try to put every security descriptors related definitions in the same file.

also try to uniform names to a clean scheme.

first part.
(This used to be commit a123e05877caf90c28980be2d84b1d0b46e4fd21)

10 files changed, 327 insertions, 239 deletions

diff --git a/source3/include/rpc_samr.h b/source3/include/rpc_samr.h
index 6b537715b8..e1fa9c06bc 100644
--- a/source3/include/rpc_samr.h
+++ b/source3/include/rpc_samr.h
@@ -147,172 +147,6 @@ SamrTestPrivateFunctionsUser
 #define SAMR_SET_USERINFO      0x3A
 #define SAMR_CONNECT4          0x3E
 
-/* Access bits to the SAM-object */
-
-#define SAMR_ACCESS_UNKNOWN_1        0x00000001
-#define SAMR_ACCESS_SHUTDOWN_SERVER  0x00000002
-#define SAMR_ACCESS_UNKNOWN_4        0x00000004
-#define SAMR_ACCESS_UNKNOWN_8        0x00000008
-#define SAMR_ACCESS_ENUM_DOMAINS     0x00000010
-#define SAMR_ACCESS_OPEN_DOMAIN      0x00000020
-
-#define SAMR_ALL_ACCESS  ( STANDARD_RIGHTS_REQUIRED_ACCESS | \
-                           SAMR_ACCESS_OPEN_DOMAIN         | \
-			   SAMR_ACCESS_ENUM_DOMAINS        | \
-			   SAMR_ACCESS_UNKNOWN_8           | \
-			   SAMR_ACCESS_UNKNOWN_4           | \
-			   SAMR_ACCESS_SHUTDOWN_SERVER     | \
-			   SAMR_ACCESS_UNKNOWN_1 )
-			   
-#define SAMR_READ        ( STANDARD_RIGHTS_READ_ACCESS     | \
-                           SAMR_ACCESS_ENUM_DOMAINS )
-
-#define SAMR_WRITE       ( STANDARD_RIGHTS_WRITE_ACCESS    | \
-                           SAMR_ACCESS_UNKNOWN_8           | \
-			   SAMR_ACCESS_UNKNOWN_4           | \
-			   SAMR_ACCESS_SHUTDOWN_SERVER )
-
-#define SAMR_EXECUTE     ( STANDARD_RIGHTS_EXECUTE_ACCESS  | \
-                           SAMR_ACCESS_OPEN_DOMAIN         | \
-			   SAMR_ACCESS_UNKNOWN_1 )            
-
-/* Access bits to Domain-objects */
-  
-#define DOMAIN_ACCESS_LOOKUP_INFO_1        0x000000001
-#define DOMAIN_ACCESS_SET_INFO_1           0x000000002
-#define DOMAIN_ACCESS_LOOKUP_INFO_2        0x000000004
-#define DOMAIN_ACCESS_SET_INFO_2           0x000000008
-#define DOMAIN_ACCESS_CREATE_USER          0x000000010
-#define DOMAIN_ACCESS_CREATE_GROUP         0x000000020
-#define DOMAIN_ACCESS_CREATE_ALIAS         0x000000040
-#define DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM  0x000000080
-#define DOMAIN_ACCESS_ENUM_ACCOUNTS        0x000000100
-#define DOMAIN_ACCESS_OPEN_ACCOUNT         0x000000200
-#define DOMAIN_ACCESS_SET_INFO_3           0x000000400
- 
-#define DOMAIN_ALL_ACCESS  ( STANDARD_RIGHTS_REQUIRED_ACCESS   | \
-                             DOMAIN_ACCESS_SET_INFO_3          | \
- 			     DOMAIN_ACCESS_OPEN_ACCOUNT        | \
