templating support for foreignSecurityPrincipals to the samdb module.
This is an extension beyond what microsoft does, and has been very
useful :-)
The setup scripts have been modified to use the new template, as has
the SAMR and LSA code.
Other cleanups in LSA remove the assumption that the short domain name
is the first component of the realm.
Also add a lot of useful debug messages, to make it clear how/why the
SamSync may have gone wrong. Many of these should perhaps be hooked
into an error string.
Andrew Bartlett
Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
Copyright (C) Andrew Tridgell 2004
+ Copyright (C) Volker Lendecke 2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
struct samsync_ldb_trusted_domain *trusted_domains;
};
+static NTSTATUS samsync_ldb_add_foreignSecurityPrincipal(TALLOC_CTX *mem_ctx,
+ struct samsync_ldb_state *state,
+ struct dom_sid *sid,
+ char **fsp_dn)
+{
+ const char *sidstr = dom_sid_string(mem_ctx, sid);
+ /* We assume that ForeignSecurityPrincipals are under the BASEDN of the main domain */
+ const char *basedn = samdb_search_string(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN],
+ "dn",
+ "(&(objectClass=container)"
+ "(cn=ForeignSecurityPrincipals))");
+ struct ldb_message *msg;
+ int ret;
+
+ if (!sidstr) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (basedn == NULL) {
+ DEBUG(0, ("Failed to find DN for "
+ "ForeignSecurityPrincipal container\n"));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* add core elements to the ldb_message for the alias */
+ msg->dn = talloc_asprintf(mem_ctx, "CN=%s,%s", sidstr, basedn);
+ if (msg->dn == NULL)
+ return NT_STATUS_NO_MEMORY;
+
+ samdb_msg_add_string(state->sam_ldb, mem_ctx, msg,
+ "objectClass",
+ "foreignSecurityPrincipal");
+
+ *fsp_dn = msg->dn;
+
+ /* create the alias */
+ ret = samdb_add(state->sam_ldb, mem_ctx, msg);
+ if (ret != 0) {
+ DEBUG(0,("Failed to create foreignSecurityPrincipal "
+ "record %s: %s\n", msg->dn, ldb_errstring(state->sam_ldb)));
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ return NT_STATUS_OK;
+}
+
static NTSTATUS samsync_ldb_handle_domain(TALLOC_CTX *mem_ctx,
struct samsync_ldb_state *state,
struct creds_CredentialState *creds,
} else if (ret == 0) {
add = True;
} else if (ret > 1) {
+ DEBUG(0, ("More than one user with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg->dn = talloc_steal(msg, msgs[0]->dn);
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_USER;
} else if (ret > 1) {
+ DEBUG(0, ("More than one user with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
add = True;
} else if (ret > 1) {
+ DEBUG(0, ("More than one group/alias with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg->dn = talloc_steal(msg, msgs[0]->dn);
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_GROUP;
} else if (ret > 1) {
+ DEBUG(0, ("More than one group/alias with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_GROUP;
} else if (ret > 1) {
+ DEBUG(0, ("More than one group/alias with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg->dn = talloc_steal(msg, msgs[0]->dn);
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], group_member->rids[i])));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_USER;
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
add = True;
} else if (ret > 1) {
+ DEBUG(0, ("More than one group/alias with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg->dn = talloc_steal(mem_ctx, msgs[0]->dn);
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_ALIAS;
ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid)));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_GROUP;
} else if (ret > 1) {
+ DEBUG(0, ("More than one group/alias with SID: %s\n",
+ dom_sid_string(mem_ctx,
+ dom_sid_add_rid(mem_ctx,
+ state->dom_sid[database],
+ rid))));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg->dn = talloc_steal(msg, msgs[0]->dn);
talloc_free(msgs);
for (i=0; i<alias_member->sids.num_sids; i++) {
- /* search for the group, by rid */
- ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+ char *alias_member_dn;
