Needs script to synchronize sam and idmap databases

[AnrDaemon]

Need to write automatic script to fix idmap/sam #7 discrepacy. Fixing that shit by hands is error-prone and not really lead to anything good.

[AnrDaemon]

Ref: https://support.microsoft.com/en-us/kb/243330 There looks to be 3 major idmap blocks.

• Global SID's (S-1-5-X), like Authenticated Users (S-1-5-11);
• Built-in (like Administrators (S-1-5-32-544)) and default (Administrator (S-1-5-21-…-500)) SID's (RID 5xx);
• Custom SID's (S-1-5-21-…-XXXXX) - users and groups created by domain administrator.

Assuming custom SID's in range 30000+ (any sufficiently high range, in fact), the plan is to use 5xx range for 5xx SID's and let user choose range for global SID's. 1xxxx would probably work well.

[AnrDaemon]

The only default SID I know that doesn't fit the 5xx scheme is Enterprise Read-only Domain Controllers (S-1-5- 21-…-498). Given it is a Windows 2008 group and RODC's are not currently supported, it falls within the first category.

[AnrDaemon]

SAM is authoritative for remapping!