r8790: Finish the migration of aliases and privilages with SamSync, by adding

templating support for foreignSecurityPrincipals to the samdb module.
This is an extension beyond what microsoft does, and has been very
useful :-)

The setup scripts have been modified to use the new template, as has
the SAMR and LSA code.

Other cleanups in LSA remove the assumption that the short domain name
is the first component of the realm.

Also add a lot of useful debug messages, to make it clear how/why the
SamSync may have gone wrong.  Many of these should perhaps be hooked
into an error string.

Andrew Bartlett
(This used to be commit 1f071b0609c5c83024db1d4a7d04334a932b8253)

8 files changed, 638 insertions, 531 deletions

diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c
index 2414b2795f..38d6d267b8 100644
--- a/source4/libnet/libnet_samsync_ldb.c
+++ b/source4/libnet/libnet_samsync_ldb.c
@@ -5,6 +5,7 @@
 
    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
    Copyright (C) Andrew Tridgell 2004
+   Copyright (C) Volker Lendecke 2004
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -50,6 +51,56 @@ struct samsync_ldb_state {
 	struct samsync_ldb_trusted_domain *trusted_domains;
 };
 
+static NTSTATUS samsync_ldb_add_foreignSecurityPrincipal(TALLOC_CTX *mem_ctx,
+							 struct samsync_ldb_state *state,
+							 struct dom_sid *sid,
+							 char **fsp_dn)
+{
+	const char *sidstr = dom_sid_string(mem_ctx, sid);
+	/* We assume that ForeignSecurityPrincipals are under the BASEDN of the main domain */
+	const char *basedn = samdb_search_string(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN],
+						 "dn",
+						 "(&(objectClass=container)"
+						 "(cn=ForeignSecurityPrincipals))");
+	struct ldb_message *msg;
+	int ret;
+
+	if (!sidstr) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (basedn == NULL) {
+		DEBUG(0, ("Failed to find DN for "
+			  "ForeignSecurityPrincipal container\n"));
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+	
+	msg = ldb_msg_new(mem_ctx);
+	if (msg == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/* add core elements to the ldb_message for the alias */
+	msg->dn = talloc_asprintf(mem_ctx, "CN=%s,%s", sidstr, basedn);
+	if (msg->dn == NULL)
+		return NT_STATUS_NO_MEMORY;
+	
+	samdb_msg_add_string(state->sam_ldb, mem_ctx, msg,
+			     "objectClass",
+			     "foreignSecurityPrincipal");
+
+	*fsp_dn = msg->dn;
+
+	/* create the alias */
+	ret = samdb_add(state->sam_ldb, mem_ctx, msg);
+	if (ret != 0) {
+		DEBUG(0,("Failed to create foreignSecurityPrincipal "
+			 "record %s: %s\n", msg->dn, ldb_errstring(state->sam_ldb)));
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+	return NT_STATUS_OK;
+}
+
 static NTSTATUS samsync_ldb_handle_domain(TALLOC_CTX *mem_ctx,
 					  struct samsync_ldb_state *state,
 					  struct creds_CredentialState *creds,
@@ -178,6 +229,11 @@ static NTSTATUS samsync_ldb_handle_user(TALLOC_CTX *mem_ctx,
 	} else if (ret == 0) {
 		add = True;
 	} else if (ret > 1) {
+		DEBUG(0, ("More than one user with SID: %s\n", 
+			  dom_sid_string(mem_ctx, 
+					 dom_sid_add_rid(mem_ctx, 
+							 state->dom_sid[database], 
+							 rid))));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else {
 		msg->dn = talloc_steal(msg, msgs[0]->dn);
@@ -317,10 +373,16 @@ static NTSTATUS samsync_ldb_delete_user(TALLOC_CTX *mem_ctx,
 			   ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
 	if (ret == -1) {
+		DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else if (ret == 0) {
 		return NT_STATUS_NO_SUCH_USER;
 	} else if (ret > 1) {
+		DEBUG(0, ("More than one user with SID: %s\n", 
+			  dom_sid_string(mem_ctx, 
+					 dom_sid_add_rid(mem_ctx, 
+							 state->dom_sid[database], 
+							 rid))));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 
@@ -361,10 +423,16 @@ static NTSTATUS samsync_ldb_handle_group(TALLOC_CTX *mem_ctx,
 			   ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
 	if (ret == -1) {
+		DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else if (ret == 0) {
 		add = True;
 	} else if (ret > 1) {
+		DEBUG(0, ("More than one group/alias with SID: %s\n", 
+			  dom_sid_string(mem_ctx, 
+					 dom_sid_add_rid(mem_ctx, 
+							 state->dom_sid[database], 
+							 rid))));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else {
 		msg->dn = talloc_steal(msg, msgs[0]->dn);
@@ -438,10 +506,16 @@ static NTSTATUS samsync_ldb_delete_group(TALLOC_CTX *mem_ctx,
 			   ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
 	if (ret == -1) {
+		DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else if (ret == 0) {
 		return NT_STATUS_NO_SUCH_GROUP;
 	} else if (ret > 1) {
+		DEBUG(0, ("More than one group/alias with SID: %s\n", 
+			  dom_sid_string(mem_ctx, 
+					 dom_sid_add_rid(mem_ctx, 
+							 state->dom_sid[database], 
+							 rid))));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 	
@@ -479,10 +553,16 @@ static NTSTATUS samsync_ldb_handle_group_member(TALLOC_CTX *mem_ctx,
 			   ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
 	if (ret == -1) {
+		DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else if (ret == 0) {
 		return NT_STATUS_NO_SUCH_GROUP;
 	} else if (ret > 1) {
+		DEBUG(0, ("More than one group/alias with SID: %s\n", 
+			  dom_sid_string(mem_ctx, 
+					 dom_sid_add_rid(mem_ctx, 
+							 state->dom_sid[database], 
+							 rid))));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else {
 		msg->dn = talloc_steal(msg, msgs[0]->dn);
@@ -497,6 +577,7 @@ static NTSTATUS samsync_ldb_handle_group_member(TALLOC_CTX *mem_ctx,
 				   ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], group_member->rids[i]))); 
 