- 			     DOMAIN_ACCESS_ENUM_ACCOUNTS       | \
- 			     DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM | \
- 			     DOMAIN_ACCESS_CREATE_ALIAS        | \
- 			     DOMAIN_ACCESS_CREATE_GROUP        | \
- 			     DOMAIN_ACCESS_CREATE_USER         | \
- 			     DOMAIN_ACCESS_SET_INFO_2          | \
-			     DOMAIN_ACCESS_LOOKUP_INFO_2       | \
- 			     DOMAIN_ACCESS_SET_INFO_1          | \
-  			     DOMAIN_ACCESS_LOOKUP_INFO_1 )
-  			   
-#define DOMAIN_READ        ( STANDARD_RIGHTS_READ_ACCESS       | \
-                             DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM | \
-  			     DOMAIN_ACCESS_LOOKUP_INFO_2 )
-  
-#define DOMAIN_WRITE       ( STANDARD_RIGHTS_WRITE_ACCESS      | \
-                             DOMAIN_ACCESS_SET_INFO_3          | \
- 			     DOMAIN_ACCESS_CREATE_ALIAS        | \
- 			     DOMAIN_ACCESS_CREATE_GROUP        | \
- 			     DOMAIN_ACCESS_CREATE_USER         | \
- 			     DOMAIN_ACCESS_SET_INFO_2          | \
-  			     DOMAIN_ACCESS_SET_INFO_1 )
-  
-#define DOMAIN_EXECUTE     ( STANDARD_RIGHTS_EXECUTE_ACCESS    | \
-                             DOMAIN_ACCESS_OPEN_ACCOUNT        | \
- 			     DOMAIN_ACCESS_ENUM_ACCOUNTS       | \
-  			     DOMAIN_ACCESS_LOOKUP_INFO_1 )            
-  
-/* Access bits to User-objects */
-
-#define USER_ACCESS_GET_NAME_ETC     0x00000001
-#define USER_ACCESS_GET_LOCALE       0x00000002
-#define USER_ACCESS_SET_LOC_COM      0x00000004
-#define USER_ACCESS_GET_LOGONINFO    0x00000008
-#define USER_ACCESS_UNKNOWN_10       0x00000010
-#define USER_ACCESS_SET_ATTRIBUTES   0x00000020
-#define USER_ACCESS_CHANGE_PASSWORD  0x00000040
-#define USER_ACCESS_SET_PASSWORD     0x00000080
-#define USER_ACCESS_GET_GROUPS       0x00000100
-#define USER_ACCESS_UNKNOWN_200      0x00000200
-#define USER_ACCESS_UNKNOWN_400      0x00000400
-
-#define USER_ALL_ACCESS    ( STANDARD_RIGHTS_REQUIRED_ACCESS | \
-                             USER_ACCESS_UNKNOWN_400       | \
-			     USER_ACCESS_UNKNOWN_200       | \
-			     USER_ACCESS_GET_GROUPS        | \
-			     USER_ACCESS_SET_PASSWORD      | \
-			     USER_ACCESS_CHANGE_PASSWORD   | \
-			     USER_ACCESS_SET_ATTRIBUTES    | \
-			     USER_ACCESS_UNKNOWN_10        | \
-			     USER_ACCESS_GET_LOGONINFO     | \
-			     USER_ACCESS_SET_LOC_COM       | \
-			     USER_ACCESS_GET_LOCALE        | \
-			     USER_ACCESS_GET_NAME_ETC )
-			   
-#define USER_READ          ( STANDARD_RIGHTS_READ_ACCESS     | \
-                             USER_ACCESS_UNKNOWN_200         | \
