CN=Administrator,CN=Users,${DOMAINDN}
+objectSid: S-1-5-32-544
+adminCount: 1
+sAMAccountName: Administrators
+systemFlags: -1946157056
+groupType: -2147483643
+isCriticalSystemObject: TRUE
-dn: CN=Users,CN=Builtin,${BASEDN}
+dn: CN=Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Users
description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
-member: CN=Domain Users,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
+member: CN=Domain Users,CN=Users,${DOMAINDN}
+member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
+member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-545
sAMAccountName: Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-dn: CN=Guests,CN=Builtin,${BASEDN}
+dn: CN=Guests,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Guests
description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
-member: CN=Domain Guests,CN=Users,${BASEDN}
-member: CN=Guest,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
+member: CN=Domain Guests,CN=Users,${DOMAINDN}
+member: CN=Guest,CN=Users,${DOMAINDN}
objectSid: S-1-5-32-546
sAMAccountName: Guests
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-unixName: ${NOGROUP}
-dn: CN=Print Operators,CN=Builtin,${BASEDN}
+dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members can administer domain user and group accounts
+objectSid: S-1-5-32-548
+adminCount: 1
+sAMAccountName: Account Operators
+systemFlags: -1946157056
+groupType: -2147483643
+isCriticalSystemObject: TRUE
+
+dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members can administer domain servers
+objectSid: S-1-5-32-549
+adminCount: 1
+sAMAccountName: Server Operators
+systemFlags: -1946157056
+groupType: -2147483643
+isCriticalSystemObject: TRUE
+
+dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Print Operators
description: Members can administer domain printers
-uSNCreated: 1
-uSNChanged: 1
objectSid: S-1-5-32-550
adminCount: 1
sAMAccountName: Print Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-privilege: SeLoadDriverPrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-dn: CN=Backup Operators,CN=Builtin,${BASEDN}
+dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Backup Operators
description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
-uSNCreated: 1
-uSNChanged: 1
objectSid: S-1-5-32-551
adminCount: 1
sAMAccountName: Backup Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-privilege: SeBackupPrivilege
-privilege: SeRestorePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-dn: CN=Replicator,CN=Builtin,${BASEDN}
+dn: CN=Replicator,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Replicator
description: Supports file replication in a domain
-uSNCreated: 1
-uSNChanged: 1
objectSid: S-1-5-32-552
adminCount: 1
sAMAccountName: Replicator
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-dn: CN=Remote Desktop Users,CN=Builtin,${BASEDN}
+dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: A backward compatibility group which allows read access on all users and groups in the domain
+member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectSid: S-1-5-32-554
+sAMAccountName: Pre-Windows 2000 Compatible Access
+systemFlags: -1946157056
+groupType: -2147483643
+isCriticalSystemObject: TRUE
+
+dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Remote Desktop Users
description: Members in this group are granted the right to logon remotely
-uSNCreated: 1
-uSNChanged: 1
objectSid: S-1-5-32-555
sAMAccountName: Remote Desktop Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-dn: CN=Network Configuration Operators,CN=Builtin,${BASEDN}
+dn: CN=Network Configuration Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Network Configuration Operators
description: Members in this group can have some administrative privileges to manage configuration of networking features
-uSNCreated: 1
-uSNChanged: 1
objectSid: S-1-5-32-556
sAMAccountName: Network Configuration Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+systemFlags: -1946157056
+groupType: -2147483643
+isCriticalSystemObject: TRUE
+
+dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members of this group can create incoming, one-way trusts to this forest
+objectSid: S-1-5-32-557
+sAMAccountName: Incoming Forest Trust Builders
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-dn: CN=Performance Monitor Users,CN=Builtin,${BASEDN}
+dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Performance Monitor Users
description: Members of this group have remote access to monitor this computer
-uSNCreated: 1
-uSNChanged: 1
objectSid: S-1-5-32-558
sAMAccountName: Performance Monitor Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-dn: CN=Performance Log Users,CN=Builtin,${BASEDN}
+dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Performance Log Users
description: Members of this group have remote access to schedule logging of performance counters on this computer
-uSNCreated: 1
-uSNChanged: 1
+member: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-559
sAMAccountName: Performance Log Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-dn: CN=krbtgt,CN=Users,${BASEDN}
+dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: krbtgt
-description: Key Distribution Center Service Account
-uSNCreated: 1
-uSNChanged: 1
-showInAdvancedViewOnly: TRUE
-userAccountControl: 514
-pwdLastSet: 127258826179466560
-objectSid: ${DOMAINSID}-502
-adminCount: 1
-accountExpires: 9223372036854775807
-sAMAccountName: krbtgt
-sAMAccountType: 805306368
-servicePrincipalName: kadmin/changepw
+objectClass: group
+description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
+member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectSid: S-1-5-32-560
+sAMAccountName: Windows Authorization Access Group
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-unicodePwd: ${KRBTGTPASS}
-dn: CN=Domain Computers,CN=Users,${BASEDN}
+dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Domain Computers
-description: All workstations and servers joined to the domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-515
-sAMAccountName: Domain Computers
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+description: Terminal Server License Servers
+objectSid: S-1-5-32-561
+sAMAccountName: Terminal Server License Servers
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-dn: CN=Domain Controllers,CN=Users,${BASEDN}
+dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Domain Controllers
-description: All domain controllers in the domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-516
-adminCount: 1
-sAMAccountName: Domain Controllers
+description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
+objectSid: S-1-5-32-562
+sAMAccountName: Distributed COM Users
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-dn: CN=Schema Admins,CN=Users,${BASEDN}
+dn: CN=Cryptographic Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Schema Admins
-description: Designated administrators of the schema
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-518
-adminCount: 1
-sAMAccountName: Schema Admins
+description: Members are authorized to perform cryptographic operations.