 		if (ret == -1) {
+			DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
 			return NT_STATUS_INTERNAL_DB_CORRUPTION;
 		} else if (ret == 0) {
 			return NT_STATUS_NO_SUCH_USER;
@@ -546,10 +627,16 @@ static NTSTATUS samsync_ldb_handle_alias(TALLOC_CTX *mem_ctx,
 			   ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
 	if (ret == -1) {
+		DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else if (ret == 0) {
 		add = True;
 	} else if (ret > 1) {
+		DEBUG(0, ("More than one group/alias with SID: %s\n", 
+			  dom_sid_string(mem_ctx, 
+					 dom_sid_add_rid(mem_ctx, 
+							 state->dom_sid[database], 
+							 rid))));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else {
 		msg->dn = talloc_steal(mem_ctx, msgs[0]->dn);
@@ -625,6 +712,7 @@ static NTSTATUS samsync_ldb_delete_alias(TALLOC_CTX *mem_ctx,
 			   ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
 	if (ret == -1) {
+		DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else if (ret == 0) {
 		return NT_STATUS_NO_SUCH_ALIAS;
@@ -666,10 +754,16 @@ static NTSTATUS samsync_ldb_handle_alias_member(TALLOC_CTX *mem_ctx,
 			   ldap_encode_ndr_dom_sid(mem_ctx, dom_sid_add_rid(mem_ctx, state->dom_sid[database], rid))); 
 
 	if (ret == -1) {
+		DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else if (ret == 0) {
 		return NT_STATUS_NO_SUCH_GROUP;
 	} else if (ret > 1) {
+		DEBUG(0, ("More than one group/alias with SID: %s\n", 
+			  dom_sid_string(mem_ctx, 
+					 dom_sid_add_rid(mem_ctx, 
+							 state->dom_sid[database], 
+							 rid))));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else {
 		msg->dn = talloc_steal(msg, msgs[0]->dn);
@@ -678,20 +772,29 @@ static NTSTATUS samsync_ldb_handle_alias_member(TALLOC_CTX *mem_ctx,
 	talloc_free(msgs);
 
 	for (i=0; i<alias_member->sids.num_sids; i++) {
-		/* search for the group, by rid */
-		ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+		char *alias_member_dn;
+		/* search for members, in the top basedn (normal users are builtin aliases) */
+		ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
 				   "(objectSid=%s)", 
 				   ldap_encode_ndr_dom_sid(mem_ctx, alias_member->sids.sids[i].sid)); 
 
 		if (ret == -1) {
+			DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
 			return NT_STATUS_INTERNAL_DB_CORRUPTION;
 		} else if (ret == 0) {
-			return NT_STATUS_NO_SUCH_USER;
-		} else if (ret > 1) {
+			NTSTATUS nt_status;
+			nt_status = samsync_ldb_add_foreignSecurityPrincipal(mem_ctx, state,
+									     alias_member->sids.sids[i].sid, 
+									     &alias_member_dn);
+			if (!NT_STATUS_IS_OK(nt_status)) {
+				return nt_status;
+			}
+ 		} else if (ret > 1) {
 			return NT_STATUS_INTERNAL_DB_CORRUPTION;
 		} else {
-			samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "member", msgs[0]->dn);
+			alias_member_dn = msgs[0]->dn;
 		}
+		samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "member", alias_member_dn);
 	
 		talloc_free(msgs);
 	}
@@ -716,6 +819,7 @@ static NTSTATUS samsync_ldb_handle_account(TALLOC_CTX *mem_ctx,
 
 	struct ldb_message *msg;
 	struct ldb_message **msgs;
+	char *privilage_dn;
 	int ret;
 	const char *attrs[] = { NULL };
 	int i;
@@ -725,20 +829,32 @@ static NTSTATUS samsync_ldb_handle_account(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	/* search for the account, by sid */
-	ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+	/* search for the account, by sid, in the top basedn */
+	ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
 			   "(objectSid=%s)", ldap_encode_ndr_dom_sid(mem_ctx, sid)); 
 
 	if (ret == -1) {
+		DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else if (ret == 0) {
-		return NT_STATUS_NO_SUCH_USER;
+		NTSTATUS nt_status;
+		nt_status = samsync_ldb_add_foreignSecurityPrincipal(mem_ctx, state,
+								     sid,
+								     &privilage_dn);
+		privilage_dn = talloc_steal(msg, privilage_dn);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			return nt_status;
+		}
 	} else if (ret > 1) {
+		DEBUG(0, ("More than one account with SID: %s\n", 
+			  dom_sid_string(mem_ctx, sid)));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else {
-		msg->dn = talloc_steal(msg, msgs[0]->dn);
+		privilage_dn = talloc_steal(msg, msgs[0]->dn);
 	}
 
