+# Add default primary groups (domain users, domain guests, domain computers &
+# domain controllers) - needed for the users to find valid primary groups
+# (samldb module)
+
+dn: CN=Domain Users,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: All domain users
+objectSid: ${DOMAINSID}-513
+sAMAccountName: Domain Users
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Guests,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: All domain guests
+objectSid: ${DOMAINSID}-514
+sAMAccountName: Domain Guests
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Computers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: All workstations and servers joined to the domain
+objectSid: ${DOMAINSID}-515
+sAMAccountName: Domain Computers
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: All domain controllers in the domain
+objectSid: ${DOMAINSID}-516
+adminCount: 1
+sAMAccountName: Domain Controllers
+isCriticalSystemObject: TRUE
+
+# Add users
+
dn: CN=Administrator,CN=Users,${DOMAINDN}
objectClass: user
description: Built-in account for administering the computer/domain
sAMAccountName: Guest
isCriticalSystemObject: TRUE
-dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: group
-description: Designated administrators of the enterprise
-member: CN=Administrator,CN=Users,${DOMAINDN}
-objectSid: ${DOMAINSID}-519
-adminCount: 1
-sAMAccountName: Enterprise Admins
-isCriticalSystemObject: TRUE
-
dn: CN=krbtgt,CN=Users,${DOMAINDN}
objectClass: top
objectClass: person
userPassword:: ${KRBTGTPASS_B64}
isCriticalSystemObject: TRUE
-dn: CN=Domain Computers,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: group
-description: All workstations and servers joined to the domain
-objectSid: ${DOMAINSID}-515
-sAMAccountName: Domain Computers
-isCriticalSystemObject: TRUE
+# Add other groups
-dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
+dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
-description: All domain controllers in the domain
-objectSid: ${DOMAINSID}-516
-adminCount: 1
-sAMAccountName: Domain Controllers
+description: Members of this group are Read-Only Domain Controllers in the enterprise
+objectSid: ${DOMAINSID}-498
+sAMAccountName: Enterprise Read-Only Domain Controllers
+groupType: -2147483640
isCriticalSystemObject: TRUE
-dn: CN=Schema Admins,CN=Users,${DOMAINDN}
+dn: CN=Domain Admins,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
-description: Designated administrators of the schema
+description: Designated administrators of the domain
member: CN=Administrator,CN=Users,${DOMAINDN}
-objectSid: ${DOMAINSID}-518
+objectSid: ${DOMAINSID}-512
adminCount: 1
-sAMAccountName: Schema Admins
+sAMAccountName: Domain Admins
isCriticalSystemObject: TRUE
dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group are permitted to publish certificates to the Active Directory
-groupType: -2147483644
objectSid: ${DOMAINSID}-517
sAMAccountName: Cert Publishers
+groupType: -2147483644
isCriticalSystemObject: TRUE
-dn: CN=Domain Admins,CN=Users,${DOMAINDN}
+dn: CN=Schema Admins,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
-description: Designated administrators of the domain
+description: Designated administrators of the schema
member: CN=Administrator,CN=Users,${DOMAINDN}
-objectSid: ${DOMAINSID}-512
+objectSid: ${DOMAINSID}-518
adminCount: 1
-sAMAccountName: Domain Admins
-isCriticalSystemObject: TRUE
-
-dn: CN=Domain Users,CN=Users,${DOMAINDN}
-objectClass: top
-objectClass: group
-description: All domain users
-objectSid: ${DOMAINSID}-513
-sAMAccountName: Domain Users
+sAMAccountName: Schema Admins
+groupType: -2147483640
isCriticalSystemObject: TRUE
-dn: CN=Domain Guests,CN=Users,${DOMAINDN}
+dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
-description: All domain guests
-objectSid: ${DOMAINSID}-514
-sAMAccountName: Domain Guests
+description: Designated administrators of the enterprise
+member: CN=Administrator,CN=Users,${DOMAINDN}
+objectSid: ${DOMAINSID}-519
+adminCount: 1
+sAMAccountName: Enterprise Admins
+groupType: -2147483640
isCriticalSystemObject: TRUE
dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
-description: Members in this group can modify group policy for the domain
+description: Members in this group can modify group policies for the domain
member: CN=Administrator,CN=Users,${DOMAINDN}
objectSid: ${DOMAINSID}-520
sAMAccountName: Group Policy Creator Owners
isCriticalSystemObject: TRUE
+dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members of this group are Read-Only Domain Controllers in the domain
+objectSid: ${DOMAINSID}-521
+adminCount: 1
+sAMAccountName: Read-Only Domain Controllers
+isCriticalSystemObject: TRUE
+
dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
groupType: -2147483644
isCriticalSystemObject: TRUE
-dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
-description: read-only domain controllers
-objectSid: ${DOMAINSID}-521
-sAMAccountName: Read-Only Domain Controllers
+description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
+objectSid: ${DOMAINSID}-571
+sAMAccountName: Allowed RODC Password Replication Group
groupType: -2147483644
isCriticalSystemObject: TRUE
-dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN}
objectClass: top
objectClass: group
-description: enterprise read-only domain controllers
-objectSid: ${DOMAINSID}-498
-sAMAccountName: Enterprise Read-Only Domain Controllers
+description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.