+ /* search for members, in the top basedn (normal users are builtin aliases) */
+ ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
"(objectSid=%s)",
ldap_encode_ndr_dom_sid(mem_ctx, alias_member->sids.sids[i].sid));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
- return NT_STATUS_NO_SUCH_USER;
- } else if (ret > 1) {
+ NTSTATUS nt_status;
+ nt_status = samsync_ldb_add_foreignSecurityPrincipal(mem_ctx, state,
+ alias_member->sids.sids[i].sid,
+ &alias_member_dn);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+ } else if (ret > 1) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
- samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "member", msgs[0]->dn);
+ alias_member_dn = msgs[0]->dn;
}
+ samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "member", alias_member_dn);
talloc_free(msgs);
}
struct ldb_message *msg;
struct ldb_message **msgs;
+ char *privilage_dn;
int ret;
const char *attrs[] = { NULL };
int i;
return NT_STATUS_NO_MEMORY;
}
- /* search for the account, by sid */
- ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+ /* search for the account, by sid, in the top basedn */
+ ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
"(objectSid=%s)", ldap_encode_ndr_dom_sid(mem_ctx, sid));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
- return NT_STATUS_NO_SUCH_USER;
+ NTSTATUS nt_status;
+ nt_status = samsync_ldb_add_foreignSecurityPrincipal(mem_ctx, state,
+ sid,
+ &privilage_dn);
+ privilage_dn = talloc_steal(msg, privilage_dn);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
} else if (ret > 1) {
+ DEBUG(0, ("More than one account with SID: %s\n",
+ dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
- msg->dn = talloc_steal(msg, msgs[0]->dn);
+ privilage_dn = talloc_steal(msg, msgs[0]->dn);
}
+ msg->dn = privilage_dn;
+
for (i=0; i< account->privilege_entries; i++) {
samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "privilage",
account->privilege_name[i].string);
return NT_STATUS_NO_MEMORY;
}
- /* search for the account, by sid */
- ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+ /* search for the account, by sid, in the top basedn */
+ ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
"(objectSid=%s)",
ldap_encode_ndr_dom_sid(mem_ctx, sid));
if (ret == -1) {
+ DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else if (ret == 0) {
return NT_STATUS_NO_SUCH_USER;
} else if (ret > 1) {
+ DEBUG(0, ("More than one account with SID: %s\n",
+ dom_sid_string(mem_ctx, sid)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
} else {
msg->dn = talloc_steal(msg, msgs[0]->dn);
struct lsa_policy_state **_state)
{
struct lsa_policy_state *state;
+ const char *domain_attrs[] = {"nETBIOSName", "nCName", NULL};
+ int ret_domain;
+ struct ldb_message **msgs_domain;
state = talloc(mem_ctx, struct lsa_policy_state);
if (!state) {
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
+ ret_domain = gendb_search(state->sam_ldb, mem_ctx, NULL, &msgs_domain, domain_attrs,
+ "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))",
+ lp_workgroup());
+
+ if (ret_domain == -1) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ if (ret_domain != 1) {
+ return NT_STATUS_NO_SUCH_DOMAIN;
+ }
+
/* work out the domain_dn - useful for so many calls its worth
fetching here */
- state->domain_dn = talloc_reference(state,
- samdb_search_string(state->sam_ldb, mem_ctx, NULL,
- "dn", "(&(objectClass=domain)(!(objectclass=builtinDomain)))"));
+ state->domain_dn = talloc_steal(state, samdb_result_string(msgs_domain[0], "nCName", NULL));
if (!state->domain_dn) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
/* work out the builtin_dn - useful for so many calls its worth
fetching here */
- state->builtin_dn = talloc_reference(state,
- samdb_search_string(state->sam_ldb, mem_ctx, NULL,
- "dn", "objectClass=builtinDomain"));
+ state->builtin_dn = talloc_steal(state,
+ samdb_search_string(state->sam_ldb, mem_ctx, NULL,
+ "dn", "objectClass=builtinDomain"));
if (!state->builtin_dn) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
/* work out the system_dn - useful for so many calls its worth
fetching here */