+	msg->dn = privilage_dn;
+
 	for (i=0; i< account->privilege_entries; i++) {
 		samdb_msg_add_string(state->sam_ldb, mem_ctx, msg, "privilage",
 				     account->privilege_name[i].string);
@@ -771,16 +887,19 @@ static NTSTATUS samsync_ldb_delete_account(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	/* search for the account, by sid */
-	ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[database], &msgs, attrs,
+	/* search for the account, by sid, in the top basedn */
+	ret = gendb_search(state->sam_ldb, mem_ctx, state->base_dn[SAM_DATABASE_DOMAIN], &msgs, attrs,
 			   "(objectSid=%s)", 
 			   ldap_encode_ndr_dom_sid(mem_ctx, sid)); 
 
 	if (ret == -1) {
+		DEBUG(0, ("gendb_search failed: %s\n", ldb_errstring(state->sam_ldb)));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else if (ret == 0) {
 		return NT_STATUS_NO_SUCH_USER;
 	} else if (ret > 1) {
+		DEBUG(0, ("More than one account with SID: %s\n", 
+			  dom_sid_string(mem_ctx, sid)));
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	} else {
 		msg->dn = talloc_steal(msg, msgs[0]->dn);
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 78973776f1..85f94712ba 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -220,6 +220,9 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 				     struct lsa_policy_state **_state)
 {
 	struct lsa_policy_state *state;
+	const char *domain_attrs[] =  {"nETBIOSName", "nCName", NULL};
+	int ret_domain;
+	struct ldb_message **msgs_domain;
 
 	state = talloc(mem_ctx, struct lsa_policy_state);
 	if (!state) {
@@ -237,36 +240,47 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
 
+	ret_domain = gendb_search(state->sam_ldb, mem_ctx, NULL, &msgs_domain, domain_attrs,
+				  "(&(&(nETBIOSName=%s)(objectclass=crossRef))(ncName=*))", 
+				  lp_workgroup());
+	
+	if (ret_domain == -1) {
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+		
+	if (ret_domain != 1) {
+		return NT_STATUS_NO_SUCH_DOMAIN;		
+	}
+
 	/* work out the domain_dn - useful for so many calls its worth
 	   fetching here */
-	state->domain_dn = talloc_reference(state, 
-					    samdb_search_string(state->sam_ldb, mem_ctx, NULL,
-								"dn", "(&(objectClass=domain)(!(objectclass=builtinDomain)))"));
+	state->domain_dn = talloc_steal(state, samdb_result_string(msgs_domain[0], "nCName", NULL));
 	if (!state->domain_dn) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
 
 	/* work out the builtin_dn - useful for so many calls its worth
 	   fetching here */
-	state->builtin_dn = talloc_reference(state, 
-					     samdb_search_string(state->sam_ldb, mem_ctx, NULL,
-						"dn", "objectClass=builtinDomain"));
+	state->builtin_dn = talloc_steal(state, 
+					 samdb_search_string(state->sam_ldb, mem_ctx, NULL,
+							     "dn", "objectClass=builtinDomain"));
 	if (!state->builtin_dn) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
 
 	/* work out the system_dn - useful for so many calls its worth
 	   fetching here */
-	state->system_dn = talloc_reference(state, 
-					     samdb_search_string(state->sam_ldb, mem_ctx, state->domain_dn,
-					       "dn", "(&(objectClass=container)(cn=System))"));
+	state->system_dn = talloc_steal(state, 
+					samdb_search_string(state->sam_ldb, mem_ctx, state->domain_dn,
+							    "dn", "(&(objectClass=container)(cn=System))"));
 	if (!state->system_dn) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
 
-	state->domain_sid = samdb_search_dom_sid(state->sam_ldb, state,
-						 state->domain_dn, "objectSid", 
-						 "dn=%s", state->domain_dn);
+	state->domain_sid = talloc_steal(state, 
+					 samdb_search_dom_sid(state->sam_ldb, state,
+							      state->domain_dn, "objectSid", 
+							      "dn=%s", state->domain_dn));
 	if (!state->domain_sid) {
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
@@ -276,13 +290,9 @@ static NTSTATUS lsa_get_policy_state(struct dcesrv_call_state *dce_call, TALLOC_
 		return NT_STATUS_NO_SUCH_DOMAIN;		
 	}
 
-	state->domain_name = talloc_reference(state, 
-					      samdb_search_string(state->sam_ldb, mem_ctx,
-								  state->domain_dn, "name", 
-								  "dn=%s", state->domain_dn));
-	if (!state->domain_name) {
-		return NT_STATUS_NO_SUCH_DOMAIN;		
-	}
+	state->domain_name = talloc_strdup(state, 
+					   samdb_result_string(msgs_domain[0], "nETBIOSName", 
+							       lp_workgroup()));
 
 	*_state = state;
 
@@ -619,14 +629,6 @@ static NTSTATUS lsa_CreateTrustedDomain(struct dcesrv_call_state *dce_call, TALL
 		samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "securityIdentifier", sid_string);
 	}
 
