librpc: rerun make idl
[Samba/nascimento.git] / source4 / setup / provision_users.ldif
bloba2e544159a0e71cbfda7769ad075b583f3f32fab
1 # Add default primary groups (domain users, domain guests, domain computers &
2 # domain controllers) - needed for the users to find valid primary groups
3 # (samldb module)
5 dn: CN=Domain Users,CN=Users,${DOMAINDN}
6 objectClass: top
7 objectClass: group
8 description: All domain users
9 objectSid: ${DOMAINSID}-513
10 sAMAccountName: Domain Users
11 isCriticalSystemObject: TRUE
13 dn: CN=Domain Guests,CN=Users,${DOMAINDN}
14 objectClass: top
15 objectClass: group
16 description: All domain guests
17 objectSid: ${DOMAINSID}-514
18 sAMAccountName: Domain Guests
19 isCriticalSystemObject: TRUE
21 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
22 objectClass: top
23 objectClass: group
24 description: All workstations and servers joined to the domain
25 objectSid: ${DOMAINSID}-515
26 sAMAccountName: Domain Computers
27 isCriticalSystemObject: TRUE
29 dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
30 objectClass: top
31 objectClass: group
32 description: All domain controllers in the domain
33 objectSid: ${DOMAINSID}-516
34 adminCount: 1
35 sAMAccountName: Domain Controllers
36 isCriticalSystemObject: TRUE
38 # Add users
40 dn: CN=Administrator,CN=Users,${DOMAINDN}
41 objectClass: user
42 description: Built-in account for administering the computer/domain
43 userAccountControl: 66048
44 objectSid: ${DOMAINSID}-500
45 adminCount: 1
46 accountExpires: 9223372036854775807
47 sAMAccountName: Administrator
48 userPassword:: ${ADMINPASS_B64}
49 isCriticalSystemObject: TRUE
51 dn: CN=Guest,CN=Users,${DOMAINDN}
52 objectClass: user
53 description: Built-in account for guest access to the computer/domain
54 userAccountControl: 66082
55 primaryGroupID: 514
56 objectSid: ${DOMAINSID}-501
57 sAMAccountName: Guest
58 isCriticalSystemObject: TRUE
60 dn: CN=krbtgt,CN=Users,${DOMAINDN}
61 objectClass: top
62 objectClass: person
63 objectClass: organizationalPerson
64 objectClass: user
65 description: Key Distribution Center Service Account
66 showInAdvancedViewOnly: TRUE
67 userAccountControl: 514
68 objectSid: ${DOMAINSID}-502
69 adminCount: 1
70 accountExpires: 9223372036854775807
71 sAMAccountName: krbtgt
72 servicePrincipalName: kadmin/changepw
73 userPassword:: ${KRBTGTPASS_B64}
74 isCriticalSystemObject: TRUE
76 # Add other groups
78 dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN}
79 objectClass: top
80 objectClass: group
81 description: Members of this group are Read-Only Domain Controllers in the enterprise
82 objectSid: ${DOMAINSID}-498
83 sAMAccountName: Enterprise Read-Only Domain Controllers
84 groupType: -2147483640
85 isCriticalSystemObject: TRUE
87 dn: CN=Domain Admins,CN=Users,${DOMAINDN}
88 objectClass: top
89 objectClass: group
90 description: Designated administrators of the domain
91 member: CN=Administrator,CN=Users,${DOMAINDN}
92 objectSid: ${DOMAINSID}-512
93 adminCount: 1
94 sAMAccountName: Domain Admins
95 isCriticalSystemObject: TRUE
97 dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
98 objectClass: top
99 objectClass: group
100 description: Members of this group are permitted to publish certificates to the Active Directory
101 objectSid: ${DOMAINSID}-517
102 sAMAccountName: Cert Publishers
103 groupType: -2147483644
104 isCriticalSystemObject: TRUE
106 dn: CN=Schema Admins,CN=Users,${DOMAINDN}
107 objectClass: top
108 objectClass: group
109 description: Designated administrators of the schema
110 member: CN=Administrator,CN=Users,${DOMAINDN}
111 objectSid: ${DOMAINSID}-518
112 adminCount: 1
113 sAMAccountName: Schema Admins
114 groupType: -2147483640
115 isCriticalSystemObject: TRUE
117 dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
118 objectClass: top
119 objectClass: group
120 description: Designated administrators of the enterprise
121 member: CN=Administrator,CN=Users,${DOMAINDN}
122 objectSid: ${DOMAINSID}-519
123 adminCount: 1
124 sAMAccountName: Enterprise Admins
125 groupType: -2147483640
126 isCriticalSystemObject: TRUE
128 dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
129 objectClass: top
130 objectClass: group
131 description: Members in this group can modify group policies for the domain
132 member: CN=Administrator,CN=Users,${DOMAINDN}
133 objectSid: ${DOMAINSID}-520
134 sAMAccountName: Group Policy Creator Owners
135 isCriticalSystemObject: TRUE
137 dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
138 objectClass: top
139 objectClass: group
140 description: Members of this group are Read-Only Domain Controllers in the domain
141 objectSid: ${DOMAINSID}-521
142 adminCount: 1
143 sAMAccountName: Read-Only Domain Controllers
144 isCriticalSystemObject: TRUE
146 dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
147 objectClass: top
148 objectClass: group
149 description: Servers in this group can access remote access properties of users
150 objectSid: ${DOMAINSID}-553
151 sAMAccountName: RAS and IAS Servers
152 groupType: -2147483644
153 isCriticalSystemObject: TRUE
155 dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN}
156 objectClass: top
157 objectClass: group
158 description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain.