- state->system_dn = talloc_reference(state,
- samdb_search_string(state->sam_ldb, mem_ctx, state->domain_dn,
- "dn", "(&(objectClass=container)(cn=System))"));
+ state->system_dn = talloc_steal(state,
+ samdb_search_string(state->sam_ldb, mem_ctx, state->domain_dn,
+ "dn", "(&(objectClass=container)(cn=System))"));
if (!state->system_dn) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
- state->domain_sid = samdb_search_dom_sid(state->sam_ldb, state,
- state->domain_dn, "objectSid",
- "dn=%s", state->domain_dn);
+ state->domain_sid = talloc_steal(state,
+ samdb_search_dom_sid(state->sam_ldb, state,
+ state->domain_dn, "objectSid",
+ "dn=%s", state->domain_dn));
if (!state->domain_sid) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
return NT_STATUS_NO_SUCH_DOMAIN;
}
- state->domain_name = talloc_reference(state,
- samdb_search_string(state->sam_ldb, mem_ctx,
- state->domain_dn, "name",
- "dn=%s", state->domain_dn));
- if (!state->domain_name) {
- return NT_STATUS_NO_SUCH_DOMAIN;
- }
+ state->domain_name = talloc_strdup(state,
+ samdb_result_string(msgs_domain[0], "nETBIOSName",
+ lp_workgroup()));
*_state = state;
samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "securityIdentifier", sid_string);
}
- /* pull in all the template attributes. */
- ret = samdb_copy_template(trusted_domain_state->policy->sam_ldb, mem_ctx, msg,
- "(&(name=TemplateTrustedDomain)(objectclass=trustedDomainTemplate))");
- if (ret != 0) {
- DEBUG(0,("Failed to load TemplateTrustedDomain from samdb\n"));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "objectClass", "trustedDomain");
trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msg->dn);
a_state->domain_state = talloc_reference(a_state, d_state);
a_state->account_dn = talloc_steal(a_state, msg->dn);
- /* retrieve the sid for the group just created */
+ /* retrieve the sid for the user just created */
sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
msg->dn, "objectSid", "dn=%s", msg->dn);
if (sid == NULL) {
/* Check if alias already exists */
name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
"sAMAccountName",
- "(&pAMAccountName=%s)(objectclass=group))",
+ "(sAMAccountName=%s)(objectclass=group))",
alias_name);
if (name != NULL) {
return NT_STATUS_NO_MEMORY;
}
- /* pull in all the template attributes */
- ret = samdb_copy_template(d_state->sam_ctx, mem_ctx, msg,
- "(&(name=TemplateForeignSecurityPrincipal)"
- "(objectclass=foreignSecurityPrincipalTemplate))");
- if (ret != 0) {
- DEBUG(0,("Failed to load "
- "TemplateForeignSecurityPrincipal "
- "from samdb\n"));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
/* TODO: Hmmm. This feels wrong. How do I find the base dn to
* put the ForeignSecurityPrincipals? d_state->domain_dn does
* not work, this is wrong for the Builtin domain, there's no
memberdn = msg->dn;
- samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
- "name", sidstr);
samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
"objectClass",
"foreignSecurityPrincipal");
- samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
- "objectSid", sidstr);
-
+
/* create the alias */
ret = samdb_add(d_state->sam_ctx, mem_ctx, msg);
if (ret != 0) {
struct ldb_message **msgs;
int ret;
const char * const attrs[] = {"minPwdLength", "pwdProperties", NULL };
- void *sam_ctx;
+ struct ldb_context *sam_ctx;
ZERO_STRUCT(r->out.info);
ret = gendb_search(sam_ctx,
mem_ctx, NULL, &msgs, attrs,
- "(&(name=%s)(objectclass=domain))",
- lp_workgroup());
+ "(&(!(objectClass=builtinDomain))(objectclass=domain))");
if (ret <= 0) {
return NT_STATUS_NO_SUCH_DOMAIN;
}
dn: CN=${SID},CN=ForeignSecurityPrincipals,${BASEDN}
objectClass: top
objectClass: foreignSecurityPrincipal
-cn: ${SID}
description: ${DESC}
-instanceType: 4
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
+unixName: ${UNIXNAME}
uSNCreated: 1
uSNChanged: 1
-showInAdvancedViewOnly: TRUE
-name: ${SID}
-objectGUID: ${NEWGUID}
-objectSid: ${SID}
-objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,${BASEDN}
-unixName: ${UNIXNAME}
";
var sub = new Object();
sub.SID = sid;
/*
provision samba4 - caution, this wipes all existing data!
