diff options
| author | Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de> | 2010-01-10 10:47:30 +0100 |
|---|---|---|
| committer | Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de> | 2010-01-10 10:50:46 +0100 |
| commit | 5c174c68ccba7506147feab1d09ad676792139b3 (patch) | |
| tree | ba78b92031b5043e9c7fbefca5785cf25766ad52 /source4/setup | |
| parent | a3e089db19384221c65996b158b7fa3aaf512792 (diff) | |
| download | samba-5c174c68ccba7506147feab1d09ad676792139b3.tar.gz samba-5c174c68ccba7506147feab1d09ad676792139b3.tar.bz2 samba-5c174c68ccba7506147feab1d09ad676792139b3.zip | |
s4:provision_users.ldif - Import all essential groups for Windows Server 2008 mode
Additionally I had to fix some bugs (especially wrong "groupTypes") and
reordered the objects using the SID (this is easier when enhancing the file).
Diffstat (limited to 'source4/setup')
| -rw-r--r-- | source4/setup/provision_users.ldif | 198 |
1 files changed, 113 insertions, 85 deletions
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif index c27249d2c5..58b7d159d8 100644 --- a/source4/setup/provision_users.ldif +++ b/source4/setup/provision_users.ldif @@ -75,105 +75,98 @@ isCriticalSystemObject: TRUE # Add other groups -dn: CN=Enterprise Admins,CN=Users,${DOMAINDN} +dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Designated administrators of the enterprise -member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-519 -adminCount: 1 -sAMAccountName: Enterprise Admins +description: Members of this group are Read-Only Domain Controllers in the enterprise +objectSid: ${DOMAINSID}-498 +sAMAccountName: Enterprise Read-Only Domain Controllers +groupType: -2147483640 isCriticalSystemObject: TRUE -dn: CN=Schema Admins,CN=Users,${DOMAINDN} +dn: CN=Domain Admins,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Designated administrators of the schema +description: Designated administrators of the domain member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-518 +objectSid: ${DOMAINSID}-512 adminCount: 1 -sAMAccountName: Schema Admins +sAMAccountName: Domain Admins isCriticalSystemObject: TRUE dn: CN=Cert Publishers,CN=Users,${DOMAINDN} objectClass: top objectClass: group description: Members of this group are permitted to publish certificates to the Active Directory -groupType: -2147483644 objectSid: ${DOMAINSID}-517 sAMAccountName: Cert Publishers +groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=Domain Admins,CN=Users,${DOMAINDN} +dn: CN=Schema Admins,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Designated administrators of the domain +description: Designated administrators of the schema member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-512 +objectSid: ${DOMAINSID}-518 adminCount: 1 -sAMAccountName: Domain Admins +sAMAccountName: Schema Admins +groupType: -2147483640 isCriticalSystemObject: TRUE -dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN} +dn: CN=Enterprise Admins,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Members in this group can modify group policy for the domain +description: Designated administrators of the enterprise member: CN=Administrator,CN=Users,${DOMAINDN} -objectSid: ${DOMAINSID}-520 -sAMAccountName: Group Policy Creator Owners +objectSid: ${DOMAINSID}-519 +adminCount: 1 +sAMAccountName: Enterprise Admins +groupType: -2147483640 isCriticalSystemObject: TRUE -dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN} +dn: CN=Group Policy Creator Owners,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Servers in this group can access remote access properties of users -objectSid: ${DOMAINSID}-553 -sAMAccountName: RAS and IAS Servers -groupType: -2147483644 +description: Members in this group can modify group policy for the domain +member: CN=Administrator,CN=Users,${DOMAINDN} +objectSid: ${DOMAINSID}-520 +sAMAccountName: Group Policy Creator Owners isCriticalSystemObject: TRUE dn: CN=Read-Only Domain Controllers,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Read-only domain controllers +description: Members of this group are Read-Only Domain Controllers in the domain objectSid: ${DOMAINSID}-521 +adminCount: 1 sAMAccountName: Read-Only Domain Controllers -groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=Enterprise Read-Only Domain Controllers,CN=Users,${DOMAINDN} +dn: CN=RAS and IAS Servers,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Enterprise read-only domain controllers -objectSid: ${DOMAINSID}-498 -sAMAccountName: Enterprise Read-Only Domain Controllers +description: Servers in this group can access remote access properties of users +objectSid: ${DOMAINSID}-553 +sAMAccountName: RAS and IAS Servers groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=Certificate Service DCOM Access,CN=Users,${DOMAINDN} +dn: CN=Allowed RODC Password Replication Group,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Certificate Service DCOM Access -objectSid: ${DOMAINSID}-574 -sAMAccountName: Certificate Service DCOM Access +description: Members in this group can have their passwords replicated to all read-only domain controllers in the domain. +objectSid: ${DOMAINSID}-571 +sAMAccountName: Allowed RODC Password Replication Group groupType: -2147483644 isCriticalSystemObject: TRUE -dn: CN=Cryptographic Operators,CN=Users,${DOMAINDN} +dn: CN=Denied RODC Password Replication Group,CN=Users,${DOMAINDN} objectClass: top objectClass: group -description: Cryptographic Operators -objectSid: ${DOMAINSID}-569 -sAMAccountName: Cryptographic Operators -groupType: -2147483644 -isCriticalSystemObject: TRUE - -dn: CN=Event Log Readers,CN=Users,${DOMAINDN} -objectClass: top -objectClass: group -description: Event Log Readers -objectSid: ${DOMAINSID}-573 -sAMAccountName: Event Log Readers +description: Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain. +objectSid: ${DOMAINSID}-572 +sAMAccountName: Denied RODC Password Replication Group groupType: -2147483644 isCriticalSystemObject: TRUE @@ -194,6 +187,11 @@ objectClass: top objectClass: foreignSecurityPrincipal objectSid: S-1-5-11 +dn: CN=S-1-5-17,CN=ForeignSecurityPrincipals,${DOMAINDN} +objectClass: top +objectClass: foreignSecurityPrincipal +objectSid: S-1-5-17 + dn: CN=S-1-5-20,CN=ForeignSecurityPrincipals,${DOMAINDN} objectClass: top objectClass: foreignSecurityPrincipal @@ -240,6 +238,28 @@ systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE +dn: CN=Account Operators,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +description: Members can administer domain user and group accounts +objectSid: S-1-5-32-548 +adminCount: 1 +sAMAccountName: Account Operators +systemFlags: -1946157056 +groupType: -2147483643 +isCriticalSystemObject: TRUE + +dn: CN=Server Operators,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +description: Members can administer domain servers +objectSid: S-1-5-32-549 +adminCount: 1 +sAMAccountName: Server Operators +systemFlags: -1946157056 +groupType: -2147483643 +isCriticalSystemObject: TRUE + dn: CN=Print Operators,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group @@ -273,6 +293,17 @@ systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE +dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +description: A backward compatibility group which allows read access on all users and groups in the domain +member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN} +objectSid: S-1-5-32-554 +sAMAccountName: Pre-Windows 2000 Compatible Access +systemFlags: -1946157056 +groupType: -2147483643 +isCriticalSystemObject: TRUE + dn: CN=Remote Desktop Users,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group @@ -293,6 +324,16 @@ systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE +dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN} +objectClass: top +objectClass: group +description: Members of this group can create incoming, one-way trusts to this forest +objectSid: S-1-5-32-557 +sAMAccountName: Incoming Forest Trust Builders +systemFlags: -1946157056 +groupType: -2147483643 +isCriticalSystemObject: TRUE + dn: CN=Performance Monitor Users,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group @@ -314,76 +355,63 @@ systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Server Operators,CN=Builtin,${DOMAINDN} -objectClass: top -objectClass: group -description: Members can administer domain servers -objectSid: S-1-5-32-549 -adminCount: 1 -sAMAccountName: Server Operators -systemFlags: -1946157056 -groupType: -2147483643 -isCriticalSystemObject: TRUE - -dn: CN=Account Operators,CN=Builtin,${DOMAINDN} +dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members can administer domain user and group accounts -objectSid: S-1-5-32-548 -adminCount: 1 -sAMAccountName: Account Operators +description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects +member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN} +objectSid: S-1-5-32-560 +sAMAccountName: Windows Authorization Access Group systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN} +dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: A backward compatibility group which allows read access on all users and groups in the domain -member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,${DOMAINDN} -objectSid: S-1-5-32-554 -sAMAccountName: Pre-Windows 2000 Compatible Access +description: Terminal Server License Servers +objectSid: S-1-5-32-561 +sAMAccountName: Terminal Server License Servers systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN} +dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members of this group can create incoming, one-way trusts to this forest -objectSid: S-1-5-32-557 -sAMAccountName: Incoming Forest Trust Builders +description: Members are allowed to launch, activate and use Distributed COM objects on this machine. +objectSid: S-1-5-32-562 +sAMAccountName: Distributed COM Users systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN} +dn: CN=Cryptographic Operators,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects -member: CN=S-1-5-9,CN=ForeignSecurityPrincipals,${DOMAINDN} -objectSid: S-1-5-32-560 -sAMAccountName: Windows Authorization Access Group +description: Members are authorized to perform cryptographic operations. +objectSid: S-1-5-32-569 +sAMAccountName: Cryptographic Operators systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN} +dn: CN=Event Log Readers,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Terminal Server License Servers -objectSid: S-1-5-32-561 -sAMAccountName: Terminal Server License Servers +description: Members of this group can read event logs from local machine. +objectSid: S-1-5-32-573 +sAMAccountName: Event Log Readers systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE -dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN} +dn: CN=Certificate Service DCOM Access,CN=Builtin,${DOMAINDN} objectClass: top objectClass: group -description: Members are allowed to launch, activate and use Distributed COM objects on this machine. -objectSid: S-1-5-32-562 -sAMAccountName: Distributed COM Users +description: Members of this group are allowed to connect to Certification Authorities in the enterprise. +objectSid: S-1-5-32-574 +sAMAccountName: Certificate Service DCOM Access systemFlags: -1946157056 groupType: -2147483643 isCriticalSystemObject: TRUE |