search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:provision_users.ldif - Fix memberships regarding the denied password RODC replicat...
[Samba/ekacnet.git] / source4 / setup / provision_users.ldif
blob934fc0538e702b5a069f8dcfc19bc6b9ee9a3722
1 # Add default primary groups (domain users, domain guests, domain computers &
2 # domain controllers) - needed for the users to find valid primary groups
3 # (samldb module)
4
5 dn: CN=Domain Users,CN=Users,${DOMAINDN}
6 objectClass: top
7 objectClass: group
8 description: All domain users
9 objectSid: ${DOMAINSID}-513
10 sAMAccountName: Domain Users
11 isCriticalSystemObject: TRUE
12
13 dn: CN=Domain Guests,CN=Users,${DOMAINDN}
14 objectClass: top
15 objectClass: group
16 description: All domain guests
17 objectSid: ${DOMAINSID}-514
18 sAMAccountName: Domain Guests
19 isCriticalSystemObject: TRUE
20
21 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
22 objectClass: top
23 objectClass: group
24 description: All workstations and servers joined to the domain
25 objectSid: ${DOMAINSID}-515
26 sAMAccountName: Domain Computers
27 isCriticalSystemObject: TRUE
28
29 dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
30 objectClass: top
31 objectClass: group
32 description: All domain controllers in the domain
33 objectSid: ${DOMAINSID}-516
34 adminCount: 1
35 sAMAccountName: Domain Controllers
36 isCriticalSystemObject: TRUE
37
38 # Add users
39
40 dn: CN=Administrator,CN=Users,${DOMAINDN}
41 objectClass: user
42 description: Built-in account for administering the computer/domain
43 userAccountControl: 66048
44 objectSid: ${DOMAINSID}-500
45 adminCount: 1
46 accountExpires: 9223372036854775807
47 sAMAccountName: Administrator
48 userPassword:: ${ADMINPASS_B64}
49 isCriticalSystemObject: TRUE
50
51 dn: CN=Guest,CN=Users,${DOMAINDN}
52 objectClass: user
53 description: Built-in account for guest access to the computer/domain
54 userAccountControl: 66082
55 primaryGroupID: 514
56 objectSid: ${DOMAINSID}-501
57 sAMAccountName: Guest
58 isCriticalSystemObject: TRUE
59
60 dn: CN=krbtgt,CN=Users,${DOMAINDN}
61 objectClass: top
62 objectClass: person
63 objectClass: organizationalPerson
64 objectClass: user
65 description: Key Distribution Center Service Account
66 showInAdvancedViewOnly: TRUE
67 userAccountControl: 514
68 objectSid: ${DOMAINSID}-502
69 adminCount: 1
70 accountExpires: 9223372036854775807
71 sAMAccountName: krbtgt
72 servicePrincipalName: kadmin/changepw
73 userPassword:: ${KRBTGTPASS_B64}
74 isCriticalSystemObject: TRUE
75
76 # Add other groups
77
78 dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN}
79 objectClass: top
80 objectClass: group
81 description: Members of this group are Read-Only Domain Controllers in the enterprise
82 objectSid: ${DOMAINSID}-498
83 sAMAccountName: Enterprise Read-Only Domain Controllers
84 groupType: -2147483640
85 isCriticalSystemObject: TRUE
86
87 dn: CN=Domain Admins,CN=Users,${DOMAINDN}
88 objectClass: top
89 objectClass: group
90 description: Designated administrators of the domain
91 member: CN=Administrator,CN=Users,${DOMAINDN}
92 objectSid: ${DOMAINSID}-512
93 adminCount: 1
94 sAMAccountName: Domain Admins
95 isCriticalSystemObject: TRUE
96
97 dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
98 objectClass: top
99 objectClass: group
100 description: Members of this group are permitted to publish certificates to the Active Directory
101 objectSid: ${DOMAINSID}-517
102 sAMAccountName: Cert Publishers
103 groupType: -2147483644
104 isCriticalSystemObject: TRUE
105
106 dn: CN=Schema Admins,CN=Users,${DOMAINDN}
107 objectClass: top
108 objectClass: group
109 description: Designated administrators of the schema
110 member: CN=Administrator,CN=Users,${DOMAINDN}
111 objectSid: ${DOMAINSID}-518
112 adminCount: 1
113 sAMAccountName: Schema Admins
114 groupType: -2147483640
115 isCriticalSystemObject: TRUE
116
117 dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
118 objectClass: top
119 objectClass: group
120 description: Designated administrators of the enterprise
121 member: CN=Administrator,CN=Users,${DOMAINDN}
122 objectSid: ${DOMAINSID}-519
123 adminCount: 1
124 sAMAccountName: Enterprise Admins
125 groupType: -2147483640
126 isCriticalSystemObject: TRUE
127
128 dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
129 objectClass: top
130 objectClass: group
131 description: Members in this group can modify group policy for the domain
132 member: CN=Administrator,CN=Users,${DOMAINDN}
133 objectSid: ${DOMAINSID}-520
134 sAMAccountName: Group Policy Creator Owners