159 objectSid: ${DOMAINSID}-571
160 sAMAccountName: Allowed RODC Password Replication Group
161 groupType: -2147483644
162 isCriticalSystemObject: TRUE
164 dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN}
165 objectClass: top
166 objectClass: group
167 description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain.
168 member: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
169 member: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
170 member: CN=Domain Admins,CN=Users,${DOMAINDN}
171 member: CN=Cert Publishers,CN=Users,${DOMAINDN}
172 member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
173 member: CN=Schema Admins,CN=Users,${DOMAINDN}
174 member: CN=Domain Controllers,CN=Users,${DOMAINDN}
175 member: CN=krbtgt,CN=Users,${DOMAINDN}
176 objectSid: ${DOMAINSID}-572
177 sAMAccountName: Denied RODC Password Replication Group
178 groupType: -2147483644
179 isCriticalSystemObject: TRUE
181 # NOTICE: Some other users and groups which rely on automatic SIDs are located
182 # in "provision_self_join_modify.ldif"
184 # Add foreign security principals
186 dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
187 objectClass: top
188 objectClass: foreignSecurityPrincipal
189 objectSid: S-1-5-4
191 dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
192 objectClass: top
193 objectClass: foreignSecurityPrincipal
194 objectSid: S-1-5-9
196 dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
197 objectClass: top
198 objectClass: foreignSecurityPrincipal
199 objectSid: S-1-5-11
201 dn: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
202 objectClass: top
203 objectClass: foreignSecurityPrincipal
204 objectSid: S-1-5-17
206 dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
207 objectClass: top
208 objectClass: foreignSecurityPrincipal
209 objectSid: S-1-5-20
211 # Add builtin objects
213 dn: CN=Administrators,CN=Builtin,${DOMAINDN}
214 objectClass: top
215 objectClass: group
216 description: Administrators have complete and unrestricted access to the computer/domain
217 member: CN=Domain Admins,CN=Users,${DOMAINDN}
218 member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
219 member: CN=Administrator,CN=Users,${DOMAINDN}
220 objectSid: S-1-5-32-544
221 adminCount: 1
222 sAMAccountName: Administrators
223 systemFlags: -1946157056
224 groupType: -2147483643
225 isCriticalSystemObject: TRUE
227 dn: CN=Users,CN=Builtin,${DOMAINDN}
228 objectClass: top
229 objectClass: group
230 description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
231 member: CN=Domain Users,CN=Users,${DOMAINDN}
232 member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
233 member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
234 objectSid: S-1-5-32-545
235 sAMAccountName: Users
236 systemFlags: -1946157056
237 groupType: -2147483643
238 isCriticalSystemObject: TRUE
240 dn: CN=Guests,CN=Builtin,${DOMAINDN}
241 objectClass: top
242 objectClass: group
243 description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
244 member: CN=Domain Guests,CN=Users,${DOMAINDN}
245 member: CN=Guest,CN=Users,${DOMAINDN}
246 objectSid: S-1-5-32-546
247 sAMAccountName: Guests
248 systemFlags: -1946157056
249 groupType: -2147483643
250 isCriticalSystemObject: TRUE
252 dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
253 objectClass: top
254 objectClass: group
255 description: Members can administer domain user and group accounts
256 objectSid: S-1-5-32-548
257 adminCount: 1
258 sAMAccountName: Account Operators
259 systemFlags: -1946157056
260 groupType: -2147483643
261 isCriticalSystemObject: TRUE
263 dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
264 objectClass: top
265 objectClass: group
266 description: Members can administer domain servers
267 objectSid: S-1-5-32-549
268 adminCount: 1
269 sAMAccountName: Server Operators
270 systemFlags: -1946157056
271 groupType: -2147483643
272 isCriticalSystemObject: TRUE
274 dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
275 objectClass: top
276 objectClass: group
277 description: Members can administer domain printers
278 objectSid: S-1-5-32-550
279 adminCount: 1
280 sAMAccountName: Print Operators
281 systemFlags: -1946157056
282 groupType: -2147483643
283 isCriticalSystemObject: TRUE
285 dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
286 objectClass: top
287 objectClass: group
288 description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
