source: branches/samba-3.5.x/source4/setup/provision_users.ldif

Last change on this file was 414, checked in by Herwig Bauernfeind, 16 years ago

Samba 3.5.0: Initial import

1# Add default primary groups (domain users, domain guests) - needed for
2# the users to find valid primary groups (samldb module)
3
# ${DOMAINDN} and ${DOMAINSID} are template placeholders; presumably the
# provisioning code substitutes them before this LDIF is loaded - confirm
# against the caller.
# RID 513 is the well-known relative ID of Domain Users. No groupType is
# set on this entry, so the effective group type is whatever the directory
# applies by default on add (not visible in this file).
4dn: CN=Domain Users,CN=Users,${DOMAINDN}
5objectClass: top
6objectClass: group
7description: All domain users
8objectSid: ${DOMAINSID}-513
9sAMAccountName: Domain Users
10isCriticalSystemObject: TRUE
11
# RID 514 is the well-known relative ID of Domain Guests. The Guest account
# later in this file sets primaryGroupID: 514, which refers to this group.
12dn: CN=Domain Guests,CN=Users,${DOMAINDN}
13objectClass: top
14objectClass: group
15description: All domain guests
16objectSid: ${DOMAINSID}-514
17sAMAccountName: Domain Guests
18isCriticalSystemObject: TRUE
19
20# Add users
21
# Built-in Administrator, well-known RID 500.
# userAccountControl 66048 = 0x10200 = NORMAL_ACCOUNT (0x200) |
# DONT_EXPIRE_PASSWORD (0x10000): the account is created enabled and its
# password never ages out, so the value chosen at provision time stays
# valid until someone rotates it deliberately.
# accountExpires 9223372036854775807 (0x7FFFFFFFFFFFFFFF) means "never".
# adminCount: 1 is the marker Active Directory uses for protected
# (AdminSDHolder) principals; whether this Samba version acts on it is not
# visible here.
# "userPassword::" is the LDIF double-colon form: the value is base64.
# Base64 is an encoding, not protection. Once ${ADMINPASS_B64} has been
# substituted, the rendered LDIF carries the recoverable administrator
# password, so the rendered text must not be logged or left on disk with
# loose permissions.
# NOTE(review): how the directory stores the value after the add (hashing,
# key derivation) is not shown in this file - confirm.
22dn: CN=Administrator,CN=Users,${DOMAINDN}
23objectClass: user
24description: Built-in account for administering the computer/domain
25userAccountControl: 66048
26objectSid: ${DOMAINSID}-500
27adminCount: 1
28accountExpires: 9223372036854775807
29sAMAccountName: Administrator
30userPassword:: ${ADMINPASS_B64}
31isCriticalSystemObject: TRUE
32
# Built-in Guest, well-known RID 501, primary group Domain Guests (514).
# userAccountControl 66082 = 0x10222 = ACCOUNTDISABLE (0x2) |
# PASSWD_NOTREQD (0x20) | NORMAL_ACCOUNT (0x200) |
# DONT_EXPIRE_PASSWORD (0x10000).
# The account is created disabled and no userPassword is supplied. Because
# PASSWD_NOTREQD is also set, re-enabling it later without first setting a
# password could leave a blank-password account; changes to this entry's
# userAccountControl are worth auditing.
33dn: CN=Guest,CN=Users,${DOMAINDN}
34objectClass: user
35description: Built-in account for guest access to the computer/domain
36userAccountControl: 66082
37primaryGroupID: 514
38objectSid: ${DOMAINSID}-501
39sAMAccountName: Guest
40isCriticalSystemObject: TRUE
41
# krbtgt, well-known RID 502: the Key Distribution Center service account.
# userAccountControl 514 = 0x202 = ACCOUNTDISABLE (0x2) |
# NORMAL_ACCOUNT (0x200), so the account is created disabled.
# The servicePrincipalName kadmin/changepw is the Kerberos password-change
# service principal.
# In a Kerberos realm the krbtgt key is what the KDC uses to issue
# ticket-granting tickets, which makes ${KRBTGTPASS_B64} the most sensitive
# substitution in this template. Same caveat as for the Administrator
# entry: "::" only means base64, so the rendered LDIF exposes the secret.
# NOTE(review): how the value is generated is not visible here - confirm it
# is random, long, and never reused or written to logs.
42dn: CN=krbtgt,CN=Users,${DOMAINDN}