+member: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
+member: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
+member: CN=Domain Admins,CN=Users,${DOMAINDN}
+member: CN=Cert Publishers,CN=Users,${DOMAINDN}
+member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
+member: CN=Schema Admins,CN=Users,${DOMAINDN}
+member: CN=Domain Controllers,CN=Users,${DOMAINDN}
+member: CN=krbtgt,CN=Users,${DOMAINDN}
+objectSid: ${DOMAINSID}-572
+sAMAccountName: Denied RODC Password Replication Group
groupType: -2147483644
isCriticalSystemObject: TRUE
-dn: CN=Certificate Service DCOM Access,CN=Users,${DOMAINDN}
+# Add foreign security principals
+
+dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectClass: top
-objectClass: group
-description: Certificate Service DCOM Access
-objectSid: ${DOMAINSID}-574
-sAMAccountName: Certificate Service DCOM Access
-groupType: -2147483644
-isCriticalSystemObject: TRUE
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-4
-dn: CN=Cryptographic Operators,CN=Users,${DOMAINDN}
+dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectClass: top
-objectClass: group
-description: Cryptographic Operators
-objectSid: ${DOMAINSID}-569
-sAMAccountName: Cryptographic Operators
-groupType: -2147483644
-isCriticalSystemObject: TRUE
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-9
-dn: CN=Event Log Readers,CN=Users,${DOMAINDN}
+dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectClass: top
-objectClass: group
-description: Event Log Readers
-objectSid: ${DOMAINSID}-573
-sAMAccountName: Event Log Readers
-groupType: -2147483644
-isCriticalSystemObject: TRUE
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-11
+
+dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+objectSid: S-1-5-20
+
+# Add builtin objects
dn: CN=Administrators,CN=Builtin,${DOMAINDN}
objectClass: top
sAMAccountName: Administrators
systemFlags: -1946157056
groupType: -2147483643
-privilege: SeSecurityPrivilege
-privilege: SeBackupPrivilege
-privilege: SeRestorePrivilege
-privilege: SeSystemtimePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeRemoteShutdownPrivilege
-privilege: SeTakeOwnershipPrivilege
-privilege: SeDebugPrivilege
-privilege: SeSystemEnvironmentPrivilege
-privilege: SeSystemProfilePrivilege
-privilege: SeProfileSingleProcessPrivilege
-privilege: SeIncreaseBasePriorityPrivilege
-privilege: SeLoadDriverPrivilege
-privilege: SeCreatePagefilePrivilege
-privilege: SeIncreaseQuotaPrivilege
-privilege: SeChangeNotifyPrivilege
-privilege: SeUndockPrivilege
-privilege: SeManageVolumePrivilege
-privilege: SeImpersonatePrivilege
-privilege: SeCreateGlobalPrivilege
-privilege: SeEnableDelegationPrivilege
-privilege: SeInteractiveLogonRight
-privilege: SeNetworkLogonRight
-privilege: SeRemoteInteractiveLogonRight
isCriticalSystemObject: TRUE
dn: CN=Users,CN=Builtin,${DOMAINDN}
objectClass: group
description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
member: CN=Domain Users,CN=Users,${DOMAINDN}
+member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
+member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-545
sAMAccountName: Users
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
+dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members can administer domain user and group accounts
+objectSid: S-1-5-32-548
+adminCount: 1
+sAMAccountName: Account Operators
+systemFlags: -1946157056
+groupType: -2147483643
+isCriticalSystemObject: TRUE
+
+dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members can administer domain servers
+objectSid: S-1-5-32-549
+adminCount: 1
+sAMAccountName: Server Operators
+systemFlags: -1946157056
+groupType: -2147483643
+isCriticalSystemObject: TRUE
+
dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
sAMAccountName: Print Operators