*/
-function provision(subobj, message)
+function provision(subobj, message, blank)
{
var data = "";
var lp = loadparm_init();
message("Setting up sam.ldb templates\n");
setup_ldb("provision_templates.ldif", "sam.ldb", subobj, NULL, false);
message("Setting up sam.ldb data\n");
- setup_ldb("provision.ldif", "sam.ldb", subobj, data, false);
+ setup_ldb("provision.ldif", "sam.ldb", subobj, NULL, false);
+ if (blank == false) {
+ message("Setting up sam.ldb users and groups\n");
+ setup_ldb("provision_users.ldif", "sam.ldb", subobj, data, false);
+ }
message("Setting up rootdse.ldb\n");
setup_ldb("rootdse.ldif", "rootdse.ldb", subobj);
message("Setting up secrets.ldb\n");
'nogroup=s',
'wheel=s',
'users=s',
- 'quiet');
+ 'quiet',
+ 'blank');
if (ok == false) {
println("Failed to parse options: " + options.ERROR);
return -1;
--wheel GROUPNAME choose 'wheel' privileged group
--users GROUPNAME choose 'users' group
--quiet Be quiet
+ --blank do not add users or groups, just the structure
You must provide at least a realm and domain
message("Provisioning for %s in realm %s\n", subobj.DOMAIN, subobj.REALM);
message("Using administrator password: %s\n", subobj.ADMINPASS);
-provision(subobj, message);
+provision(subobj, message, options["blank"] != undefined);
message("All OK\n");
return 0;
pwdProperties: 1
pwdHistoryLength: 24
objectSid: ${DOMAINSID}
+oEMInformation: Provisioned by Samba4: ${LDAPTIME}
serverState: 1
nTMixedDomain: 1
msDS-Behavior-Version: 0
objectCategory: CN=Builtin-Domain,CN=Schema,CN=Configuration,${BASEDN}
isCriticalSystemObject: TRUE
-dn: CN=Administrator,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: Administrator
-description: Built-in account for administering the computer/domain
-uSNCreated: 1
-memberOf: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
-memberOf: CN=Domain Admins,CN=Users,${BASEDN}
-memberOf: CN=Enterprise Admins,CN=Users,${BASEDN}
-memberOf: CN=Schema Admins,CN=Users,${BASEDN}
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-userAccountControl: 0x10200
-objectSid: ${DOMAINSID}-500
-adminCount: 1
-accountExpires: -1
-sAMAccountName: Administrator
-isCriticalSystemObject: TRUE
-unicodePwd: ${ADMINPASS}
-unixName: ${ROOT}
-
-dn: CN=Guest,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: Guest
-description: Built-in account for guest access to the computer/domain
-uSNCreated: 1
-memberOf: CN=Guests,CN=Builtin,${BASEDN}
-uSNChanged: 1
-userAccountControl: 0x10222
-primaryGroupID: 514
-objectSid: ${DOMAINSID}-501
-sAMAccountName: Guest
-isCriticalSystemObject: TRUE
-
-dn: CN=Administrators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Administrators
-description: Administrators have complete and unrestricted access to the computer/domain
-member: CN=Domain Admins,CN=Users,${BASEDN}
-member: CN=Enterprise Admins,CN=Users,${BASEDN}
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-544
-adminCount: 1
-sAMAccountName: Administrators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-privilege: SeSecurityPrivilege
-privilege: SeBackupPrivilege
-privilege: SeRestorePrivilege
-privilege: SeSystemtimePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeRemoteShutdownPrivilege
-privilege: SeTakeOwnershipPrivilege
-privilege: SeDebugPrivilege
-privilege: SeSystemEnvironmentPrivilege
-privilege: SeSystemProfilePrivilege
-privilege: SeProfileSingleProcessPrivilege
-privilege: SeIncreaseBasePriorityPrivilege
-privilege: SeLoadDriverPrivilege
-privilege: SeCreatePagefilePrivilege
-privilege: SeIncreaseQuotaPrivilege
-privilege: SeChangeNotifyPrivilege
-privilege: SeUndockPrivilege
-privilege: SeManageVolumePrivilege
-privilege: SeImpersonatePrivilege
-privilege: SeCreateGlobalPrivilege
-privilege: SeEnableDelegationPrivilege
-privilege: SeInteractiveLogonRight
-privilege: SeNetworkLogonRight
-privilege: SeRemoteInteractiveLogonRight
-
-
-dn: CN=Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Users
-description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
-member: CN=Domain Users,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-545
-sAMAccountName: Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Guests,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Guests
-description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
-member: CN=Domain Guests,CN=Users,${BASEDN}
-member: CN=Guest,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-546
-sAMAccountName: Guests
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${NOGROUP}
-
-dn: CN=Print Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Print Operators
-description: Members can administer domain printers
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-550
-adminCount: 1
-sAMAccountName: Print Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeLoadDriverPrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-
-dn: CN=Backup Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Backup Operators
-description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-551
-adminCount: 1
-sAMAccountName: Backup Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeBackupPrivilege
-privilege: SeRestorePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-
-dn: CN=Replicator,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Replicator
-description: Supports file replication in a domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-552
-adminCount: 1
-sAMAccountName: Replicator
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Remote Desktop Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Remote Desktop Users