43objectClass: top
44objectClass: person
45objectClass: organizationalPerson
46objectClass: user
47description: Key Distribution Center Service Account
48showInAdvancedViewOnly: TRUE
49userAccountControl: 514
50objectSid: ${DOMAINSID}-502
51adminCount: 1
52accountExpires: 9223372036854775807
53sAMAccountName: krbtgt
54servicePrincipalName: kadmin/changepw
55userPassword:: ${KRBTGTPASS_B64}
56isCriticalSystemObject: TRUE
57
58# Add other groups
59
# Domain groups under CN=Users, each with a well-known RID appended to
# ${DOMAINSID}. Four of them list the built-in Administrator as an initial
# member: Enterprise Admins, Schema Admins, Domain Admins and Group Policy
# Creator Owners. adminCount: 1 is set on Enterprise Admins, Domain
# Controllers, Schema Admins and Domain Admins only.
# Entries without a groupType line rely on the directory default, which is
# not visible in this file.
#
# Enterprise Admins, RID 519.
60dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
61objectClass: top
62objectClass: group
63description: Designated administrators of the enterprise
64member: CN=Administrator,CN=Users,${DOMAINDN}
65objectSid: ${DOMAINSID}-519
66adminCount: 1
67sAMAccountName: Enterprise Admins
68isCriticalSystemObject: TRUE
69
# Domain Computers, RID 515. No initial members.
70dn: CN=Domain Computers,CN=Users,${DOMAINDN}
71objectClass: top
72objectClass: group
73description: All workstations and servers joined to the domain
74objectSid: ${DOMAINSID}-515
75sAMAccountName: Domain Computers
76isCriticalSystemObject: TRUE
77
# Domain Controllers, RID 516. No initial members.
78dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
79objectClass: top
80objectClass: group
81description: All domain controllers in the domain
82objectSid: ${DOMAINSID}-516
83adminCount: 1
84sAMAccountName: Domain Controllers
85isCriticalSystemObject: TRUE
86
# Schema Admins, RID 518.
87dn: CN=Schema Admins,CN=Users,${DOMAINDN}
88objectClass: top
89objectClass: group
90description: Designated administrators of the schema
91member: CN=Administrator,CN=Users,${DOMAINDN}
92objectSid: ${DOMAINSID}-518
93adminCount: 1
94sAMAccountName: Schema Admins
95isCriticalSystemObject: TRUE
96
# Cert Publishers, RID 517.
# groupType -2147483644 = 0x80000004 = SECURITY_ENABLED (0x80000000) |
# resource / domain-local group (0x4). The same value is used by every
# entry below that sets groupType in this section.
97dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
98objectClass: top
99objectClass: group
100description: Members of this group are permitted to publish certificates to the Active Directory
101groupType: -2147483644
102objectSid: ${DOMAINSID}-517
103sAMAccountName: Cert Publishers
104isCriticalSystemObject: TRUE
105
# Domain Admins, RID 512. This group is in turn a member of
# CN=Administrators,CN=Builtin later in this file.
106dn: CN=Domain Admins,CN=Users,${DOMAINDN}
107objectClass: top
108objectClass: group
109description: Designated administrators of the domain
110member: CN=Administrator,CN=Users,${DOMAINDN}
111objectSid: ${DOMAINSID}-512
112adminCount: 1
113sAMAccountName: Domain Admins
114isCriticalSystemObject: TRUE
115
# Group Policy Creator Owners, RID 520. Has Administrator as a member but,
# unlike the other administrative groups above, no adminCount attribute.
116dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
117objectClass: top
118objectClass: group
119description: Members in this group can modify group policy for the domain
120member: CN=Administrator,CN=Users,${DOMAINDN}
121objectSid: ${DOMAINSID}-520
122sAMAccountName: Group Policy Creator Owners
123isCriticalSystemObject: TRUE
124
# RAS and IAS Servers, RID 553, domain-local security group.
125dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
126objectClass: top
127objectClass: group
128description: Servers in this group can access remote access properties of users