-			     USER_ACCESS_GET_GROUPS          | \
-			     USER_ACCESS_UNKNOWN_10          | \
-			     USER_ACCESS_GET_LOGONINFO       | \
-			     USER_ACCESS_GET_LOCALE )
-
-#define USER_WRITE         ( STANDARD_RIGHTS_WRITE_ACCESS    | \
-                             USER_ACCESS_CHANGE_PASSWORD     | \
-			     USER_ACCESS_SET_LOC_COM )
-			     
-#define USER_EXECUTE       ( STANDARD_RIGHTS_EXECUTE_ACCESS  | \
-                             USER_ACCESS_CHANGE_PASSWORD     | \
-			     USER_ACCESS_GET_NAME_ETC )
-
-/* Access bits to Group-objects */
-
-#define GROUP_ACCESS_LOOKUP_INFO     0x00000001
-#define GROUP_ACCESS_SET_INFO        0x00000002
-#define GROUP_ACCESS_ADD_MEMBER      0x00000004
-#define GROUP_ACCESS_REMOVE_MEMBER   0x00000008
-#define GROUP_ACCESS_GET_MEMBERS     0x00000010
-
-#define GROUP_ALL_ACCESS   ( STANDARD_RIGHTS_REQUIRED_ACCESS | \
-                             GROUP_ACCESS_GET_MEMBERS        | \
-			     GROUP_ACCESS_REMOVE_MEMBER      | \
-			     GROUP_ACCESS_ADD_MEMBER         | \
-			     GROUP_ACCESS_SET_INFO           | \
-			     GROUP_ACCESS_LOOKUP_INFO )
-			   
-#define GROUP_READ         ( STANDARD_RIGHTS_READ_ACCESS     | \
-                             GROUP_ACCESS_GET_MEMBERS )
-
-#define GROUP_WRITE        ( STANDARD_RIGHTS_WRITE_ACCESS    | \
-                             GROUP_ACCESS_REMOVE_MEMBER      | \
-			     GROUP_ACCESS_ADD_MEMBER         | \
-			     GROUP_ACCESS_SET_INFO )
-			     
-#define GROUP_EXECUTE      ( STANDARD_RIGHTS_EXECUTE_ACCESS  | \
-                             GROUP_ACCESS_LOOKUP_INFO )
-			     
-/* Access bits to Alias-objects */
-
-#define ALIAS_ACCESS_ADD_MEMBER      0x00000001
-#define ALIAS_ACCESS_REMOVE_MEMBER   0x00000002
-#define ALIAS_ACCESS_GET_MEMBERS     0x00000004
-#define ALIAS_ACCESS_LOOKUP_INFO     0x00000008
-#define ALIAS_ACCESS_SET_INFO        0x00000010
-
-#define ALIAS_ALL_ACCESS   ( STANDARD_RIGHTS_REQUIRED_ACCESS | \
-                             ALIAS_ACCESS_GET_MEMBERS        | \
-			     ALIAS_ACCESS_REMOVE_MEMBER      | \
-			     ALIAS_ACCESS_ADD_MEMBER         | \
-			     ALIAS_ACCESS_SET_INFO           | \
-			     ALIAS_ACCESS_LOOKUP_INFO )
-			   
-#define ALIAS_READ         ( STANDARD_RIGHTS_READ_ACCESS     | \
-                             ALIAS_ACCESS_GET_MEMBERS )
-
-#define ALIAS_WRITE        ( STANDARD_RIGHTS_WRITE_ACCESS    | \
-                             ALIAS_ACCESS_REMOVE_MEMBER      | \
-			     ALIAS_ACCESS_ADD_MEMBER         | \
-			     ALIAS_ACCESS_SET_INFO )
-			     
-#define ALIAS_EXECUTE      ( STANDARD_RIGHTS_EXECUTE_ACCESS  | \
