source: trunk/server/source4/setup/provision_users.ldif

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago

Samba Server: updated trunk to 3.6.0
File size: 17.8 KB
Line 
1# Add default primary groups (domain users, domain guests, domain computers &
2# domain controllers) - needed for the users to find valid primary groups
3# (samldb module)
4
5dn: CN=Domain Users,CN=Users,${DOMAINDN}
6objectClass: top
7objectClass: group
8description: All domain users
9objectSid: ${DOMAINSID}-513
10sAMAccountName: Domain Users
11isCriticalSystemObject: TRUE
12
13dn: CN=Domain Guests,CN=Users,${DOMAINDN}
14objectClass: top
15objectClass: group
16description: All domain guests
17objectSid: ${DOMAINSID}-514
18sAMAccountName: Domain Guests
19isCriticalSystemObject: TRUE
20
21dn: CN=Domain Computers,CN=Users,${DOMAINDN}
22objectClass: top
23objectClass: group
24description: All workstations and servers joined to the domain
25objectSid: ${DOMAINSID}-515
26sAMAccountName: Domain Computers
27isCriticalSystemObject: TRUE
28
29dn: CN=Domain Controllers,CN=Users,${DOMAINDN}
30objectClass: top
31objectClass: group
32description: All domain controllers in the domain
33objectSid: ${DOMAINSID}-516
34adminCount: 1
35sAMAccountName: Domain Controllers
36isCriticalSystemObject: TRUE
37
38# Add users
39
40dn: CN=Administrator,CN=Users,${DOMAINDN}
41objectClass: user
42description: Built-in account for administering the computer/domain
43userAccountControl: 512
44objectSid: ${DOMAINSID}-500
45adminCount: 1
46accountExpires: 9223372036854775807
47sAMAccountName: Administrator
48clearTextPassword:: ${ADMINPASS_B64}
49isCriticalSystemObject: TRUE
50
51dn: CN=Guest,CN=Users,${DOMAINDN}
52objectClass: user
53description: Built-in account for guest access to the computer/domain
54userAccountControl: 66082
55primaryGroupID: 514
56objectSid: ${DOMAINSID}-501
57sAMAccountName: Guest
58isCriticalSystemObject: TRUE
59
60dn: CN=krbtgt,CN=Users,${DOMAINDN}
61objectClass: top
62objectClass: person
63objectClass: organizationalPerson
64objectClass: user
65description: Key Distribution Center Service Account
66showInAdvancedViewOnly: TRUE
67userAccountControl: 514
68objectSid: ${DOMAINSID}-502
69adminCount: 1
70accountExpires: 9223372036854775807
71sAMAccountName: krbtgt
72servicePrincipalName: kadmin/changepw
73clearTextPassword:: ${KRBTGTPASS_B64}
74isCriticalSystemObject: TRUE
75
76# Add other groups
77
78dn: CN=Enterprise Read-only Domain Controllers,CN=Users,${DOMAINDN}
79objectClass: top
80objectClass: group
81description: Members of this group are Read-Only Domain Controllers in the enterprise
82objectSid: ${DOMAINSID}-498
83sAMAccountName: Enterprise Read-Only Domain Controllers
84groupType: -2147483640
85isCriticalSystemObject: TRUE
86
87dn: CN=Domain Admins,CN=Users,${DOMAINDN}
88objectClass: top
89objectClass: group
90description: Designated administrators of the domain
91member: CN=Administrator,CN=Users,${DOMAINDN}
92objectSid: ${DOMAINSID}-512
93adminCount: 1
94sAMAccountName: Domain Admins
95isCriticalSystemObject: TRUE
96
97dn: CN=Cert Publishers,CN=Users,${DOMAINDN}
98objectClass: top
99objectClass: group
100description: Members of this group are permitted to publish certificates to the directory
101objectSid: ${DOMAINSID}-517
102sAMAccountName: Cert Publishers
103groupType: -2147483644
104isCriticalSystemObject: TRUE
105
106dn: CN=Schema Admins,CN=Users,${DOMAINDN}
107objectClass: top
108objectClass: group
109description: Designated administrators of the schema
110member: CN=Administrator,CN=Users,${DOMAINDN}
111objectSid: ${DOMAINSID}-518
112adminCount: 1
113sAMAccountName: Schema Admins
114groupType: -2147483640
115isCriticalSystemObject: TRUE
116
117dn: CN=Enterprise Admins,CN=Users,${DOMAINDN}
118objectClass: top
119objectClass: group
120description: Designated administrators of the enterprise
121member: CN=Administrator,CN=Users,${DOMAINDN}
122objectSid: ${DOMAINSID}-519
123adminCount: 1
124sAMAccountName: Enterprise Admins
125groupType: -2147483640
126isCriticalSystemObject: TRUE
127
128dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
129objectClass: top
130objectClass: group
131description: Members in this group can modify group policy for the domain
132member: CN=Administrator,CN=Users,${DOMAINDN}
133objectSid: ${DOMAINSID}-520
134sAMAccountName: Group Policy Creator Owners
135isCriticalSystemObject: TRUE
136
137dn: CN=Read-only Domain Controllers,CN=Users,${DOMAINDN}
138objectClass: top
139objectClass: group
140description: Members of this group are Read-Only Domain Controllers in the domain
141objectSid: ${DOMAINSID}-521
142adminCount: 1