129objectSid: ${DOMAINSID}-553
130sAMAccountName: RAS and IAS Servers
131groupType: -2147483644
132isCriticalSystemObject: TRUE
133
# Read-Only Domain Controllers, RID 521.
134dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN}
135objectClass: top
136objectClass: group
137description: read-only domain controllers
138objectSid: ${DOMAINSID}-521
139sAMAccountName: Read-Only Domain Controllers
140groupType: -2147483644
141isCriticalSystemObject: TRUE
142
# Enterprise Read-Only Domain Controllers, RID 498.
143dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN}
144objectClass: top
145objectClass: group
146description: enterprise read-only domain controllers
147objectSid: ${DOMAINSID}-498
148sAMAccountName: Enterprise Read-Only Domain Controllers
149groupType: -2147483644
150isCriticalSystemObject: TRUE
151
# NOTE(review): the next three groups (Certificate Service DCOM Access,
# Cryptographic Operators, Event Log Readers) are BUILTIN aliases on
# Windows: S-1-5-32-574, S-1-5-32-569 and S-1-5-32-573. This template
# creates them under CN=Users with domain-relative SIDs ${DOMAINSID}-574,
# -569 and -573 instead. ACLs or tooling that reference the S-1-5-32 form
# would not match these objects - confirm the placement is intended.
152dn: CN=Certificate Service DCOM Access,CN=Users,${DOMAINDN}
153objectClass: top
154objectClass: group
155description: Certificate Service DCOM Access
156objectSid: ${DOMAINSID}-574
157sAMAccountName: Certificate Service DCOM Access
158groupType: -2147483644
159isCriticalSystemObject: TRUE
160
161dn: CN=Cryptographic Operators,CN=Users,${DOMAINDN}
162objectClass: top
163objectClass: group
164description: Cryptographic Operators
165objectSid: ${DOMAINSID}-569
166sAMAccountName: Cryptographic Operators
167groupType: -2147483644
168isCriticalSystemObject: TRUE
169
170dn: CN=Event Log Readers,CN=Users,${DOMAINDN}
171objectClass: top
172objectClass: group
173description: Event Log Readers
174objectSid: ${DOMAINSID}-573
175sAMAccountName: Event Log Readers
176groupType: -2147483644
177isCriticalSystemObject: TRUE
178
179# Add foreign security principals
180
# These four entries give well-known SIDs a DN inside the domain so that
# the Builtin groups later in this file can name them in "member" values.
# The names below come from the WellKnown Security Principals section at
# the end of this file, which lists the same SIDs.
#
# S-1-5-4 = Interactive; listed as a member of CN=Users,CN=Builtin.
181dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
182objectClass: top
183objectClass: foreignSecurityPrincipal
184objectSid: S-1-5-4
185
# S-1-5-9 = Enterprise Domain Controllers; listed as a member of
# CN=Windows Authorization Access Group,CN=Builtin.
186dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
187objectClass: top
188objectClass: foreignSecurityPrincipal
189objectSid: S-1-5-9
190
# S-1-5-11 = Authenticated Users; listed as a member of CN=Users,CN=Builtin
# and of CN=Pre-Windows 2000 Compatible Access,CN=Builtin.
191dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
192objectClass: top
193objectClass: foreignSecurityPrincipal
194objectSid: S-1-5-11
195
# S-1-5-20 = Network Service; listed as a member of
# CN=Performance Log Users,CN=Builtin.
196dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
197objectClass: top
198objectClass: foreignSecurityPrincipal
199objectSid: S-1-5-20
200
201# Add builtin objects
202
# Every entry in this section uses the same two constants:
#   systemFlags -1946157056 = 0x8C000000 = DISALLOW_DELETE (0x80000000) |
#     DOMAIN_DISALLOW_RENAME (0x08000000) | DOMAIN_DISALLOW_MOVE (0x04000000)
#   groupType -2147483643 = 0x80000005 = SECURITY_ENABLED (0x80000000) |
#     resource / domain-local (0x4) | BUILTIN_LOCAL_GROUP (0x1)
# objectSid values are fixed S-1-5-32-RID aliases and do not depend on
# ${DOMAINSID}.
# The multi-valued "privilege" attribute lists the privileges and logon
# rights attached to a group. NOTE(review): presumably consumed by Samba's
# privilege handling; where and how it is enforced is not visible here.
#
# Administrators (S-1-5-32-544). Initial members: Domain Admins, Enterprise
# Admins and the Administrator account. The 24 values below include
# SeDebugPrivilege, SeImpersonatePrivilege, SeLoadDriverPrivilege,
# SeTakeOwnershipPrivilege, SeBackupPrivilege / SeRestorePrivilege and
# SeEnableDelegationPrivilege, each of which amounts to full control of the
# host or domain. Membership changes, direct or through the nested groups,
# should be audited.
203dn: CN=Administrators,CN=Builtin,${DOMAINDN}
204objectClass: top
205objectClass: group
206description: Administrators have complete and unrestricted access to the computer/domain