systemFlags: -1946157056
groupType: -2147483643
-privilege: SeLoadDriverPrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
isCriticalSystemObject: TRUE
dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
sAMAccountName: Backup Operators
systemFlags: -1946157056
groupType: -2147483643
-privilege: SeBackupPrivilege
-privilege: SeRestorePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
isCriticalSystemObject: TRUE
dn: CN=Replicator,CN=Builtin,${DOMAINDN}
groupType: -2147483643
isCriticalSystemObject: TRUE
+dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: A backward compatibility group which allows read access on all users and groups in the domain
+member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
+objectSid: S-1-5-32-554
+sAMAccountName: Pre-Windows 2000 Compatible Access
+systemFlags: -1946157056
+groupType: -2147483643
+isCriticalSystemObject: TRUE
+
dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
groupType: -2147483643
isCriticalSystemObject: TRUE
+dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+description: Members of this group can create incoming, one-way trusts to this forest
+objectSid: S-1-5-32-557
+sAMAccountName: Incoming Forest Trust Builders
+systemFlags: -1946157056
+groupType: -2147483643
+isCriticalSystemObject: TRUE
+
dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
objectClass: top
objectClass: group
description: Members of this group have remote access to schedule logging of performance counters on this computer
+member: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-559
sAMAccountName: Performance Log Users
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
-dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
-objectClass: top
-objectClass: group
-description: Members can administer domain servers
-objectSid: S-1-5-32-549
-adminCount: 1
-sAMAccountName: Server Operators
-systemFlags: -1946157056
-groupType: -2147483643
-privilege: SeBackupPrivilege
-privilege: SeSystemtimePrivilege
-privilege: SeRemoteShutdownPrivilege
-privilege: SeRestorePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-isCriticalSystemObject: TRUE
-
-dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
-objectClass: top
-objectClass: group
-description: Members can administer domain user and group accounts
-objectSid: S-1-5-32-548
-adminCount: 1
-sAMAccountName: Account Operators
-systemFlags: -1946157056
-groupType: -2147483643
-privilege: SeInteractiveLogonRight
-isCriticalSystemObject: TRUE
-
-dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
-objectClass: top
-objectClass: group
-description: A backward compatibility group which allows read access on all users and groups in the domain
-objectSid: S-1-5-32-554
-sAMAccountName: Pre-Windows 2000 Compatible Access
-systemFlags: -1946157056
-groupType: -2147483643
-privilege: SeRemoteInteractiveLogonRight
-privilege: SeChangeNotifyPrivilege
-isCriticalSystemObject: TRUE
-
-dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
-objectClass: top
-objectClass: group
-description: Members of this group can create incoming, one-way trusts to this forest
-objectSid: S-1-5-32-557
-sAMAccountName: Incoming Forest Trust Builders
-systemFlags: -1946157056
-groupType: -2147483643
-isCriticalSystemObject: TRUE
-
dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
objectClass: top
objectClass: group
description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
+member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
objectSid: S-1-5-32-560
sAMAccountName: Windows Authorization Access Group
systemFlags: -1946157056
groupType: -2147483643
isCriticalSystemObject: TRUE
+# Add well known security principals
+
dn: CN=WellKnown Security Principals,${CONFIGDN}
objectClass: top
objectClass: container