289 objectSid: S-1-5-32-551
290 adminCount: 1
291 sAMAccountName: Backup Operators
292 systemFlags: -1946157056
293 groupType: -2147483643
294 isCriticalSystemObject: TRUE
296 dn: CN=Replicator,CN=Builtin,${DOMAINDN}
297 objectClass: top
298 objectClass: group
299 description: Supports file replication in a domain
300 objectSid: S-1-5-32-552
301 adminCount: 1
302 sAMAccountName: Replicator
303 systemFlags: -1946157056
304 groupType: -2147483643
305 isCriticalSystemObject: TRUE
307 dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
308 objectClass: top
309 objectClass: group
310 description: A backward compatibility group which allows read access on all users and groups in the domain
311 member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
312 objectSid: S-1-5-32-554
313 sAMAccountName: Pre-Windows 2000 Compatible Access
314 systemFlags: -1946157056
315 groupType: -2147483643
316 isCriticalSystemObject: TRUE
318 dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
319 objectClass: top
320 objectClass: group
321 description: Members in this group are granted the right to logon remotely
322 objectSid: S-1-5-32-555
323 sAMAccountName: Remote Desktop Users
324 systemFlags: -1946157056
325 groupType: -2147483643
326 isCriticalSystemObject: TRUE
328 dn: CN=Network Configuration Operators,CN=Builtin,${DOMAINDN}
329 objectClass: top
330 objectClass: group
331 description: Members in this group can have some administrative privileges to manage configuration of networking features
332 objectSid: S-1-5-32-556
333 sAMAccountName: Network Configuration Operators
334 systemFlags: -1946157056
335 groupType: -2147483643
336 isCriticalSystemObject: TRUE
338 dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
339 objectClass: top
340 objectClass: group
341 description: Members of this group can create incoming, one-way trusts to this forest
342 objectSid: S-1-5-32-557
343 sAMAccountName: Incoming Forest Trust Builders
344 systemFlags: -1946157056
345 groupType: -2147483643
346 isCriticalSystemObject: TRUE
348 dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
349 objectClass: top
350 objectClass: group
351 description: Members of this group have remote access to monitor this computer
352 objectSid: S-1-5-32-558
353 sAMAccountName: Performance Monitor Users
354 systemFlags: -1946157056
355 groupType: -2147483643
356 isCriticalSystemObject: TRUE
358 dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
359 objectClass: top
360 objectClass: group
361 description: Members of this group have remote access to schedule logging of performance counters on this computer
362 member: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
363 objectSid: S-1-5-32-559
364 sAMAccountName: Performance Log Users
365 systemFlags: -1946157056
366 groupType: -2147483643
367 isCriticalSystemObject: TRUE
369 dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
370 objectClass: top
371 objectClass: group
372 description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
373 member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
374 objectSid: S-1-5-32-560
375 sAMAccountName: Windows Authorization Access Group
376 systemFlags: -1946157056
377 groupType: -2147483643
378 isCriticalSystemObject: TRUE
380 dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
381 objectClass: top
382 objectClass: group
383 description: Terminal Server License Servers
384 objectSid: S-1-5-32-561
385 sAMAccountName: Terminal Server License Servers
386 systemFlags: -1946157056
387 groupType: -2147483643
388 isCriticalSystemObject: TRUE
390 dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
391 objectClass: top
392 objectClass: group
393 description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
394 objectSid: S-1-5-32-562
395 sAMAccountName: Distributed COM Users
396 systemFlags: -1946157056
397 groupType: -2147483643
398 isCriticalSystemObject: TRUE
400 dn: CN=IIS_IUSRS,CN=Builtin,${DOMAINDN}
401 objectClass: top
402 objectClass: group
403 description: Integrated group used by the IIS
404 member: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
405 objectSid: S-1-5-32-568
406 sAMAccountName: IIS_IUSRS
407 systemFlags: -1946157056
408 groupType: -2147483643
409 isCriticalSystemObject: TRUE
411 dn: CN=Cryptographic Operators,CN=Builtin,${DOMAINDN}
412 objectClass: top
413 objectClass: group
414 description: Members are authorized to perform cryptographic operations.