-                             ALIAS_ACCESS_LOOKUP_INFO )
 
 typedef struct _DISP_USER_INFO {
 	SAM_ACCOUNT *sam;
diff --git a/source3/include/rpc_secdes.h b/source3/include/rpc_secdes.h
index e51a5fd2f8..1bb25e8651 100644
--- a/source3/include/rpc_secdes.h
+++ b/source3/include/rpc_secdes.h
@@ -31,6 +31,7 @@
 #define SEC_RIGHTS_READ			0x00020019
 #define SEC_RIGHTS_FULL_CONTROL		0x000f003f
 #define SEC_RIGHTS_MAXIMUM_ALLOWED	0x02000000
+
 /* for ADS */
 #define	SEC_RIGHTS_LIST_CONTENTS	0x4
 #define SEC_RIGHTS_LIST_OBJECT		0x80
@@ -211,4 +212,250 @@ typedef struct standard_mapping {
 	uint32 std_all;
 } STANDARD_MAPPING;
 
+
+/* Security Access Masks Rights */
+
+#define SPECIFIC_RIGHTS_MASK	0x0000FFFF
+#define STANDARD_RIGHTS_MASK	0x00FF0000
+#define GENERIC_RIGHTS_MASK	0xF0000000
+
+#define SEC_RIGHT_SYSTEM_SECURITY	0x01000000
+#define SEC_RIGHT_MAXIMUM_ALLOWED	0x02000000
+
+/* Generic access rights */
+
+#define GENERIC_RIGHT_ALL_ACCESS	0x10000000
+#define GENERIC_RIGHT_EXECUTE_ACCESS	0x20000000
+#define GENERIC_RIGHT_WRITE_ACCESS	0x40000000
+#define GENERIC_RIGHT_READ_ACCESS	0x80000000
+
+/* Standard access rights. */
+
+#define STD_RIGHT_DELETE_ACCESS		0x00010000
+#define STD_RIGHT_READ_CONTROL_ACCESS	0x00020000
+#define STD_RIGHT_WRITE_DAC_ACCESS	0x00040000
+#define STD_RIGHT_WRITE_OWNER_ACCESS	0x00080000
+#define STD_RIGHT_SYNCHRONIZE_ACCESS	0x00100000
+
+#define STD_RIGHT_ALL_ACCESS		0x001F0000
+
+/* Combinations of standard masks. */
+#define STANDARD_RIGHTS_ALL_ACCESS	STD_RIGHT_ALL_ACCESS /* 0x001f0000 */
+#define STANDARD_RIGHTS_EXECUTE_ACCESS	STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
+#define STANDARD_RIGHTS_READ_ACCESS	STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
+#define STANDARD_RIGHTS_WRITE_ACCESS	STD_RIGHT_READ_CONTROL_ACCESS /* 0x00020000 */
+#define STANDARD_RIGHTS_REQUIRED_ACCESS \
+		(STD_RIGHT_DELETE_ACCESS	| \
+		STD_RIGHT_READ_CONTROL_ACCESS	| \
+		STD_RIGHT_WRITE_DAC_ACCESS	| \
+		STD_RIGHT_WRITE_OWNER_ACCESS)	/* 0x000f0000 */
+
+/* File Object specific access rights */
+
+#define SA_RIGHT_FILE_READ_DATA		0x00000001
+#define SA_RIGHT_FILE_WRITE_DATA	0x00000002
+#define SA_RIGHT_FILE_APPEND_DATA	0x00000004
+#define SA_RIGHT_FILE_READ_EA		0x00000008
+#define SA_RIGHT_FILE_WRITE_EA		0x00000010
+#define SA_RIGHT_FILE_EXECUTE		0x00000020
+#define SA_RIGHT_FILE_DELETE_CHILD	0x00000040
+#define SA_RIGHT_FILE_READ_ATTRIBUTES	0x00000080
+#define SA_RIGHT_FILE_WRITE_ATTRIBUTES	0x00000100
+
+#define SA_RIGHT_FILE_ALL_ACCESS	0x000001FF
+
+#define GENERIC_RIGHTS_FILE_ALL_ACCESS \