135 isCriticalSystemObject: TRUE
136
137 dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
138 objectClass: top
139 objectClass: group
140 description: Members of this group are Read-Only Domain Controllers in the domain
141 objectSid: ${DOMAINSID}-521
142 adminCount: 1
143 sAMAccountName: Read-Only Domain Controllers
144 isCriticalSystemObject: TRUE
145
146 dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
147 objectClass: top
148 objectClass: group
149 description: Servers in this group can access remote access properties of users
150 objectSid: ${DOMAINSID}-553
151 sAMAccountName: RAS and IAS Servers
152 groupType: -2147483644
153 isCriticalSystemObject: TRUE
154
155 dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN}
156 objectClass: top
157 objectClass: group
158 description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
159 objectSid: ${DOMAINSID}-571
160 sAMAccountName: Allowed RODC Password Replication Group
161 groupType: -2147483644
162 isCriticalSystemObject: TRUE
163
164 dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN}
165 objectClass: top
166 objectClass: group
167 description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.
168 member: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
169 member: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
170 member: CN=Domain Admins,CN=Users,${DOMAINDN}
171 member: CN=Cert Publishers,CN=Users,${DOMAINDN}
172 member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
173 member: CN=Schema Admins,CN=Users,${DOMAINDN}
174 member: CN=Domain Controllers,CN=Users,${DOMAINDN}
175 member: CN=krbtgt,CN=Users,${DOMAINDN}
176 objectSid: ${DOMAINSID}-572
177 sAMAccountName: Denied RODC Password Replication Group
178 groupType: -2147483644
179 isCriticalSystemObject: TRUE
180
181 # Add foreign security principals
182
183 dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
184 objectClass: top
185 objectClass: foreignSecurityPrincipal
186 objectSid: S-1-5-4
187
188 dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
189 objectClass: top
190 objectClass: foreignSecurityPrincipal
191 objectSid: S-1-5-9
192
193 dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
194 objectClass: top
195 objectClass: foreignSecurityPrincipal
196 objectSid: S-1-5-11
197
198 dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
199 objectClass: top
200 objectClass: foreignSecurityPrincipal
201 objectSid: S-1-5-20
202
203 # Add builtin objects
204
205 dn: CN=Administrators,CN=Builtin,${DOMAINDN}
206 objectClass: top
207 objectClass: group
208 description: Administrators have complete and unrestricted access to the computer/domain
209 member: CN=Domain Admins,CN=Users,${DOMAINDN}
210 member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
211 member: CN=Administrator,CN=Users,${DOMAINDN}
212 objectSid: S-1-5-32-544
213 adminCount: 1
214 sAMAccountName: Administrators
215 systemFlags: -1946157056
216 groupType: -2147483643
217 isCriticalSystemObject: TRUE
218
219 dn: CN=Users,CN=Builtin,${DOMAINDN}
220 objectClass: top
221 objectClass: group
222 description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
223 member: CN=Domain Users,CN=Users,${DOMAINDN}
224 member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
225 member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
226 objectSid: S-1-5-32-545
227 sAMAccountName: Users
228 systemFlags: -1946157056
229 groupType: -2147483643
230 isCriticalSystemObject: TRUE
231
232 dn: CN=Guests,CN=Builtin,${DOMAINDN}
233 objectClass: top
234 objectClass: group
235 description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
236 member: CN=Domain Guests,CN=Users,${DOMAINDN}
237 member: CN=Guest,CN=Users,${DOMAINDN}
238 objectSid: S-1-5-32-546
239 sAMAccountName: Guests
240 systemFlags: -1946157056
241 groupType: -2147483643
242 isCriticalSystemObject: TRUE
243
244 dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
245 objectClass: top
246 objectClass: group
247 description: Members can administer domain user and group accounts
248 objectSid: S-1-5-32-548
249 adminCount: 1
250 sAMAccountName: Account Operators
251 systemFlags: -1946157056
252 groupType: -2147483643
253 isCriticalSystemObject: TRUE
254
255 dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
256 objectClass: top
257 objectClass: group
258 description: Members can administer domain servers
259 objectSid: S-1-5-32-549
260 adminCount: 1
261 sAMAccountName: Server Operators
262 systemFlags: -1946157056
263 groupType: -2147483643
264 isCriticalSystemObject: TRUE
265
266 dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