143sAMAccountName: Read-Only Domain Controllers
144isCriticalSystemObject: TRUE
145
146dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN}
147objectClass: top
148objectClass: group
149description: Servers in this group can access remote access properties of users
150objectSid: ${DOMAINSID}-553
151sAMAccountName: RAS and IAS Servers
152groupType: -2147483644
153isCriticalSystemObject: TRUE
154
155dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN}
156objectClass: top
157objectClass: group
158description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain
159objectSid: ${DOMAINSID}-571
160sAMAccountName: Allowed RODC Password Replication Group
161groupType: -2147483644
162isCriticalSystemObject: TRUE
163
164dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN}
165objectClass: top
166objectClass: group
167description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
168member: CN=Read-only Domain Controllers,CN=Users,${DOMAINDN}
169member: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN}
170member: CN=Domain Admins,CN=Users,${DOMAINDN}
171member: CN=Cert Publishers,CN=Users,${DOMAINDN}
172member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
173member: CN=Schema Admins,CN=Users,${DOMAINDN}
174member: CN=Domain Controllers,CN=Users,${DOMAINDN}
175member: CN=krbtgt,CN=Users,${DOMAINDN}
176objectSid: ${DOMAINSID}-572
177sAMAccountName: Denied RODC Password Replication Group
178groupType: -2147483644
179isCriticalSystemObject: TRUE
180
181# NOTICE: Some other users and groups which rely on automatic SIDs are located
182# in "provision_self_join_modify.ldif"
183
184# Add foreign security principals
185
186dn: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
187objectClass: top
188objectClass: foreignSecurityPrincipal
189objectSid: S-1-5-4
190
191dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
192objectClass: top
193objectClass: foreignSecurityPrincipal
194objectSid: S-1-5-9
195
196dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
197objectClass: top
198objectClass: foreignSecurityPrincipal
199objectSid: S-1-5-11
200
201dn: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
202objectClass: top
203objectClass: foreignSecurityPrincipal
204objectSid: S-1-5-17
205
206# Add builtin objects
207
208dn: CN=Administrators,CN=Builtin,${DOMAINDN}
209objectClass: top
210objectClass: group
211description: Administrators have complete and unrestricted access to the computer/domain
212member: CN=Domain Admins,CN=Users,${DOMAINDN}
213member: CN=Enterprise Admins,CN=Users,${DOMAINDN}
214member: CN=Administrator,CN=Users,${DOMAINDN}
215objectSid: S-1-5-32-544
216adminCount: 1
217sAMAccountName: Administrators
218systemFlags: -1946157056
219groupType: -2147483643
220isCriticalSystemObject: TRUE
221
222dn: CN=Users,CN=Builtin,${DOMAINDN}
223objectClass: top
224objectClass: group
225description: Users are prevented from making accidental or intentional system-wide changes and can run most applications
226member: CN=Domain Users,CN=Users,${DOMAINDN}
227member: CN=S-1-5-4,CN=ForeignSecurityPrincipals,${DOMAINDN}
228member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
229objectSid: S-1-5-32-545
230sAMAccountName: Users
231systemFlags: -1946157056
232groupType: -2147483643
233isCriticalSystemObject: TRUE
234
235dn: CN=Guests,CN=Builtin,${DOMAINDN}
236objectClass: top
237objectClass: group
238description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
239member: CN=Domain Guests,CN=Users,${DOMAINDN}
240member: CN=Guest,CN=Users,${DOMAINDN}
241objectSid: S-1-5-32-546
242sAMAccountName: Guests
243systemFlags: -1946157056
244groupType: -2147483643
245isCriticalSystemObject: TRUE
246
247dn: CN=Account Operators,CN=Builtin,${DOMAINDN}
248objectClass: top
249objectClass: group
250description: Members can administer domain user and group accounts
251objectSid: S-1-5-32-548
252adminCount: 1
253sAMAccountName: Account Operators
254systemFlags: -1946157056
255groupType: -2147483643
256isCriticalSystemObject: TRUE
257
258dn: CN=Server Operators,CN=Builtin,${DOMAINDN}
259objectClass: top
260objectClass: group
261description: Members can administer domain servers
262objectSid: S-1-5-32-549
263adminCount: 1
264sAMAccountName: Server Operators
265systemFlags: -1946157056
266groupType: -2147483643
267isCriticalSystemObject: TRUE
268
269dn: CN=Print Operators,CN=Builtin,${DOMAINDN}
270objectClass: top
271objectClass: group
272description: Members can administer domain printers
273objectSid: S-1-5-32-550
274adminCount: 1
275sAMAccountName: Print Operators
276systemFlags: -1946157056
277groupType: -2147483643
