6.1.1.4.13 Roles Container

In AD LDS, each application NC and the config NC contain this container. It stores the well-known AD LDS groups for this NC. This container is not present in AD DS, nor are any of its child objects, which are specified later in this section.

name: Roles

parent: Application NC root or Config NC root

objectClass: container

systemFlags: {FLAG_DISALLOW_DELETE}

Each child of the Roles container is a group with the following attributes:

parent: Roles Container

objectClass: group

objectSid: A SID with two SubAuthority values, consisting of the objectSid of the NC root followed by the RID that is specified for each child in the following subsections.

groupType: {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}

member: Unless otherwise noted in the following sections, the initial membership of each group is empty. After initialization the administrator can modify the membership of each group.
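The objectSid and groupType rules above can be checked mechanically when auditing an AD LDS instance. The following is an added example, not part of the specification: the function names are hypothetical, the NC root SID and the RID are constructed placeholders (the real RIDs are given in the subsections for each child), and it assumes the NC root objectSid carries a single SubAuthority so that appending the RID yields the two values stated above.

```python
import struct

# Flag values defined for the groupType attribute in MS-ADTS.
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

def parse_sid(raw: bytes):
    """Decode a binary SID into (revision, identifier_authority, sub_authorities)."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID: length does not match SubAuthorityCount")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit, big-endian
    subs = list(struct.unpack("<%dI" % raw[1], raw[8:]))  # 32-bit, little-endian
    return raw[0], authority, subs

def pack_sid(revision: int, authority: int, subs) -> bytes:
    """Encode a SID in the binary form stored in objectSid."""
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)

def sid_string(raw: bytes) -> str:
    rev, auth, subs = parse_sid(raw)
    return "-".join(["S", str(rev), str(auth)] + [str(s) for s in subs])

def expected_role_sid(nc_root_sid: bytes, rid: int) -> bytes:
    """objectSid of a Roles child: the NC root's SID followed by the child's RID."""
    rev, auth, subs = parse_sid(nc_root_sid)
    return pack_sid(rev, auth, subs + [rid])

def audit_role_group(nc_root_sid: bytes, rid: int, object_sid: bytes, group_type: int):
    """Return the ways a group entry deviates from the Roles child definition."""
    findings = []
    if object_sid != expected_role_sid(nc_root_sid, rid):
        findings.append("objectSid is not NC root SID + RID")
    elif len(parse_sid(object_sid)[2]) != 2:
        findings.append("objectSid does not have two SubAuthority values")
    # LDAP returns groupType as a signed 32-bit integer; mask before comparing.
    if (group_type & 0xFFFFFFFF) != (GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED):
        findings.append("groupType is not ACCOUNT_GROUP | SECURITY_ENABLED")
    return findings

# Constructed sample values (placeholders, not taken from the specification).
NC_ROOT_SID = pack_sid(1, 5, [3000000001])
PLACEHOLDER_RID = 1000
```

An empty result from `audit_role_group` means the entry matches the definition; the group's `member` attribute is not checked here because its initial value depends on the individual child.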