-	/* pull in all the template attributes. */
-	ret = samdb_copy_template(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, 
-				  "(&(name=TemplateTrustedDomain)(objectclass=trustedDomainTemplate))");
-	if (ret != 0) {
-		DEBUG(0,("Failed to load TemplateTrustedDomain from samdb\n"));
-		return NT_STATUS_INTERNAL_DB_CORRUPTION;
-	}
-
 	samdb_msg_add_string(trusted_domain_state->policy->sam_ldb, mem_ctx, msg, "objectClass", "trustedDomain");
 	
 	trusted_domain_state->trusted_domain_dn = talloc_reference(trusted_domain_state, msg->dn);
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 3cda88c04c..26593d1697 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -747,7 +747,7 @@ static NTSTATUS samr_CreateUser2(struct dcesrv_call_state *dce_call, TALLOC_CTX
 	a_state->domain_state = talloc_reference(a_state, d_state);
 	a_state->account_dn = talloc_steal(a_state, msg->dn);
 
-	/* retrieve the sid for the group just created */
+	/* retrieve the sid for the user just created */
 	sid = samdb_search_dom_sid(d_state->sam_ctx, a_state,
 				   msg->dn, "objectSid", "dn=%s", msg->dn);
 	if (sid == NULL) {
@@ -907,7 +907,7 @@ static NTSTATUS samr_CreateDomAlias(struct dcesrv_call_state *dce_call, TALLOC_C
 	/* Check if alias already exists */
 	name = samdb_search_string(d_state->sam_ctx, mem_ctx, NULL,
 				   "sAMAccountName",
-				   "(&pAMAccountName=%s)(objectclass=group))",
+				   "(sAMAccountName=%s)(objectclass=group))",
 				   alias_name);
 
 	if (name != NULL) {
@@ -2040,17 +2040,6 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C
 			return NT_STATUS_NO_MEMORY;
 		}
 
-		/* pull in all the template attributes */
-		ret = samdb_copy_template(d_state->sam_ctx, mem_ctx, msg, 
-					  "(&(name=TemplateForeignSecurityPrincipal)"
-					  "(objectclass=foreignSecurityPrincipalTemplate))");
-		if (ret != 0) {
-			DEBUG(0,("Failed to load "
-				 "TemplateForeignSecurityPrincipal "
-				 "from samdb\n"));
-			return NT_STATUS_INTERNAL_DB_CORRUPTION;
-		}
-
 		/* TODO: Hmmm. This feels wrong. How do I find the base dn to
 		 * put the ForeignSecurityPrincipals? d_state->domain_dn does
 		 * not work, this is wrong for the Builtin domain, there's no
@@ -2076,13 +2065,9 @@ static NTSTATUS samr_AddAliasMember(struct dcesrv_call_state *dce_call, TALLOC_C
 		memberdn = msg->dn;
 
 		samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
-				     "name", sidstr);
-		samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
 				     "objectClass",
 				     "foreignSecurityPrincipal");
-		samdb_msg_add_string(d_state->sam_ctx, mem_ctx, msg,
-				     "objectSid", sidstr);
-		
+
 		/* create the alias */
 		ret = samdb_add(d_state->sam_ctx, mem_ctx, msg);
 		if (ret != 0) {
@@ -3256,7 +3241,7 @@ static NTSTATUS samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX
 	struct ldb_message **msgs;
 	int ret;
 	const char * const attrs[] = {"minPwdLength", "pwdProperties", NULL };
-	void *sam_ctx;
+	struct ldb_context *sam_ctx;
 
 	ZERO_STRUCT(r->out.info);
 
@@ -3267,8 +3252,7 @@ static NTSTATUS samr_GetDomPwInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX
 
 	ret = gendb_search(sam_ctx, 
 			   mem_ctx, NULL, &msgs, attrs, 
-			   "(&(name=%s)(objectclass=domain))",
-			   lp_workgroup());
+			   "(&(!(objectClass=builtinDomain))(objectclass=domain))");
 	if (ret <= 0) {
 		return NT_STATUS_NO_SUCH_DOMAIN;
 	}
diff --git a/source4/scripting/libjs/provision.js b/source4/scripting/libjs/provision.js
index b6a7c5978b..0bcb2fa761 100644
--- a/source4/scripting/libjs/provision.js
+++ b/source4/scripting/libjs/provision.js
@@ -56,19 +56,10 @@ function add_foreign(str, sid, desc, unixname)
 dn: CN=${SID},CN=ForeignSecurityPrincipals,${BASEDN}
 objectClass: top
 objectClass: foreignSecurityPrincipal
-cn: ${SID}
 description: ${DESC}
-instanceType: 4
-whenCreated: ${LDAPTIME}
-whenChanged: ${LDAPTIME}
+unixName: ${UNIXNAME}
 uSNCreated: 1
 uSNChanged: 1
-showInAdvancedViewOnly: TRUE
-name: ${SID}
-objectGUID: ${NEWGUID}
-objectSid: ${SID}
-objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,${BASEDN}
-unixName: ${UNIXNAME}
 ";
 	var sub = new Object();
 	sub.SID = sid;
@@ -212,7 +203,7 @@ function setup_file(template, fname, subobj)
 /*
   provision samba4 - caution, this wipes all existing data!
 */
-function provision(subobj, message)
+function provision(subobj, message, blank)
 {
 	var data = "";
 	var lp = loadparm_init();
@@ -249,7 +240,11 @@ function provision(subobj, message)
 	message("Setting up sam.ldb templates\n");
 	setup_ldb("provision_templates.ldif", "sam.ldb", subobj, NULL, false);
 	message("Setting up sam.ldb data\n");
-	setup_ldb("provision.ldif", "sam.ldb", subobj, data, false);
+	setup_ldb("provision.ldif", "sam.ldb", subobj, NULL, false);
+	if (blank == false) {
+		message("Setting up sam.ldb users and groups\n");
+		setup_ldb("provision_users.ldif", "sam.ldb", subobj, data, false);
+	}
 	message("Setting up rootdse.ldb\n");
 	setup_ldb("rootdse.ldif", "rootdse.ldb", subobj);
 	message("Setting up secrets.ldb\n");
diff --git a/source4/setup/provision b/source4/setup/provision
index 90363fcf20..dc542f59f0 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -27,7 +27,8 @@ ok = GetOptions(ARGV, options,
 		'nogroup=s',
 		'wheel=s',
 		'users=s',
-		'quiet');
+		'quiet',
+                'blank');
 if (ok == false) {
    println("Failed to parse options: " + options.ERROR);
    return -1;
@@ -72,6 +73,7 @@ provision [options]
  --wheel	GROUPNAME	choose 'wheel' privileged group
  --users	GROUPNAME	choose 'users' group
  --quiet			Be quiet
+ --blank			do not add users or groups, just the structure
 