207member: CN=Domain Admins,CN=Users,${DOMAINDN}
208member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
209member: CN=Administrator,CN=Users,${DOMAINDN}
210objectSid: S-1-5-32-544
211adminCount: 1
212sAMAccountName: Administrators
213systemFlags: -1946157056
214groupType: -2147483643
215privilege: SeSecurityPrivilege
216privilege: SeBackupPrivilege
217privilege: SeRestorePrivilege
218privilege: SeSystemtimePrivilege
219privilege: SeShutdownPrivilege
220privilege: SeRemoteShutdownPrivilege
221privilege: SeTakeOwnershipPrivilege
222privilege: SeDebugPrivilege
223privilege: SeSystemEnvironmentPrivilege
224privilege: SeSystemProfilePrivilege
225privilege: SeProfileSingleProcessPrivilege
226privilege: SeIncreaseBasePriorityPrivilege
227privilege: SeLoadDriverPrivilege
228privilege: SeCreatePagefilePrivilege
229privilege: SeIncreaseQuotaPrivilege
230privilege: SeChangeNotifyPrivilege
231privilege: SeUndockPrivilege
232privilege: SeManageVolumePrivilege
233privilege: SeImpersonatePrivilege
234privilege: SeCreateGlobalPrivilege
235privilege: SeEnableDelegationPrivilege
236privilege: SeInteractiveLogonRight
237privilege: SeNetworkLogonRight
238privilege: SeRemoteInteractiveLogonRight
239isCriticalSystemObject: TRUE
240
# Users (S-1-5-32-545). Initial members: Domain Users, Interactive
# (S-1-5-4) and Authenticated Users (S-1-5-11). No privilege values.
241dn: CN=Users,CN=Builtin,${DOMAINDN}
242objectClass: top
243objectClass: group
244description: Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications
245member: CN=Domain Users,CN=Users,${DOMAINDN}
246member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
247member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
248objectSid: S-1-5-32-545
249sAMAccountName: Users
250systemFlags: -1946157056
251groupType: -2147483643
252isCriticalSystemObject: TRUE
253
# Guests (S-1-5-32-546). Initial members: Domain Guests and the Guest
# account, which this file creates disabled.
254dn: CN=Guests,CN=Builtin,${DOMAINDN}
255objectClass: top
256objectClass: group
257description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
258member: CN=Domain Guests,CN=Users,${DOMAINDN}
259member: CN=Guest,CN=Users,${DOMAINDN}
260objectSid: S-1-5-32-546
261sAMAccountName: Guests
262systemFlags: -1946157056
263groupType: -2147483643
264isCriticalSystemObject: TRUE
265
# Print Operators (S-1-5-32-550). No initial members. Holds
# SeLoadDriverPrivilege, a kernel-level privilege, so membership deserves
# the same monitoring as the administrator groups.
266dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
267objectClass: top
268objectClass: group
269description: Members can administer domain printers
270objectSid: S-1-5-32-550
271adminCount: 1
272sAMAccountName: Print Operators
273systemFlags: -1946157056
274groupType: -2147483643
275privilege: SeLoadDriverPrivilege
276privilege: SeShutdownPrivilege
277privilege: SeInteractiveLogonRight
278isCriticalSystemObject: TRUE
279
# Backup Operators (S-1-5-32-551). No initial members. SeBackupPrivilege
# and SeRestorePrivilege override file permissions (see the description
# below), which makes this group security-sensitive.
280dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
281objectClass: top
282objectClass: group
283description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
284objectSid: S-1-5-32-551
285adminCount: 1
286sAMAccountName: Backup Operators
287systemFlags: -1946157056
288groupType: -2147483643
289privilege: SeBackupPrivilege
290privilege: SeRestorePrivilege
291privilege: SeShutdownPrivilege
292privilege: SeInteractiveLogonRight
293isCriticalSystemObject: TRUE
294
# Replicator (S-1-5-32-552). No members and no privilege values, but
# adminCount: 1 is set.
295dn: CN=Replicator,CN=Builtin,${DOMAINDN}
296objectClass: top
297objectClass: group
298description: Supports file replication in a domain
299objectSid: S-1-5-32-552
300adminCount: 1
301sAMAccountName: Replicator
302systemFlags: -1946157056
303groupType: -2147483643
304isCriticalSystemObject: TRUE
305
# Remote Desktop Users (S-1-5-32-555). No members; no privilege values are
# attached here even though the description mentions a remote logon right.
306dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