-description: Members in this group are granted the right to logon remotely
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-555
-sAMAccountName: Remote Desktop Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Network Configuration Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Network Configuration Operators
-description: Members in this group can have some administrative privileges to manage configuration of networking features
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-556
-sAMAccountName: Network Configuration Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Performance Monitor Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Performance Monitor Users
-description: Members of this group have remote access to monitor this computer
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-558
-sAMAccountName: Performance Monitor Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Performance Log Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Performance Log Users
-description: Members of this group have remote access to schedule logging of performance counters on this computer
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-559
-sAMAccountName: Performance Log Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=${NETBIOSNAME},OU=Domain Controllers,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: computer
-cn: ${NETBIOSNAME}
-uSNCreated: 1
-uSNChanged: 1
-objectGUID: ${HOSTGUID}
-userAccountControl: 532480
-lastLogon: 127273269057298624
-localPolicyFlags: 0
-pwdLastSet: 127258826171655328
-primaryGroupID: 516
-objectSid: ${DOMAINSID}-1000
-accountExpires: 9223372036854775807
-sAMAccountName: ${NETBIOSNAME}$
-sAMAccountType: 805306369
-operatingSystem: Samba
-operatingSystemVersion: 4.0
-dNSHostName: ${DNSNAME}
-isCriticalSystemObject: TRUE
-unicodePwd: ${MACHINEPASS}
-servicePrincipalName: HOST/${DNSNAME}
-servicePrincipalName: HOST/${NETBIOSNAME}
-msDS-KeyVersionNumber: 1
-
-dn: CN=krbtgt,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: krbtgt
-description: Key Distribution Center Service Account
-uSNCreated: 1
-uSNChanged: 1
-showInAdvancedViewOnly: TRUE
-userAccountControl: 514
-pwdLastSet: 127258826179466560
-objectSid: ${DOMAINSID}-502
-adminCount: 1
-accountExpires: 9223372036854775807
-sAMAccountName: krbtgt
-sAMAccountType: 805306368
-servicePrincipalName: kadmin/changepw
-isCriticalSystemObject: TRUE
-unicodePwd: ${KRBTGTPASS}
-
-dn: CN=Domain Computers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Computers
-description: All workstations and servers joined to the domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-515
-sAMAccountName: Domain Computers
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Domain Controllers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Controllers
-description: All domain controllers in the domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-516
-adminCount: 1
-sAMAccountName: Domain Controllers
-isCriticalSystemObject: TRUE
-
-dn: CN=Schema Admins,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Schema Admins
-description: Designated administrators of the schema
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-518
-adminCount: 1
-sAMAccountName: Schema Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=Enterprise Admins,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Enterprise Admins
-description: Designated administrators of the enterprise
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-519
-adminCount: 1
-sAMAccountName: Enterprise Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=Cert Publishers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Cert Publishers
-description: Members of this group are permitted to publish certificates to the Active Directory
-uSNCreated: 1
-uSNChanged: 1
-groupType: 0x80000004
-sAMAccountType: 0x20000000
-objectSid: ${DOMAINSID}-517
-sAMAccountName: Cert Publishers
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Domain Admins,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Admins
-description: Designated administrators of the domain
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-512
-adminCount: 1
-sAMAccountName: Domain Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=Domain Users,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Users
-description: All domain users
-uSNCreated: 1
-memberOf: CN=Users,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-513
-sAMAccountName: Domain Users
-isCriticalSystemObject: TRUE
-unixName: ${USERS}
-
-dn: CN=Domain Guests,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Guests
-description: All domain guests
-uSNCreated: 1
-memberOf: CN=Guests,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-514
-sAMAccountName: Domain Guests
-isCriticalSystemObject: TRUE
-
-dn: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Group Policy Creator Owners
-description: Members in this group can modify group policy for the domain
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-520
-sAMAccountName: Group Policy Creator Owners
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=RAS and IAS Servers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: RAS and IAS Servers
-description: Servers in this group can access remote access properties of users
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-553
-sAMAccountName: RAS and IAS Servers
-sAMAccountType: 0x20000000
-groupType: 0x80000004