267 objectClass: top
268 objectClass: group
269 description: Members can administer domain printers
270 objectSid: S-1-5-32-550
271 adminCount: 1
272 sAMAccountName: Print Operators
273 systemFlags: -1946157056
274 groupType: -2147483643
275 isCriticalSystemObject: TRUE
276
277 dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
278 objectClass: top
279 objectClass: group
280 description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
281 objectSid: S-1-5-32-551
282 adminCount: 1
283 sAMAccountName: Backup Operators
284 systemFlags: -1946157056
285 groupType: -2147483643
286 isCriticalSystemObject: TRUE
287
288 dn: CN=Replicator,CN=Builtin,${DOMAINDN}
289 objectClass: top
290 objectClass: group
291 description: Supports file replication in a domain
292 objectSid: S-1-5-32-552
293 adminCount: 1
294 sAMAccountName: Replicator
295 systemFlags: -1946157056
296 groupType: -2147483643
297 isCriticalSystemObject: TRUE
298
299 dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
300 objectClass: top
301 objectClass: group
302 description: A backward compatibility group which allows read access on all users and groups in the domain
303 member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
304 objectSid: S-1-5-32-554
305 sAMAccountName: Pre-Windows 2000 Compatible Access
306 systemFlags: -1946157056
307 groupType: -2147483643
308 isCriticalSystemObject: TRUE
309
310 dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
311 objectClass: top
312 objectClass: group
313 description: Members in this group are granted the right to logon remotely
314 objectSid: S-1-5-32-555
315 sAMAccountName: Remote Desktop Users
316 systemFlags: -1946157056
317 groupType: -2147483643
318 isCriticalSystemObject: TRUE
319
320 dn: CN=Network Configuration Operators,CN=Builtin,${DOMAINDN}
321 objectClass: top
322 objectClass: group
323 description: Members in this group can have some administrative privileges to manage configuration of networking features
324 objectSid: S-1-5-32-556
325 sAMAccountName: Network Configuration Operators
326 systemFlags: -1946157056
327 groupType: -2147483643
328 isCriticalSystemObject: TRUE
329
330 dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
331 objectClass: top
332 objectClass: group
333 description: Members of this group can create incoming, one-way trusts to this forest
334 objectSid: S-1-5-32-557
335 sAMAccountName: Incoming Forest Trust Builders
336 systemFlags: -1946157056
337 groupType: -2147483643
338 isCriticalSystemObject: TRUE
339
340 dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
341 objectClass: top
342 objectClass: group
343 description: Members of this group have remote access to monitor this computer
344 objectSid: S-1-5-32-558
345 sAMAccountName: Performance Monitor Users
346 systemFlags: -1946157056
347 groupType: -2147483643
348 isCriticalSystemObject: TRUE
349
350 dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
351 objectClass: top
352 objectClass: group
353 description: Members of this group have remote access to schedule logging of performance counters on this computer
354 member: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
355 objectSid: S-1-5-32-559
356 sAMAccountName: Performance Log Users
357 systemFlags: -1946157056
358 groupType: -2147483643
359 isCriticalSystemObject: TRUE
360
361 dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
362 objectClass: top
363 objectClass: group
364 description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
365 member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
366 objectSid: S-1-5-32-560
367 sAMAccountName: Windows Authorization Access Group
368 systemFlags: -1946157056
369 groupType: -2147483643
370 isCriticalSystemObject: TRUE
371
372 dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
373 objectClass: top
374 objectClass: group
375 description: Terminal Server License Servers
376 objectSid: S-1-5-32-561
377 sAMAccountName: Terminal Server License Servers
378 systemFlags: -1946157056
379 groupType: -2147483643
380 isCriticalSystemObject: TRUE
381
382 dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
383 objectClass: top
384 objectClass: group
385 description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
386 objectSid: S-1-5-32-562
387 sAMAccountName: Distributed COM Users
388 systemFlags: -1946157056
389 groupType: -2147483643
390 isCriticalSystemObject: TRUE
391
392 dn: CN=Cryptographic Operators,CN=Builtin,${DOMAINDN}
393 objectClass: top
394 objectClass: group
395 description: Members are authorized to perform cryptographic operations.