 You must provide at least a realm and domain
 
@@ -106,6 +108,6 @@ for (r in options) {
 
 message("Provisioning for %s in realm %s\n", subobj.DOMAIN, subobj.REALM);
 message("Using administrator password: %s\n", subobj.ADMINPASS);
-provision(subobj, message);
+provision(subobj, message, options["blank"] != undefined);
 message("All OK\n");
 return 0;
diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
index 01dbc6366a..b2d0848946 100644
--- a/source4/setup/provision.ldif
+++ b/source4/setup/provision.ldif
@@ -23,6 +23,7 @@ nextRid: 1001
 pwdProperties: 1
 pwdHistoryLength: 24
 objectSid: ${DOMAINSID}
+oEMInformation: Provisioned by Samba4: ${LDAPTIME}
 serverState: 1
 nTMixedDomain: 1
 msDS-Behavior-Version: 0
@@ -172,464 +173,6 @@ modifiedCount: 1
 objectCategory: CN=Builtin-Domain,CN=Schema,CN=Configuration,${BASEDN}
 isCriticalSystemObject: TRUE
 
-dn: CN=Administrator,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: Administrator
-description: Built-in account for administering the computer/domain
-uSNCreated: 1
-memberOf: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
-memberOf: CN=Domain Admins,CN=Users,${BASEDN}
-memberOf: CN=Enterprise Admins,CN=Users,${BASEDN}
-memberOf: CN=Schema Admins,CN=Users,${BASEDN}
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-userAccountControl: 0x10200
-objectSid: ${DOMAINSID}-500
-adminCount: 1
-accountExpires: -1
-sAMAccountName: Administrator
-isCriticalSystemObject: TRUE
-unicodePwd: ${ADMINPASS}
-unixName: ${ROOT}
-
-dn: CN=Guest,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: Guest
-description: Built-in account for guest access to the computer/domain
-uSNCreated: 1
-memberOf: CN=Guests,CN=Builtin,${BASEDN}
-uSNChanged: 1
-userAccountControl: 0x10222
-primaryGroupID: 514
-objectSid: ${DOMAINSID}-501
-sAMAccountName: Guest
-isCriticalSystemObject: TRUE
-
-dn: CN=Administrators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Administrators
-description: Administrators have complete and unrestricted access to the computer/domain
-member: CN=Domain Admins,CN=Users,${BASEDN}
-member: CN=Enterprise Admins,CN=Users,${BASEDN}
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-544
-adminCount: 1
-sAMAccountName: Administrators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-privilege: SeSecurityPrivilege
-privilege: SeBackupPrivilege
-privilege: SeRestorePrivilege
-privilege: SeSystemtimePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeRemoteShutdownPrivilege
-privilege: SeTakeOwnershipPrivilege
-privilege: SeDebugPrivilege
-privilege: SeSystemEnvironmentPrivilege
-privilege: SeSystemProfilePrivilege
-privilege: SeProfileSingleProcessPrivilege
-privilege: SeIncreaseBasePriorityPrivilege
-privilege: SeLoadDriverPrivilege
-privilege: SeCreatePagefilePrivilege
-privilege: SeIncreaseQuotaPrivilege
-privilege: SeChangeNotifyPrivilege
-privilege: SeUndockPrivilege
-privilege: SeManageVolumePrivilege
-privilege: SeImpersonatePrivilege
-privilege: SeCreateGlobalPrivilege
-privilege: SeEnableDelegationPrivilege
-privilege: SeInteractiveLogonRight
-privilege: SeNetworkLogonRight
-privilege: SeRemoteInteractiveLogonRight
-
-
-dn: CN=Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Users
-description: Users are prevented from making accidental or intentional system-wide changes.  Thus, Users can run certified applications, but not most legacy applications
-member: CN=Domain Users,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-545
-sAMAccountName: Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Guests,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Guests
-description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
-member: CN=Domain Guests,CN=Users,${BASEDN}
-member: CN=Guest,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-546
-sAMAccountName: Guests
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${NOGROUP}
-
-dn: CN=Print Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Print Operators
-description: Members can administer domain printers
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-550
-adminCount: 1
-sAMAccountName: Print Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeLoadDriverPrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-
-dn: CN=Backup Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Backup Operators
-description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-551
-adminCount: 1
-sAMAccountName: Backup Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeBackupPrivilege
-privilege: SeRestorePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-
-dn: CN=Replicator,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Replicator
-description: Supports file replication in a domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-552
-adminCount: 1
-sAMAccountName: Replicator
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Remote Desktop Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Remote Desktop Users
-description: Members in this group are granted the right to logon remotely
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-555
-sAMAccountName: Remote Desktop Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Network Configuration Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Network Configuration Operators
-description: Members in this group can have some administrative privileges to manage configuration of networking features
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-556
-sAMAccountName: Network Configuration Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Performance Monitor Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Performance Monitor Users
-description: Members of this group have remote access to monitor this computer
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-558
-sAMAccountName: Performance Monitor Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Performance Log Users,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Performance Log Users
-description: Members of this group have remote access to schedule logging of performance counters on this computer
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-559