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Server Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Server Operators
-description: Members can administer domain servers
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-549
-adminCount: 1
-sAMAccountName: Server Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeBackupPrivilege
-privilege: SeSystemtimePrivilege
-privilege: SeRemoteShutdownPrivilege
-privilege: SeRestorePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-
-dn: CN=Account Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Account Operators
-description: Members can administer domain user and group accounts
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-548
-adminCount: 1
-sAMAccountName: Account Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeInteractiveLogonRight
-
###############################
# Configuration Naming Context
###############################
objectClass: Template
objectClass: foreignSecurityPrincipalTemplate
cn: TemplateForeignSecurityPrincipal
+instanceType: 4
+showInAdvancedViewOnly: TRUE
+objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,${BASEDN}
dn: CN=TemplateSecret,CN=Templates,${BASEDN}
objectClass: top
--- /dev/null
+dn: CN=Administrator,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: Administrator
+description: Built-in account for administering the computer/domain
+uSNCreated: 1
+memberOf: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
+memberOf: CN=Domain Admins,CN=Users,${BASEDN}
+memberOf: CN=Enterprise Admins,CN=Users,${BASEDN}
+memberOf: CN=Schema Admins,CN=Users,${BASEDN}
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+userAccountControl: 0x10200
+objectSid: ${DOMAINSID}-500
+adminCount: 1
+accountExpires: -1
+sAMAccountName: Administrator
+isCriticalSystemObject: TRUE
+unicodePwd: ${ADMINPASS}
+unixName: ${ROOT}
+
+dn: CN=Guest,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: Guest
+description: Built-in account for guest access to the computer/domain
+uSNCreated: 1
+memberOf: CN=Guests,CN=Builtin,${BASEDN}
+uSNChanged: 1
+userAccountControl: 0x10222
+primaryGroupID: 514
+objectSid: ${DOMAINSID}-501
+sAMAccountName: Guest
+isCriticalSystemObject: TRUE
+
+dn: CN=Administrators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Administrators
+description: Administrators have complete and unrestricted access to the computer/domain
+member: CN=Domain Admins,CN=Users,${BASEDN}
+member: CN=Enterprise Admins,CN=Users,${BASEDN}
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-544
+adminCount: 1
+sAMAccountName: Administrators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+privilege: SeSecurityPrivilege
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeTakeOwnershipPrivilege
+privilege: SeDebugPrivilege
+privilege: SeSystemEnvironmentPrivilege
+privilege: SeSystemProfilePrivilege
+privilege: SeProfileSingleProcessPrivilege
+privilege: SeIncreaseBasePriorityPrivilege
+privilege: SeLoadDriverPrivilege
+privilege: SeCreatePagefilePrivilege
+privilege: SeIncreaseQuotaPrivilege
+privilege: SeChangeNotifyPrivilege
+privilege: SeUndockPrivilege
+privilege: SeManageVolumePrivilege
+privilege: SeImpersonatePrivilege
+privilege: SeCreateGlobalPrivilege
+privilege: SeEnableDelegationPrivilege
+privilege: SeInteractiveLogonRight
+privilege: SeNetworkLogonRight
+privilege: SeRemoteInteractiveLogonRight
+
+
+dn: CN=${NETBIOSNAME},OU=Domain Controllers,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: computer
+cn: ${NETBIOSNAME}
+uSNCreated: 1
+uSNChanged: 1
+objectGUID: ${HOSTGUID}
+userAccountControl: 532480
+lastLogon: 127273269057298624
+localPolicyFlags: 0
+pwdLastSet: 127258826171655328
+primaryGroupID: 516
+objectSid: ${DOMAINSID}-1000
+accountExpires: 9223372036854775807
+sAMAccountName: ${NETBIOSNAME}$
+sAMAccountType: 805306369
+operatingSystem: Samba
+operatingSystemVersion: 4.0
+dNSHostName: ${DNSNAME}
+isCriticalSystemObject: TRUE
+unicodePwd: ${MACHINEPASS}
+servicePrincipalName: HOST/${DNSNAME}
+servicePrincipalName: HOST/${NETBIOSNAME}
+msDS-KeyVersionNumber: 1
+
+
+dn: CN=Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Users
+description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
+member: CN=Domain Users,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-545
+sAMAccountName: Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Guests,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Guests
+description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
+member: CN=Domain Guests,CN=Users,${BASEDN}
+member: CN=Guest,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-546
+sAMAccountName: Guests
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${NOGROUP}
+
+dn: CN=Print Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Print Operators
+description: Members can administer domain printers
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-550
+adminCount: 1
+sAMAccountName: Print Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeLoadDriverPrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Backup Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Backup Operators
+description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-551
+adminCount: 1
+sAMAccountName: Backup Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Replicator,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Replicator
+description: Supports file replication in a domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-552
+adminCount: 1
+sAMAccountName: Replicator