+		(STANDARD_RIGHTS_REQUIRED_ACCESS| \
+		STD_RIGHT_SYNCHRONIZE_ACCESS	| \
+		SA_RIGHT_FILE_ALL_ACCESS)
+
+#define GENERIC_RIGHTS_FILE_READ	\
+		(STANDARD_RIGHTS_READ_ACCESS	| \
+		STD_RIGHT_SYNCHRONIZE_ACCESS	| \
+		SA_RIGHT_FILE_READ_DATA		| \
+		SA_RIGHT_FILE_READ_ATTRIBUTES	| \
+		SA_RIGHT_FILE_READ_EA)
+
+#define GENERIC_RIGHTS_FILE_WRITE \
+		(STANDARD_RIGHTS_WRITE_ACCESS	| \
+		STD_RIGHT_SYNCHRONIZE_ACCESS	| \
+		SA_RIGHT_FILE_WRITE_DATA	| \
+		SA_RIGHT_FILE_WRITE_ATTRIBUTES	| \
+		SA_RIGHT_FILE_WRITE_EA		| \
+		SA_RIGHT_FILE_APPEND_DATA)
+
+#define GENERIC_RIGHTS_FILE_EXECUTE \
+		(STANDARD_RIGHTS_EXECUTE_ACCESS	| \
+		SA_RIGHT_FILE_READ_ATTRIBUTES	| \
+		SA_RIGHT_FILE_EXECUTE)            
+
+		
+/* SAM Object specific access rights */
+
+#define SA_RIGHT_SAM_UNKNOWN_1		0x00000001
+#define SA_RIGHT_SAM_SHUTDOWN_SERVER	0x00000002
+#define SA_RIGHT_SAM_UNKNOWN_4		0x00000004
+#define SA_RIGHT_SAM_UNKNOWN_8		0x00000008
+#define SA_RIGHT_SAM_ENUM_DOMAINS	0x00000010
+#define SA_RIGHT_SAM_OPEN_DOMAIN	0x00000020
+
+#define SA_RIGHT_SAM_ALL_ACCESS		0x0000003F
+
+#define GENERIC_RIGHTS_SAM_ALL_ACCESS \
+		(STANDARD_RIGHTS_REQUIRED_ACCESS| \
+		SA_RIGHT_SAM_ALL_ACCESS)
+
+#define GENERIC_RIGHTS_SAM_READ	\
+		(STANDARD_RIGHTS_READ_ACCESS	| \
+		SA_RIGHT_SAM_ENUM_DOMAINS)
+
+#define GENERIC_RIGHTS_SAM_WRITE \
+		(STANDARD_RIGHTS_WRITE_ACCESS	| \
+		SA_RIGHT_SAM_UNKNOWN_8		| \
+		SA_RIGHT_SAM_UNKNOWN_4		| \
+		SA_RIGHT_SAM_SHUTDOWN_SERVER)
+
+#define GENERIC_RIGHTS_SAM_EXECUTE \
+		(STANDARD_RIGHTS_EXECUTE_ACCESS	| \
+		SA_RIGHT_SAM_OPEN_DOMAIN	| \
+		SA_RIGHT_SAM_UNKNOWN_1)            
+
+
+/* Domain Object specific access rights */
+
+#define SA_RIGHT_DOMAIN_LOOKUP_INFO_1		0x00000001
+#define SA_RIGHT_DOMAIN_SET_INFO_1		0x00000002
+#define SA_RIGHT_DOMAIN_LOOKUP_INFO_2		0x00000004
+#define SA_RIGHT_DOMAIN_SET_INFO_2		0x00000008
+#define SA_RIGHT_DOMAIN_CREATE_USER		0x00000010
+#define SA_RIGHT_DOMAIN_CREATE_GROUP		0x00000020
+#define SA_RIGHT_DOMAIN_CREATE_ALIAS		0x00000040
+#define SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM	0x00000080
+#define SA_RIGHT_DOMAIN_ENUM_ACCOUNTS		0x00000100
+#define SA_RIGHT_DOMAIN_OPEN_ACCOUNT		0x00000200
+#define SA_RIGHT_DOMAIN_SET_INFO_3		0x00000400
+
+#define SA_RIGHT_DOMAIN_ALL_ACCESS		0x000007FF
+
+#define GENERIC_RIGHTS_DOMAIN_ALL_ACCESS \
+		(STANDARD_RIGHTS_REQUIRED_ACCESS| \
+		SA_RIGHT_DOMAIN_ALL_ACCESS)
+
+#define GENERIC_RIGHTS_DOMAIN_READ \
+		(STANDARD_RIGHTS_READ_ACCESS		| \
+		SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM	| \
+		SA_RIGHT_DOMAIN_LOOKUP_INFO_2)
+
+#define GENERIC_RIGHTS_DOMAIN_WRITE \
