6.1.1.4.13 Roles Container
In AD LDS, each application NC and the config NC contain this container. It stores the well-known AD LDS groups for this NC. This container is not present in AD DS, nor are any of its child objects, which are specified later in this section.
name: Roles
parent: Application NC root or Config NC root
systemFlags: {FLAG_DISALLOW_DELETE}
Each child of the Roles container is a group with the following attributes:
parent: Roles Container
objectClass: group
objectSid: A SID with two SubAuthority values, consisting of the objectSid of the NC root followed by the RID that is specified for each child in the following subsections.
groupType: {GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED}
member: Unless otherwise noted in the following sections, the initial membership of each group is empty. After initialization, the administrator can modify the membership of each group.
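The attribute list above can be checked mechanically. The following Python is an added example, not part of the specification: it derives the expected objectSid of a Roles child from the NC root's binary SID and audits one directory entry. The NC root SID, the RID 9999 and the entry are constructed sample values (the real RID for each group is given in the following subsections), and the groupType flag values are the standard Windows definitions.

```python
import struct

# Flag values from the standard Windows definitions of the groupType bits.
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002
GROUP_TYPE_SECURITY_ENABLED = 0x80000000
EXPECTED_GROUP_TYPE = GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_SECURITY_ENABLED

def parse_sid(raw):
    """Decode a binary SID into (revision, identifier_authority, sub_authorities)."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    subs = list(struct.unpack("<%dI" % raw[1], raw[8:]))
    return raw[0], int.from_bytes(raw[2:8], "big"), subs

def build_sid(revision, authority, subs):
    """Encode a SID: revision, count, 6-byte big-endian authority, LE sub-authorities."""
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def expected_role_sid(nc_root_sid, rid):
    """objectSid of a Roles child: the NC root's SID followed by the group's RID."""
    rev, auth, subs = parse_sid(nc_root_sid)
    return build_sid(rev, auth, subs + [rid])

def audit_role_group(entry, nc_root_sid, rid):
    """Return the deviations of one Roles child from the attributes listed above."""
    problems = []
    if "group" not in entry.get("objectClass", []):
        problems.append("objectClass is not group")
    # LDAP returns groupType as a signed 32-bit decimal; normalise to unsigned.
    if int(entry.get("groupType", 0)) & 0xFFFFFFFF != EXPECTED_GROUP_TYPE:
        problems.append("unexpected groupType")
    try:
        sid_ok = entry["objectSid"] == expected_role_sid(nc_root_sid, rid)
        sid_ok = sid_ok and len(parse_sid(entry["objectSid"])[2]) == 2
    except (KeyError, ValueError):
        sid_ok = False
    if not sid_ok:
        problems.append("objectSid is not NC root SID + RID with two SubAuthority values")
    return problems

# Constructed sample data (not from a real instance).
SAMPLE_NC_SID = build_sid(1, 5, [123456789])
SAMPLE_RID = 9999  # placeholder; the real RID is given per group in the spec
SAMPLE_ENTRY = {"objectClass": ["top", "group"], "groupType": "-2147483646",
                "objectSid": expected_role_sid(SAMPLE_NC_SID, SAMPLE_RID)}

if __name__ == "__main__":
    print(audit_role_group(SAMPLE_ENTRY, SAMPLE_NC_SID, SAMPLE_RID))
```

An empty list means the entry conforms; a group whose groupType or objectSid has drifted from these values is worth investigating, since membership in these groups is security-relevant.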