307objectClass: top
308objectClass: group
309description: Members in this group are granted the right to logon remotely
310objectSid: S-1-5-32-555
311sAMAccountName: Remote Desktop Users
312systemFlags: -1946157056
313groupType: -2147483643
314isCriticalSystemObject: TRUE
315
# Network Configuration Operators (S-1-5-32-556). No members.
316dn: CN=Network Configuration Operators,CN=Builtin,${DOMAINDN}
317objectClass: top
318objectClass: group
319description: Members in this group can have some administrative privileges to manage configuration of networking features
320objectSid: S-1-5-32-556
321sAMAccountName: Network Configuration Operators
322systemFlags: -1946157056
323groupType: -2147483643
324isCriticalSystemObject: TRUE
325
# Performance Monitor Users (S-1-5-32-558). No members.
326dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
327objectClass: top
328objectClass: group
329description: Members of this group have remote access to monitor this computer
330objectSid: S-1-5-32-558
331sAMAccountName: Performance Monitor Users
332systemFlags: -1946157056
333groupType: -2147483643
334isCriticalSystemObject: TRUE
335
# Performance Log Users (S-1-5-32-559). Initial member: Network Service
# (S-1-5-20).
336dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
337objectClass: top
338objectClass: group
339description: Members of this group have remote access to schedule logging of performance counters on this computer
340member: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}
341objectSid: S-1-5-32-559
342sAMAccountName: Performance Log Users
343systemFlags: -1946157056
344groupType: -2147483643
345isCriticalSystemObject: TRUE
346
# Server Operators (S-1-5-32-549). No initial members. Holds backup,
# restore, shutdown and system-time privileges plus interactive logon, so
# it should be treated as an administrative group.
347dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
348objectClass: top
349objectClass: group
350description: Members can administer domain servers
351objectSid: S-1-5-32-549
352adminCount: 1
353sAMAccountName: Server Operators
354systemFlags: -1946157056
355groupType: -2147483643
356privilege: SeBackupPrivilege
357privilege: SeSystemtimePrivilege
358privilege: SeRemoteShutdownPrivilege
359privilege: SeRestorePrivilege
360privilege: SeShutdownPrivilege
361privilege: SeInteractiveLogonRight
362isCriticalSystemObject: TRUE
363
# Account Operators (S-1-5-32-548). No initial members; only the
# interactive logon right is attached here.
364dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
365objectClass: top
366objectClass: group
367description: Members can administer domain user and group accounts
368objectSid: S-1-5-32-548
369adminCount: 1
370sAMAccountName: Account Operators
371systemFlags: -1946157056
372groupType: -2147483643
373privilege: SeInteractiveLogonRight
374isCriticalSystemObject: TRUE
375
# Pre-Windows 2000 Compatible Access (S-1-5-32-554). Its only initial
# member is Authenticated Users (S-1-5-11), so per the description every
# authenticated principal gets read access to all users and groups - the
# setting to revisit when hardening against directory enumeration.
# NOTE(review): the group is also given SeRemoteInteractiveLogonRight,
# which through the S-1-5-11 membership would extend to every authenticated
# account. Confirm this was intended rather than SeNetworkLogonRight.
376dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
377objectClass: top
378objectClass: group
379description: A backward compatibility group which allows read access on all users and groups in the domain
380member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
381objectSid: S-1-5-32-554
382sAMAccountName: Pre-Windows 2000 Compatible Access
383systemFlags: -1946157056
384groupType: -2147483643
385privilege: SeRemoteInteractiveLogonRight
386privilege: SeChangeNotifyPrivilege
387isCriticalSystemObject: TRUE
388
# Incoming Forest Trust Builders (S-1-5-32-557). No members.
389dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
390objectClass: top
391objectClass: group
392description: Members of this group can create incoming, one-way trusts to this forest