396 objectSid: S-1-5-32-569
397 sAMAccountName: Cryptographic Operators
398 systemFlags: -1946157056
399 groupType: -2147483643
400 isCriticalSystemObject: TRUE
401
402 dn: CN=Event Log Readers,CN=Builtin,${DOMAINDN}
403 objectClass: top
404 objectClass: group
405 description: Members of this group can read event logs from local machine.
406 objectSid: S-1-5-32-573
407 sAMAccountName: Event Log Readers
408 systemFlags: -1946157056
409 groupType: -2147483643
410 isCriticalSystemObject: TRUE
411
412 dn: CN=Certificate Service DCOM Access,CN=Builtin,${DOMAINDN}
413 objectClass: top
414 objectClass: group
415 description: Members of this group are allowed to connect to Certification Authorities in the enterprise.
416 objectSid: S-1-5-32-574
417 sAMAccountName: Certificate Service DCOM Access
418 systemFlags: -1946157056
419 groupType: -2147483643
420 isCriticalSystemObject: TRUE
421
422 # Add well known security principals
423
424 dn: CN=WellKnown Security Principals,${CONFIGDN}
425 objectClass: top
426 objectClass: container
427 systemFlags: -2147483648
428
429 dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
430 objectClass: top
431 objectClass: foreignSecurityPrincipal
432 objectSid: S-1-5-7
433
434 dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
435 objectClass: top
436 objectClass: foreignSecurityPrincipal
437 objectSid: S-1-5-11
438
439 dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
440 objectClass: top
441 objectClass: foreignSecurityPrincipal
442 objectSid: S-1-5-3
443
444 dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
445 objectClass: top
446 objectClass: foreignSecurityPrincipal
447 objectSid: S-1-3-1
448
449 dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
450 objectClass: top
451 objectClass: foreignSecurityPrincipal
452 objectSid: S-1-3-0
453
454 dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
455 objectClass: top
456 objectClass: foreignSecurityPrincipal
457 objectSid: S-1-5-1
458
459 dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
460 objectClass: top
461 objectClass: foreignSecurityPrincipal
462 objectSid: S-1-5-64-21
463
464 dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
465 objectClass: top
466 objectClass: foreignSecurityPrincipal
467 objectSid: S-1-5-9
468
469 dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
470 objectClass: top
471 objectClass: foreignSecurityPrincipal
472 objectSid: S-1-1-0
473
474 dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
475 objectClass: top
476 objectClass: foreignSecurityPrincipal
477 objectSid: S-1-5-4
478
479 dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
480 objectClass: top
481 objectClass: foreignSecurityPrincipal
482 objectSid: S-1-5-19
483
484 dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
485 objectClass: top
486 objectClass: foreignSecurityPrincipal
487 objectSid: S-1-5-2
488
489 dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
490 objectClass: top
491 objectClass: foreignSecurityPrincipal
492 objectSid: S-1-5-20
493
494 dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
495 objectClass: top
496 objectClass: foreignSecurityPrincipal
497 objectSid: S-1-5-64-10
498
499 dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
500 objectClass: top
501 objectClass: foreignSecurityPrincipal
502 objectSid: S-1-5-1000
503
504 dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
505 objectClass: top
506 objectClass: foreignSecurityPrincipal
507 objectSid: S-1-5-8
508
509 dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
510 objectClass: top
511 objectClass: foreignSecurityPrincipal
512 objectSid: S-1-5-14
513
514 dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
515 objectClass: top
516 objectClass: foreignSecurityPrincipal
517 objectSid: S-1-5-12
518
519 dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
520 objectClass: top
521 objectClass: foreignSecurityPrincipal
522 objectSid: S-1-5-64-14
523
524 dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
525 objectClass: top
526 objectClass: foreignSecurityPrincipal
527 objectSid: S-1-5-10
528
529 dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
530 objectClass: top
531 objectClass: foreignSecurityPrincipal
532 objectSid: S-1-5-6
533
534 dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
535 objectClass: top
536 objectClass: foreignSecurityPrincipal
537 objectSid: S-1-5-13
538
539 dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
540 objectClass: top
541 objectClass: foreignSecurityPrincipal
542 objectSid: S-1-5-15
543
544 dn: CN=Well-Known-Security-Id-System,CN=WellKnown Security Principals,${CONFIGDN}
545 objectClass: top
546 objectClass: foreignSecurityPrincipal
547 objectSid: S-1-5-18