-sAMAccountName: Performance Log Users
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=${NETBIOSNAME},OU=Domain Controllers,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: computer
-cn: ${NETBIOSNAME}
-uSNCreated: 1
-uSNChanged: 1
-objectGUID: ${HOSTGUID}
-userAccountControl: 532480
-lastLogon: 127273269057298624
-localPolicyFlags: 0
-pwdLastSet: 127258826171655328
-primaryGroupID: 516
-objectSid: ${DOMAINSID}-1000
-accountExpires: 9223372036854775807
-sAMAccountName: ${NETBIOSNAME}$
-sAMAccountType: 805306369
-operatingSystem: Samba
-operatingSystemVersion: 4.0
-dNSHostName: ${DNSNAME}
-isCriticalSystemObject: TRUE
-unicodePwd: ${MACHINEPASS}
-servicePrincipalName: HOST/${DNSNAME}
-servicePrincipalName: HOST/${NETBIOSNAME}
-msDS-KeyVersionNumber: 1
-
-dn: CN=krbtgt,CN=Users,${BASEDN}
-objectClass: top
-objectClass: person
-objectClass: organizationalPerson
-objectClass: user
-cn: krbtgt
-description: Key Distribution Center Service Account
-uSNCreated: 1
-uSNChanged: 1
-showInAdvancedViewOnly: TRUE
-userAccountControl: 514
-pwdLastSet: 127258826179466560
-objectSid: ${DOMAINSID}-502
-adminCount: 1
-accountExpires: 9223372036854775807
-sAMAccountName: krbtgt
-sAMAccountType: 805306368
-servicePrincipalName: kadmin/changepw
-isCriticalSystemObject: TRUE
-unicodePwd: ${KRBTGTPASS}
-
-dn: CN=Domain Computers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Computers
-description: All workstations and servers joined to the domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-515
-sAMAccountName: Domain Computers
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Domain Controllers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Controllers
-description: All domain controllers in the domain
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-516
-adminCount: 1
-sAMAccountName: Domain Controllers
-isCriticalSystemObject: TRUE
-
-dn: CN=Schema Admins,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Schema Admins
-description: Designated administrators of the schema
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-518
-adminCount: 1
-sAMAccountName: Schema Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=Enterprise Admins,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Enterprise Admins
-description: Designated administrators of the enterprise
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-519
-adminCount: 1
-sAMAccountName: Enterprise Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=Cert Publishers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Cert Publishers
-description: Members of this group are permitted to publish certificates to the Active Directory
-uSNCreated: 1
-uSNChanged: 1
-groupType: 0x80000004
-sAMAccountType: 0x20000000
-objectSid: ${DOMAINSID}-517
-sAMAccountName: Cert Publishers
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Domain Admins,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Admins
-description: Designated administrators of the domain
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-memberOf: CN=Administrators,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-512
-adminCount: 1
-sAMAccountName: Domain Admins
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=Domain Users,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Users
-description: All domain users
-uSNCreated: 1
-memberOf: CN=Users,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-513
-sAMAccountName: Domain Users
-isCriticalSystemObject: TRUE
-unixName: ${USERS}
-
-dn: CN=Domain Guests,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Domain Guests
-description: All domain guests
-uSNCreated: 1
-memberOf: CN=Guests,CN=Builtin,${BASEDN}
-uSNChanged: 1
-objectSid: ${DOMAINSID}-514
-sAMAccountName: Domain Guests
-isCriticalSystemObject: TRUE
-
-dn: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Group Policy Creator Owners
-description: Members in this group can modify group policy for the domain
-member: CN=Administrator,CN=Users,${BASEDN}
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-520
-sAMAccountName: Group Policy Creator Owners
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-unixName: ${WHEEL}
-
-dn: CN=RAS and IAS Servers,CN=Users,${BASEDN}
-objectClass: top
-objectClass: group
-cn: RAS and IAS Servers
-description: Servers in this group can access remote access properties of users
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: ${DOMAINSID}-553
-sAMAccountName: RAS and IAS Servers
-sAMAccountType: 0x20000000
-groupType: 0x80000004
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-
-dn: CN=Server Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Server Operators
-description: Members can administer domain servers
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-549
-adminCount: 1
-sAMAccountName: Server Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeBackupPrivilege
-privilege: SeSystemtimePrivilege
-privilege: SeRemoteShutdownPrivilege
-privilege: SeRestorePrivilege
-privilege: SeShutdownPrivilege
-privilege: SeInteractiveLogonRight
-
-dn: CN=Account Operators,CN=Builtin,${BASEDN}
-objectClass: top
-objectClass: group
-cn: Account Operators
-description: Members can administer domain user and group accounts
-instanceType: 4
-uSNCreated: 1
-uSNChanged: 1
-objectSid: S-1-5-32-548
-adminCount: 1
-sAMAccountName: Account Operators
-sAMAccountType: 0x20000000
-systemFlags: 0x8c000000
-groupType: 0x80000005
-objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
-isCriticalSystemObject: TRUE
-privilege: SeInteractiveLogonRight
-
 ###############################
 # Configuration Naming Context
 ###############################
diff --git a/source4/setup/provision_templates.ldif b/source4/setup/provision_templates.ldif
index 9a045d2afc..3693f46558 100644
--- a/source4/setup/provision_templates.ldif
+++ b/source4/setup/provision_templates.ldif
@@ -121,6 +121,9 @@ objectClass: top
 objectClass: Template
 objectClass: foreignSecurityPrincipalTemplate
 cn: TemplateForeignSecurityPrincipal
+instanceType: 4
+showInAdvancedViewOnly: TRUE
+objectCategory: CN=Foreign-Security-Principal,CN=Schema,CN=Configuration,${BASEDN}
 