393objectSid: S-1-5-32-557
394sAMAccountName: Incoming Forest Trust Builders
395systemFlags: -1946157056
396groupType: -2147483643
397isCriticalSystemObject: TRUE
398
# Windows Authorization Access Group (S-1-5-32-560). Initial member:
# Enterprise Domain Controllers (S-1-5-9).
399dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
400objectClass: top
401objectClass: group
402description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
403member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
404objectSid: S-1-5-32-560
405sAMAccountName: Windows Authorization Access Group
406systemFlags: -1946157056
407groupType: -2147483643
408isCriticalSystemObject: TRUE
409
# Terminal Server License Servers (S-1-5-32-561). No members.
410dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
411objectClass: top
412objectClass: group
413description: Terminal Server License Servers
414objectSid: S-1-5-32-561
415sAMAccountName: Terminal Server License Servers
416systemFlags: -1946157056
417groupType: -2147483643
418isCriticalSystemObject: TRUE
419
# Distributed COM Users (S-1-5-32-562). No members.
420dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
421objectClass: top
422objectClass: group
423description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
424objectSid: S-1-5-32-562
425sAMAccountName: Distributed COM Users
426systemFlags: -1946157056
427groupType: -2147483643
428isCriticalSystemObject: TRUE
429
430# Add well known security principals
431
# Unlike the sections above, these entries live under ${CONFIGDN} (the
# configuration naming context placeholder), not ${DOMAINDN}.
# The container's systemFlags -2147483648 = 0x80000000 = DISALLOW_DELETE.
# Each child is a foreignSecurityPrincipal that maps a display name to a
# fixed, domain-independent SID. The entries carry no members, privileges
# or credentials; they are a name-to-SID catalogue.
# For ACL review: no group in this file lists Everyone (S-1-1-0) or
# Anonymous Logon (S-1-5-7) as a member. The broadest principal used in a
# "member" value is Authenticated Users (S-1-5-11).
432dn: CN=WellKnown Security Principals,${CONFIGDN}
433objectClass: top
434objectClass: container
435systemFlags: -2147483648
436
437dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
438objectClass: top
439objectClass: foreignSecurityPrincipal
440objectSid: S-1-5-7
441
# Same SID as CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}.
442dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
443objectClass: top
444objectClass: foreignSecurityPrincipal
445objectSid: S-1-5-11
446
447dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
448objectClass: top
449objectClass: foreignSecurityPrincipal
450objectSid: S-1-5-3
451
452dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
453objectClass: top
454objectClass: foreignSecurityPrincipal
455objectSid: S-1-3-1
456
457dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
458objectClass: top
459objectClass: foreignSecurityPrincipal
460objectSid: S-1-3-0
461
462dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
463objectClass: top
464objectClass: foreignSecurityPrincipal
465objectSid: S-1-5-1
466
467dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
468objectClass: top
469objectClass: foreignSecurityPrincipal
470objectSid: S-1-5-64-21
471
# Same SID as CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}.
472dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
473objectClass: top
474objectClass: foreignSecurityPrincipal
475objectSid: S-1-5-9
476
477dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
478objectClass: top
479objectClass: foreignSecurityPrincipal
480objectSid: S-1-1-0
481
# Same SID as CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}.
482dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
483objectClass: top
484objectClass: foreignSecurityPrincipal
485objectSid: S-1-5-4
486
487dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
488objectClass: top
489objectClass: foreignSecurityPrincipal
490objectSid: S-1-5-19
491
492dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
493objectClass: top
494objectClass: foreignSecurityPrincipal
495objectSid: S-1-5-2
496
# Same SID as CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN}.
497dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
498objectClass: top
499objectClass: foreignSecurityPrincipal
500objectSid: S-1-5-20
501
502dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
503objectClass: top
504objectClass: foreignSecurityPrincipal
505objectSid: S-1-5-64-10
506
507dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
508objectClass: top
509objectClass: foreignSecurityPrincipal
510objectSid: S-1-5-1000
511
512dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
513objectClass: top
514objectClass: foreignSecurityPrincipal
515objectSid: S-1-5-8
516
517dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
518objectClass: top
519objectClass: foreignSecurityPrincipal
520objectSid: S-1-5-14
521
522dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
523objectClass: top
524objectClass: foreignSecurityPrincipal
525objectSid: S-1-5-12
526
527dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
528objectClass: top
529objectClass: foreignSecurityPrincipal
530objectSid: S-1-5-64-14
531
532dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
533objectClass: top
534objectClass: foreignSecurityPrincipal
535objectSid: S-1-5-10
536
537dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
538objectClass: top
539objectClass: foreignSecurityPrincipal
540objectSid: S-1-5-6
541
542dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
543objectClass: top
544objectClass: foreignSecurityPrincipal
545objectSid: S-1-5-13
546
547dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
548objectClass: top
549objectClass: foreignSecurityPrincipal
550objectSid: S-1-5-15
551
# S-1-5-18 is the Local System account.
552dn: CN=Well-Known-Security-Id-System,CN=WellKnown Security Principals,${CONFIGDN}
553objectClass: top
554objectClass: foreignSecurityPrincipal
555objectSid: S-1-5-18