+		(STANDARD_RIGHTS_WRITE_ACCESS	| \
+		SA_RIGHT_DOMAIN_SET_INFO_3	| \
+		SA_RIGHT_DOMAIN_CREATE_ALIAS	| \
+		SA_RIGHT_DOMAIN_CREATE_GROUP	| \
+		SA_RIGHT_DOMAIN_CREATE_USER	| \
+		SA_RIGHT_DOMAIN_SET_INFO_2	| \
+		SA_RIGHT_DOMAIN_SET_INFO_1)
+
+#define GENERIC_RIGHTS_DOMAIN_EXECUTE \
+		(STANDARD_RIGHTS_EXECUTE_ACCESS	| \
+		SA_RIGHT_DOMAIN_OPEN_ACCOUNT	| \
+		SA_RIGHT_DOMAIN_ENUM_ACCOUNTS	| \
+		SA_RIGHT_DOMAIN_LOOKUP_INFO_1)            
+
+
+/* User Object specific access rights */
+
+#define SA_RIGHT_USER_GET_NAME_ETC	0x00000001
+#define SA_RIGHT_USER_GET_LOCALE	0x00000002
+#define SA_RIGHT_USER_SET_LOC_COM	0x00000004
+#define SA_RIGHT_USER_GET_LOGONINFO	0x00000008
+#define SA_RIGHT_USER_ACCT_FLAGS_EXPIRY	0x00000010
+#define SA_RIGHT_USER_SET_ATTRIBUTES	0x00000020
+#define SA_RIGHT_USER_CHANGE_PASSWORD	0x00000040
+#define SA_RIGHT_USER_SET_PASSWORD	0x00000080
+#define SA_RIGHT_USER_GET_GROUPS	0x00000100
+#define SA_RIGHT_USER_UNKNOWN_200	0x00000200
+#define SA_RIGHT_USER_UNKNOWN_400	0x00000400
+
+#define SA_RIGHT_USER_ALL_ACCESS	0x000007FF
+
+#define GENERIC_RIGHTS_USER_ALL_ACCESS \
+		(STANDARD_RIGHTS_REQUIRED_ACCESS| \
+		SA_RIGHT_USER_ALL_ACCESS)	/* 0x000f07ff */
+
+#define GENERIC_RIGHTS_USER_READ \
+		(STANDARD_RIGHTS_READ_ACCESS	| \
+		SA_RIGHT_USER_UNKNOWN_200	| \
+		SA_RIGHT_USER_GET_GROUPS	| \
+		SA_RIGHT_USER_ACCT_FLAGS_EXPIRY	| \
+		SA_RIGHT_USER_GET_LOGONINFO	| \
+		SA_RIGHT_USER_GET_LOCALE)	/* 0x0002031a */
+
+#define GENERIC_RIGHTS_USER_WRITE \
+		(STANDARD_RIGHTS_WRITE_ACCESS	| \
+		SA_RIGHT_USER_CHANGE_PASSWORD	| \
+		SA_RIGHT_USER_SET_LOC_COM)	/* 0x00020044 */
+
+#define GENERIC_RIGHTS_USER_EXECUTE \
+		(STANDARD_RIGHTS_EXECUTE_ACCESS	| \
+		SA_RIGHT_USER_CHANGE_PASSWORD	| \
+		SA_RIGHT_USER_GET_NAME_ETC )	/* 0x00020041 */
+
+
+/* Group Object specific access rights */
+
+#define SA_RIGHT_GROUP_LOOKUP_INFO	0x00000001
+#define SA_RIGHT_GROUP_SET_INFO		0x00000002
+#define SA_RIGHT_GROUP_ADD_MEMBER	0x00000004
+#define SA_RIGHT_GROUP_REMOVE_MEMBER	0x00000008
+#define SA_RIGHT_GROUP_GET_MEMBERS	0x00000010
+
+#define SA_RIGHT_GROUP_ALL_ACCESS	0x0000001F
+
+#define GENERIC_RIGHTS_GROUP_ALL_ACCESS \
+		(STANDARD_RIGHTS_REQUIRED_ACCESS| \
+		SA_RIGHT_GROUP_ALL_ACCESS)	/* 0x000f001f */
+
+#define GENERIC_RIGHTS_GROUP_READ \
+		(STANDARD_RIGHTS_READ_ACCESS	| \
+		SA_RIGHT_GROUP_GET_MEMBERS)	/* 0x00020010 */
+
+#define GENERIC_RIGHTS_GROUP_WRITE \
+		(STANDARD_RIGHTS_WRITE_ACCESS	| \
+		SA_RIGHT_GROUP_REMOVE_MEMBER	| \
+		SA_RIGHT_GROUP_ADD_MEMBER	| \
+		SA_RIGHT_GROUP_SET_INFO )	/* 0x0002000e */
+