 dn: CN=TemplateSecret,CN=Templates,${BASEDN}
 objectClass: top
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
new file mode 100644
index 0000000000..2e420b226a
--- /dev/null
+++ b/source4/setup/provision_users.ldif
@@ -0,0 +1,459 @@
+dn: CN=Administrator,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: Administrator
+description: Built-in account for administering the computer/domain
+uSNCreated: 1
+memberOf: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
+memberOf: CN=Domain Admins,CN=Users,${BASEDN}
+memberOf: CN=Enterprise Admins,CN=Users,${BASEDN}
+memberOf: CN=Schema Admins,CN=Users,${BASEDN}
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+userAccountControl: 0x10200
+objectSid: ${DOMAINSID}-500
+adminCount: 1
+accountExpires: -1
+sAMAccountName: Administrator
+isCriticalSystemObject: TRUE
+unicodePwd: ${ADMINPASS}
+unixName: ${ROOT}
+
+dn: CN=Guest,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: Guest
+description: Built-in account for guest access to the computer/domain
+uSNCreated: 1
+memberOf: CN=Guests,CN=Builtin,${BASEDN}
+uSNChanged: 1
+userAccountControl: 0x10222
+primaryGroupID: 514
+objectSid: ${DOMAINSID}-501
+sAMAccountName: Guest
+isCriticalSystemObject: TRUE
+
+dn: CN=Administrators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Administrators
+description: Administrators have complete and unrestricted access to the computer/domain
+member: CN=Domain Admins,CN=Users,${BASEDN}
+member: CN=Enterprise Admins,CN=Users,${BASEDN}
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-544
+adminCount: 1
+sAMAccountName: Administrators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+privilege: SeSecurityPrivilege
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeTakeOwnershipPrivilege
+privilege: SeDebugPrivilege
+privilege: SeSystemEnvironmentPrivilege
+privilege: SeSystemProfilePrivilege
+privilege: SeProfileSingleProcessPrivilege
+privilege: SeIncreaseBasePriorityPrivilege
+privilege: SeLoadDriverPrivilege
+privilege: SeCreatePagefilePrivilege
+privilege: SeIncreaseQuotaPrivilege
+privilege: SeChangeNotifyPrivilege
+privilege: SeUndockPrivilege
+privilege: SeManageVolumePrivilege
+privilege: SeImpersonatePrivilege
+privilege: SeCreateGlobalPrivilege
+privilege: SeEnableDelegationPrivilege
+privilege: SeInteractiveLogonRight
+privilege: SeNetworkLogonRight
+privilege: SeRemoteInteractiveLogonRight
+
+
+dn: CN=${NETBIOSNAME},OU=Domain Controllers,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: computer
+cn: ${NETBIOSNAME}
+uSNCreated: 1
+uSNChanged: 1
+objectGUID: ${HOSTGUID}
+userAccountControl: 532480
+lastLogon: 127273269057298624
+localPolicyFlags: 0
+pwdLastSet: 127258826171655328
+primaryGroupID: 516
+objectSid: ${DOMAINSID}-1000
+accountExpires: 9223372036854775807
+sAMAccountName: ${NETBIOSNAME}$
+sAMAccountType: 805306369
+operatingSystem: Samba
+operatingSystemVersion: 4.0
+dNSHostName: ${DNSNAME}
+isCriticalSystemObject: TRUE
+unicodePwd: ${MACHINEPASS}
+servicePrincipalName: HOST/${DNSNAME}
+servicePrincipalName: HOST/${NETBIOSNAME}
+msDS-KeyVersionNumber: 1
+
+
+dn: CN=Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Users
+description: Users are prevented from making accidental or intentional system-wide changes.  Thus, Users can run certified applications, but not most legacy applications
+member: CN=Domain Users,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-545
+sAMAccountName: Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Guests,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Guests
+description: Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted
+member: CN=Domain Guests,CN=Users,${BASEDN}
+member: CN=Guest,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-546
+sAMAccountName: Guests
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${NOGROUP}
+
+dn: CN=Print Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Print Operators
+description: Members can administer domain printers
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-550
+adminCount: 1
+sAMAccountName: Print Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeLoadDriverPrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Backup Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Backup Operators
+description: Backup Operators can override security restrictions for the sole purpose of backing up or restoring files
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-551
+adminCount: 1
+sAMAccountName: Backup Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeBackupPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Replicator,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Replicator
+description: Supports file replication in a domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-552
+adminCount: 1
+sAMAccountName: Replicator
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Remote Desktop Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Remote Desktop Users
+description: Members in this group are granted the right to logon remotely
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-555
+sAMAccountName: Remote Desktop Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Network Configuration Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Network Configuration Operators
+description: Members in this group can have some administrative privileges to manage configuration of networking features
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-556