278isCriticalSystemObject: TRUE
279
280dn: CN=Backup Operators,CN=Builtin,${DOMAINDN}
281objectClass: top
282objectClass: group
283description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
284objectSid: S-1-5-32-551
285adminCount: 1
286sAMAccountName: Backup Operators
287systemFlags: -1946157056
288groupType: -2147483643
289isCriticalSystemObject: TRUE
290
291dn: CN=Replicator,CN=Builtin,${DOMAINDN}
292objectClass: top
293objectClass: group
294description: Supports file replication in a domain
295objectSid: S-1-5-32-552
296adminCount: 1
297sAMAccountName: Replicator
298systemFlags: -1946157056
299groupType: -2147483643
300isCriticalSystemObject: TRUE
301
302dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
303objectClass: top
304objectClass: group
305description: A backward compatibility group which allows read access on all users and groups in the domain
306member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN}
307objectSid: S-1-5-32-554
308sAMAccountName: Pre-Windows 2000 Compatible Access
309systemFlags: -1946157056
310groupType: -2147483643
311isCriticalSystemObject: TRUE
312
313dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN}
314objectClass: top
315objectClass: group
316description: Members in this group are granted the right to logon remotely
317objectSid: S-1-5-32-555
318sAMAccountName: Remote Desktop Users
319systemFlags: -1946157056
320groupType: -2147483643
321isCriticalSystemObject: TRUE
322
323dn: CN=Network Configuration Operators,CN=Builtin,${DOMAINDN}
324objectClass: top
325objectClass: group
326description: Members in this group can have some administrative privileges to manage configuration of networking features
327objectSid: S-1-5-32-556
328sAMAccountName: Network Configuration Operators
329systemFlags: -1946157056
330groupType: -2147483643
331isCriticalSystemObject: TRUE
332
333dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
334objectClass: top
335objectClass: group
336description: Members of this group can create incoming, one-way trusts to this forest
337objectSid: S-1-5-32-557
338sAMAccountName: Incoming Forest Trust Builders
339systemFlags: -1946157056
340groupType: -2147483643
341isCriticalSystemObject: TRUE
342
343dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN}
344objectClass: top
345objectClass: group
346description: Members of this group can access performance counter data locally and remotely
347objectSid: S-1-5-32-558
348sAMAccountName: Performance Monitor Users
349systemFlags: -1946157056
350groupType: -2147483643
351isCriticalSystemObject: TRUE
352
353dn: CN=Performance Log Users,CN=Builtin,${DOMAINDN}
354objectClass: top
355objectClass: group
356description: Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer
357objectSid: S-1-5-32-559
358sAMAccountName: Performance Log Users
359systemFlags: -1946157056
360groupType: -2147483643
361isCriticalSystemObject: TRUE
362
363dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
364objectClass: top
365objectClass: group
366description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
367member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN}
368objectSid: S-1-5-32-560
369sAMAccountName: Windows Authorization Access Group
370systemFlags: -1946157056
371groupType: -2147483643
372isCriticalSystemObject: TRUE
373
374dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
375objectClass: top
376objectClass: group
377description: Members of this group can update user accounts in Active Directory with information about license issuance, for the purpose of tracking and reporting TS Per User CAL usage
378objectSid: S-1-5-32-561
379sAMAccountName: Terminal Server License Servers
380systemFlags: -1946157056
381groupType: -2147483643
382isCriticalSystemObject: TRUE
383
384dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
385objectClass: top
386objectClass: group
387description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
388objectSid: S-1-5-32-562
389sAMAccountName: Distributed COM Users
390systemFlags: -1946157056
391groupType: -2147483643
392isCriticalSystemObject: TRUE
393
394dn: CN=IIS_IUSRS,CN=Builtin,${DOMAINDN}
395objectClass: top
396objectClass: group
397description: Built-in group used by Internet Information Services.
398member: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN}
399objectSid: S-1-5-32-568
400sAMAccountName: IIS_IUSRS
401systemFlags: -1946157056
402groupType: -2147483643
403isCriticalSystemObject: TRUE
404
405dn: CN=Cryptographic Operators,CN=Builtin,${DOMAINDN}
406objectClass: top
407objectClass: group
408description: Members are authorized to perform cryptographic operations.