+#define GENERIC_RIGHTS_GROUP_EXECUTE \
+		(STANDARD_RIGHTS_EXECUTE_ACCESS	| \
+		SA_RIGHT_GROUP_LOOKUP_INFO)	/* 0x00020001 */
+
+
+/* Alias Object specific access rights */
+
+#define SA_RIGHT_ALIAS_ADD_MEMBER	0x00000001
+#define SA_RIGHT_ALIAS_REMOVE_MEMBER	0x00000002
+#define SA_RIGHT_ALIAS_GET_MEMBERS	0x00000004
+#define SA_RIGHT_ALIAS_LOOKUP_INFO	0x00000008
+#define SA_RIGHT_ALIAS_SET_INFO		0x00000010
+
+#define SA_RIGHT_ALIAS_ALL_ACCESS 	0x0000001F
+
+#define GENERIC_RIGHTS_ALIAS_ALL_ACCESS \
+		(STANDARD_RIGHTS_REQUIRED_ACCESS| \
+		SA_RIGHT_ALIAS_ALL_ACCESS)	/* 0x000f001f */
+
+#define GENERIC_RIGHTS_ALIAS_READ \
+		(STANDARD_RIGHTS_READ_ACCESS	| \
+		SA_RIGHT_ALIAS_GET_MEMBERS )	/* 0x00020004 */
+
+#define GENERIC_RIGHTS_ALIAS_WRITE \
+		(STANDARD_RIGHTS_WRITE_ACCESS	| \
+		SA_RIGHT_ALIAS_REMOVE_MEMBER	| \
+		SA_RIGHT_ALIAS_ADD_MEMBER	| \
+		SA_RIGHT_ALIAS_SET_INFO )	/* 0x00020013 */
+
+#define GENERIC_RIGHTS_ALIAS_EXECUTE \
+		(STANDARD_RIGHTS_EXECUTE_ACCESS	| \
+		SA_RIGHT_ALIAS_LOOKUP_INFO )	/* 0x00020008 */
+
 #endif /* _RPC_SECDES_H */
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 7ce7599239..1694a8b0fc 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -1067,15 +1067,8 @@ struct bitmap {
 #define WRITE_OWNER_ACCESS   (1L<<19) /* 0x00080000 */
 #define SYNCHRONIZE_ACCESS   (1L<<20) /* 0x00100000 */
 
-/* Combinations of standard masks. */
-#define STANDARD_RIGHTS_ALL_ACCESS (DELETE_ACCESS|READ_CONTROL_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS|SYNCHRONIZE_ACCESS) /* 0x001f0000 */
-#define STANDARD_RIGHTS_EXECUTE_ACCESS (READ_CONTROL_ACCESS) /* 0x00020000 */
-#define STANDARD_RIGHTS_READ_ACCESS (READ_CONTROL_ACCESS) /* 0x00200000 */
-#define STANDARD_RIGHTS_REQUIRED_ACCESS (DELETE_ACCESS|READ_CONTROL_ACCESS|WRITE_DAC_ACCESS|WRITE_OWNER_ACCESS) /* 0x000f0000 */
-#define STANDARD_RIGHTS_WRITE_ACCESS (READ_CONTROL_ACCESS) /* 0x00020000 */
-
-#define SYSTEM_SECURITY_ACCESS (1L<<24)	          /* 0x01000000 */
-#define MAXIMUM_ALLOWED_ACCESS (1L<<25)	          /* 0x02000000 */
+#define SYSTEM_SECURITY_ACCESS (1L<<24)           /* 0x01000000 */
+#define MAXIMUM_ALLOWED_ACCESS (1L<<25)           /* 0x02000000 */
 #define GENERIC_ALL_ACCESS     (1<<28)            /* 0x10000000 */
 #define GENERIC_EXECUTE_ACCESS (1<<29)            /* 0x20000000 */
 #define GENERIC_WRITE_ACCESS   (1<<30)            /* 0x40000000 */
diff --git a/source3/lib/util_seaccess.c b/source3/lib/util_seaccess.c
index 456d7ba9e2..21d7fe8599 100644
--- a/source3/lib/util_seaccess.c
+++ b/source3/lib/util_seaccess.c