+sAMAccountName: Network Configuration Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Performance Monitor Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Performance Monitor Users
+description: Members of this group have remote access to monitor this computer
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-558
+sAMAccountName: Performance Monitor Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Performance Log Users,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Performance Log Users
+description: Members of this group have remote access to schedule logging of performance counters on this computer
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-559
+sAMAccountName: Performance Log Users
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=krbtgt,CN=Users,${BASEDN}
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: user
+cn: krbtgt
+description: Key Distribution Center Service Account
+uSNCreated: 1
+uSNChanged: 1
+showInAdvancedViewOnly: TRUE
+userAccountControl: 514
+pwdLastSet: 127258826179466560
+objectSid: ${DOMAINSID}-502
+adminCount: 1
+accountExpires: 9223372036854775807
+sAMAccountName: krbtgt
+sAMAccountType: 805306368
+servicePrincipalName: kadmin/changepw
+isCriticalSystemObject: TRUE
+unicodePwd: ${KRBTGTPASS}
+
+dn: CN=Domain Computers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Computers
+description: All workstations and servers joined to the domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-515
+sAMAccountName: Domain Computers
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Controllers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Controllers
+description: All domain controllers in the domain
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-516
+adminCount: 1
+sAMAccountName: Domain Controllers
+isCriticalSystemObject: TRUE
+
+dn: CN=Schema Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Schema Admins
+description: Designated administrators of the schema
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-518
+adminCount: 1
+sAMAccountName: Schema Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Enterprise Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Enterprise Admins
+description: Designated administrators of the enterprise
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-519
+adminCount: 1
+sAMAccountName: Enterprise Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Cert Publishers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Cert Publishers
+description: Members of this group are permitted to publish certificates to the Active Directory
+uSNCreated: 1
+uSNChanged: 1
+groupType: 0x80000004
+sAMAccountType: 0x20000000
+objectSid: ${DOMAINSID}-517
+sAMAccountName: Cert Publishers
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Domain Admins,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Admins
+description: Designated administrators of the domain
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+memberOf: CN=Administrators,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-512
+adminCount: 1
+sAMAccountName: Domain Admins
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=Domain Users,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Users
+description: All domain users
+uSNCreated: 1
+memberOf: CN=Users,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-513
+sAMAccountName: Domain Users
+isCriticalSystemObject: TRUE
+unixName: ${USERS}
+
+dn: CN=Domain Guests,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Domain Guests
+description: All domain guests
+uSNCreated: 1
+memberOf: CN=Guests,CN=Builtin,${BASEDN}
+uSNChanged: 1
+objectSid: ${DOMAINSID}-514
+sAMAccountName: Domain Guests
+isCriticalSystemObject: TRUE
+
+dn: CN=Group Policy Creator Owners,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Group Policy Creator Owners
+description: Members in this group can modify group policy for the domain
+member: CN=Administrator,CN=Users,${BASEDN}
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-520
+sAMAccountName: Group Policy Creator Owners
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+unixName: ${WHEEL}
+
+dn: CN=RAS and IAS Servers,CN=Users,${BASEDN}
+objectClass: top
+objectClass: group
+cn: RAS and IAS Servers
+description: Servers in this group can access remote access properties of users
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: ${DOMAINSID}-553
+sAMAccountName: RAS and IAS Servers
+sAMAccountType: 0x20000000
+groupType: 0x80000004
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+
+dn: CN=Server Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Server Operators
+description: Members can administer domain servers
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-549
+adminCount: 1
+sAMAccountName: Server Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeBackupPrivilege
+privilege: SeSystemtimePrivilege
+privilege: SeRemoteShutdownPrivilege
+privilege: SeRestorePrivilege
+privilege: SeShutdownPrivilege
+privilege: SeInteractiveLogonRight
+
+dn: CN=Account Operators,CN=Builtin,${BASEDN}
+objectClass: top
+objectClass: group
+cn: Account Operators
+description: Members can administer domain user and group accounts
+instanceType: 4
+uSNCreated: 1
+uSNChanged: 1
+objectSid: S-1-5-32-548
+adminCount: 1
+sAMAccountName: Account Operators
+sAMAccountType: 0x20000000
+systemFlags: 0x8c000000
+groupType: 0x80000005
+objectCategory: CN=Group,CN=Schema,CN=Configuration,${BASEDN}
+isCriticalSystemObject: TRUE
+privilege: SeInteractiveLogonRight
+