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Remote Desktop Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Remote Desktop Users
+description: Members in this group are granted the right to logon remotely
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-555
+sAMAccountName: Remote Desktop Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Network Configuration Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Network Configuration Operators
+description: Members in this group can have some administrative privileges to manage configuration of networking features
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-556
+sAMAccountName: Network Configuration Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Performance Monitor Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Performance Monitor Users
+description: Members of this group have remote access to monitor this computer
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-558
+sAMAccountName: Performance Monitor Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Performance Log Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Performance Log Users
+description: Members of this group have remote access to schedule logging of performance counters on this computer
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-559
+sAMAccountName: Performance Log Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=krbtgt,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: krbtgt
+description: Key Distribution Center Service Account
+uSNCreated: 1
+uSNChanged: 1
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+pwdLastSet: 127258826179466560
+objectSid: ${DOMAINSID}-502
+adminCount: 1
+accountExpires: 9223372036854775807
+sAMAccountName: krbtgt
+sAMAccountType: 805306368
+servicePrincipalName: kadmin/changepw
+isCriticalSystemObject: TRUE
+unicodePwd: ${KRBTGTPASS}
+
+dn: CN=Domain Computers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Computers
+description: All workstations and servers joined to the domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-515
+sAMAccountName: Domain Computers
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Controllers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Controllers
+description: All domain controllers in the domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-516
+adminCount: 1
+sAMAccountName: Domain Controllers
+isCriticalSystemObject: TRUE
+
+dn: CN=Schema Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Schema Admins
+description: Designated administrators of the schema
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-518
+adminCount: 1
+sAMAccountName: Schema Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Enterprise Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Enterprise Admins
+description: Designated administrators of the enterprise
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-519
+adminCount: 1
+sAMAccountName: Enterprise Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Cert Publishers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Cert Publishers
+description: Members of this group are permitted to publish certificates to the Active Directory
+uSNCreated: 1
+uSNChanged: 1
+groupType: 0x80000004
+sAMAccountType: 0x20000000
+objectSid: ${DOMAINSID}-517
+sAMAccountName: Cert Publishers
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Admins
+description: Designated administrators of the domain
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-512
+adminCount: 1
+sAMAccountName: Domain Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Domain Users,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Users
+description: All domain users
+uSNCreated: 1
+memberOf: CN=Users,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-513
+sAMAccountName: Domain Users
+isCriticalSystemObject: TRUE
+unixName: ${USERS}
+
+dn: CN=Domain Guests,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Guests
+description: All domain guests
+uSNCreated: 1
+memberOf: CN=Guests,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-514
+sAMAccountName: Domain Guests
+isCriticalSystemObject: TRUE
+
+dn: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Group Policy Creator Owners
+description: Members in this group can modify group policy for the domain
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-520
+sAMAccountName: Group Policy Creator Owners
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=RAS and IAS Servers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: RAS and IAS Servers
+description: Servers in this group can access remote access properties of users
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-553
+sAMAccountName: RAS and IAS Servers
+sAMAccountType: 0x20000000
+groupType: 0x80000004
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Server Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Server Operators
+description: Members can administer domain servers
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-549
+adminCount: 1
+sAMAccountName: Server Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeBackupPrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Account Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Account Operators
+description: Members can administer domain user and group accounts
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-548
+adminCount: 1
+sAMAccountName: Account Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeInteractiveLogonRight
+
git.samba.org / kai / samba.git / commitdiff