409objectSid: S-1-5-32-569
410sAMAccountName: Cryptographic Operators
411systemFlags: -1946157056
412groupType: -2147483643
413isCriticalSystemObject: TRUE
414
415dn: CN=Event Log Readers,CN=Builtin,${DOMAINDN}
416objectClass: top
417objectClass: group
418description: Members of this group can read event logs from local machine
419objectSid: S-1-5-32-573
420sAMAccountName: Event Log Readers
421systemFlags: -1946157056
422groupType: -2147483643
423isCriticalSystemObject: TRUE
424
425dn: CN=Certificate Service DCOM Access,CN=Builtin,${DOMAINDN}
426objectClass: top
427objectClass: group
428description: Members of this group are allowed to connect to Certification Authorities in the enterprise
429objectSid: S-1-5-32-574
430sAMAccountName: Certificate Service DCOM Access
431systemFlags: -1946157056
432groupType: -2147483643
433isCriticalSystemObject: TRUE
434
435# Add well known security principals
436
437dn: CN=WellKnown Security Principals,${CONFIGDN}
438objectClass: top
439objectClass: container
440systemFlags: -2147483648
441
442dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
443objectClass: top
444objectClass: foreignSecurityPrincipal
445objectSid: S-1-5-7
446
447dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
448objectClass: top
449objectClass: foreignSecurityPrincipal
450objectSid: S-1-5-11
451
452dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
453objectClass: top
454objectClass: foreignSecurityPrincipal
455objectSid: S-1-5-3
456
457dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
458objectClass: top
459objectClass: foreignSecurityPrincipal
460objectSid: S-1-3-1
461
462dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
463objectClass: top
464objectClass: foreignSecurityPrincipal
465objectSid: S-1-3-0
466
467dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
468objectClass: top
469objectClass: foreignSecurityPrincipal
470objectSid: S-1-5-1
471
472dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
473objectClass: top
474objectClass: foreignSecurityPrincipal
475objectSid: S-1-5-64-21
476
477dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
478objectClass: top
479objectClass: foreignSecurityPrincipal
480objectSid: S-1-5-9
481
482dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
483objectClass: top
484objectClass: foreignSecurityPrincipal
485objectSid: S-1-1-0
486
487dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
488objectClass: top
489objectClass: foreignSecurityPrincipal
490objectSid: S-1-5-4
491
492dn: CN=IUSR,CN=WellKnown Security Principals,${CONFIGDN}
493objectClass: top
494objectClass: foreignSecurityPrincipal
495objectSid: S-1-5-17
496
497dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
498objectClass: top
499objectClass: foreignSecurityPrincipal
500objectSid: S-1-5-19
501
502dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
503objectClass: top
504objectClass: foreignSecurityPrincipal
505objectSid: S-1-5-2
506
507dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
508objectClass: top
509objectClass: foreignSecurityPrincipal
510objectSid: S-1-5-20
511
512dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
513objectClass: top
514objectClass: foreignSecurityPrincipal
515objectSid: S-1-5-64-10
516
517dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
518objectClass: top
519objectClass: foreignSecurityPrincipal
520objectSid: S-1-5-1000
521
522dn: CN=Owner Rights,CN=WellKnown Security Principals,${CONFIGDN}
523objectClass: top
524objectClass: foreignSecurityPrincipal
525objectSid: S-1-3-4
526
527dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
528objectClass: top
529objectClass: foreignSecurityPrincipal
530objectSid: S-1-5-8
531
532dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
533objectClass: top
534objectClass: foreignSecurityPrincipal
535objectSid: S-1-5-14
536
537dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
538objectClass: top
539objectClass: foreignSecurityPrincipal
540objectSid: S-1-5-12
541
542dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
543objectClass: top
544objectClass: foreignSecurityPrincipal
545objectSid: S-1-5-64-14
546
547dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
548objectClass: top
549objectClass: foreignSecurityPrincipal
550objectSid: S-1-5-10
551
552dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
553objectClass: top
554objectClass: foreignSecurityPrincipal
555objectSid: S-1-5-6
556
557dn: CN=System,CN=WellKnown Security Principals,${CONFIGDN}
558objectClass: top
559objectClass: foreignSecurityPrincipal
560objectSid: S-1-5-18
561
562dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
563objectClass: top
564objectClass: foreignSecurityPrincipal
565objectSid: S-1-5-13
566
567dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
568objectClass: top
569objectClass: foreignSecurityPrincipal
570objectSid: S-1-5-15
Note: See TracBrowser for help on using the repository browser.