415 objectSid: S-1-5-32-569
416 sAMAccountName: Cryptographic Operators
417 systemFlags: -1946157056
418 groupType: -2147483643
419 isCriticalSystemObject: TRUE
421 dn: CN=Event Log Readers,CN=Builtin,${DOMAINDN}
422 objectClass: top
423 objectClass: group
424 description: Members of this group can read event logs from local machine.
425 objectSid: S-1-5-32-573
426 sAMAccountName: Event Log Readers
427 systemFlags: -1946157056
428 groupType: -2147483643
429 isCriticalSystemObject: TRUE
431 dn: CN=Certificate Service DCOM Access,CN=Builtin,${DOMAINDN}
432 objectClass: top
433 objectClass: group
434 description: Members of this group are allowed to connect to Certification Authorities in the enterprise.
435 objectSid: S-1-5-32-574
436 sAMAccountName: Certificate Service DCOM Access
437 systemFlags: -1946157056
438 groupType: -2147483643
439 isCriticalSystemObject: TRUE
441 # Add well known security principals
443 dn: CN=WellKnown Security Principals,${CONFIGDN}
444 objectClass: top
445 objectClass: container
446 systemFlags: -2147483648
448 dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
449 objectClass: top
450 objectClass: foreignSecurityPrincipal
451 objectSid: S-1-5-7
453 dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
454 objectClass: top
455 objectClass: foreignSecurityPrincipal
456 objectSid: S-1-5-11
458 dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
459 objectClass: top
460 objectClass: foreignSecurityPrincipal
461 objectSid: S-1-5-3
463 dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
464 objectClass: top
465 objectClass: foreignSecurityPrincipal
466 objectSid: S-1-3-1
468 dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
469 objectClass: top
470 objectClass: foreignSecurityPrincipal
471 objectSid: S-1-3-0
473 dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
474 objectClass: top
475 objectClass: foreignSecurityPrincipal
476 objectSid: S-1-5-1
478 dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
479 objectClass: top
480 objectClass: foreignSecurityPrincipal
481 objectSid: S-1-5-64-21
483 dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
484 objectClass: top
485 objectClass: foreignSecurityPrincipal
486 objectSid: S-1-5-9
488 dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
489 objectClass: top
490 objectClass: foreignSecurityPrincipal
491 objectSid: S-1-1-0
493 dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
494 objectClass: top
495 objectClass: foreignSecurityPrincipal
496 objectSid: S-1-5-4
498 dn: CN=IUSR,CN=WellKnown Security Principals,${CONFIGDN}
499 objectClass: top
500 objectClass: foreignSecurityPrincipal
501 objectSid: S-1-5-17
503 dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
504 objectClass: top
505 objectClass: foreignSecurityPrincipal
506 objectSid: S-1-5-19
508 dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
509 objectClass: top
510 objectClass: foreignSecurityPrincipal
511 objectSid: S-1-5-2
513 dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
514 objectClass: top
515 objectClass: foreignSecurityPrincipal
516 objectSid: S-1-5-20
518 dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
519 objectClass: top
520 objectClass: foreignSecurityPrincipal
521 objectSid: S-1-5-64-10
523 dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
524 objectClass: top
525 objectClass: foreignSecurityPrincipal
526 objectSid: S-1-5-1000
528 dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
529 objectClass: top
530 objectClass: foreignSecurityPrincipal
531 objectSid: S-1-5-8
533 dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
534 objectClass: top
535 objectClass: foreignSecurityPrincipal
536 objectSid: S-1-5-14
538 dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
539 objectClass: top
540 objectClass: foreignSecurityPrincipal
541 objectSid: S-1-5-12
543 dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
544 objectClass: top
545 objectClass: foreignSecurityPrincipal
546 objectSid: S-1-5-64-14
548 dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
549 objectClass: top
550 objectClass: foreignSecurityPrincipal
551 objectSid: S-1-5-10
553 dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
554 objectClass: top
555 objectClass: foreignSecurityPrincipal
556 objectSid: S-1-5-6
558 dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
559 objectClass: top
560 objectClass: foreignSecurityPrincipal
561 objectSid: S-1-5-13
563 dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
564 objectClass: top
565 objectClass: foreignSecurityPrincipal
566 objectSid: S-1-5-15
568 dn: CN=Well-Known-Security-Id-System,CN=WellKnown Security Principals,${CONFIGDN}
569 objectClass: top
570 objectClass: foreignSecurityPrincipal
571 objectSid: S-1-5-18