+objectSid: S-1-5-32-569
+sAMAccountName: Cryptographic Operators
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-dn: CN=Enterprise Admins,CN=Users,${BASEDN}
+dn: CN=Event Log Readers,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Enterprise Admins
-description: Designated administrators of the enterprise
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-519
-adminCount: 1
-sAMAccountName: Enterprise Admins
+description: Members of this group can read event logs from local machine.
+objectSid: S-1-5-32-573
+sAMAccountName: Event Log Readers
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-dn: CN=Cert Publishers,CN=Users,${BASEDN}
+dn: CN=Certificate Service DCOM Access,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
-cn: Cert Publishers
-description: Members of this group are permitted to publish certificates to the Active Directory
-uSNCreated: 1
-uSNChanged: 1
-groupType: 0x80000004
-sAMAccountType: 0x20000000
-objectSid: ${DOMAINSID}-517
-sAMAccountName: Cert Publishers
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+description: Members of this group are allowed to connect to Certification Authorities in the enterprise.
+objectSid: S-1-5-32-574
+sAMAccountName: Certificate Service DCOM Access
+systemFlags: -1946157056
+groupType: -2147483643
isCriticalSystemObject: TRUE
-dn: CN=Domain Admins,CN=Users,${BASEDN}
+# Add well known security principals
+
+dn: CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
-objectClass: group
-cn: Domain Admins
-description: Designated administrators of the domain
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-512
-adminCount: 1
-sAMAccountName: Domain Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
+objectClass: container
+systemFlags: -2147483648
-dn: CN=Domain Users,CN=Users,${BASEDN}
+dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
-objectClass: group
-cn: Domain Users
-description: All domain users
-uSNCreated: 1
-memberOf: CN=Users,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-513
-sAMAccountName: Domain Users
-isCriticalSystemObject: TRUE
-unixName: ${USERS}
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-7
-dn: CN=Domain Guests,CN=Users,${BASEDN}
+dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
-objectClass: group
-cn: Domain Guests
-description: All domain guests
-uSNCreated: 1
-memberOf: CN=Guests,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-514
-sAMAccountName: Domain Guests
-isCriticalSystemObject: TRUE
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-11
-dn: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
+dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
-objectClass: group
-cn: Group Policy Creator Owners
-description: Members in this group can modify group policy for the domain
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-520
-sAMAccountName: Group Policy Creator Owners
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-3
-dn: CN=RAS and IAS Servers,CN=Users,${BASEDN}
+dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
-objectClass: group
-cn: RAS and IAS Servers
-description: Servers in this group can access remote access properties of users
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-553
-sAMAccountName: RAS and IAS Servers
-sAMAccountType: 0x20000000
-groupType: 0x80000004
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-3-1
-dn: CN=Server Operators,CN=Builtin,${BASEDN}
+dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
-objectClass: group
-cn: Server Operators
-description: Members can administer domain servers
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-549
-adminCount: 1
-sAMAccountName: Server Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeBackupPrivilege
-privilege: SeSystemtimePrivilege
-privilege: SeRemoteShutdownPrivilege
-privilege: SeRestorePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-3-0
-dn: CN=Account Operators,CN=Builtin,${BASEDN}
+dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
-objectClass: group
-cn: Account Operators
-description: Members can administer domain user and group accounts
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-548
-adminCount: 1
-sAMAccountName: Account Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeInteractiveLogonRight
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-1
+
+dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-64-21
+
+dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-9
+
+dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-1-0
+
+dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-4
+
+dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-19
+
+dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-2
+
+dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-20
+
+dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-64-10
+
+dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-1000
+
+dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-8
+
+dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-14
+
+dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-12
+
+dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-64-14
+
+dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-10
+
+dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-6
+
+dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-13
+
+dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-15
+dn: CN=Well-Known-Security-Id-System,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-18
git.samba.org / ira / wip.git / blobdiff