@@ -468,11 +468,11 @@ NTSTATUS samr_make_sam_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size)
 	sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
 
 	/*basic access for every one*/
-	init_sec_access(&mask, SAMR_EXECUTE | SAMR_READ);
+	init_sec_access(&mask, GENERIC_RIGHTS_SAM_EXECUTE | GENERIC_RIGHTS_SAM_READ);
 	init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
 	/*full access for builtin aliases Administrators and Account Operators*/
-	init_sec_access(&mask, SAMR_ALL_ACCESS);
+	init_sec_access(&mask, GENERIC_RIGHTS_SAM_ALL_ACCESS);
 	init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 	init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 1439471f64..c5b4a143ea 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -5,6 +5,7 @@
    Copyright (C) Luke Kenneth Caseson Leighton 	1998-1999
    Copyright (C) Jeremy Allison  		1999
    Copyright (C) Stefan (metze) Metzmacher 	2002
+   Copyright (C) Simo Sorce 			2002
       
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -37,16 +38,23 @@ DOM_SID global_sid_NT_Authority;    		/* NT Authority */
 DOM_SID global_sid_System;    		/* System */
 DOM_SID global_sid_NULL;            		/* NULL sid */
 DOM_SID global_sid_Authenticated_Users;		/* All authenticated rids */
-DOM_SID global_sid_Network;					/* Network rids */
+DOM_SID global_sid_Network;			/* Network rids */
 
-static DOM_SID global_sid_Creator_Owner;    		/* Creator Owner */
-static DOM_SID global_sid_Creator_Group;              /* Creator Group */
-static DOM_SID global_sid_Anonymous;				/* Anonymous login */
+static DOM_SID global_sid_Creator_Owner;	/* Creator Owner */
+static DOM_SID global_sid_Creator_Group;	/* Creator Group */
+static DOM_SID global_sid_Anonymous;		/* Anonymous login */
+
+DOM_SID global_sid_Builtin; 			/* Local well-known domain */
+DOM_SID global_sid_Builtin_Administrators;	/* Builtin administrators */
+DOM_SID global_sid_Builtin_Users;		/* Builtin users */
+DOM_SID global_sid_Builtin_Guests;		/* Builtin guest users */
+DOM_SID global_sid_Builtin_Power_Users;		/* Builtin power users */
+DOM_SID global_sid_Builtin_Account_Operators;	/* Builtin account operators */
+DOM_SID global_sid_Builtin_Server_Operators;	/* Builtin server operators */
+DOM_SID global_sid_Builtin_Print_Operators;	/* Builtin print operators */
+DOM_SID global_sid_Builtin_Backup_Operators;	/* Builtin backup operators */
+DOM_SID global_sid_Builtin_Replicator;		/* Builtin replicator */
 
-DOM_SID global_sid_Builtin; 				/* Local well-known domain */
-DOM_SID global_sid_Builtin_Administrators;
-DOM_SID global_sid_Builtin_Users;
-DOM_SID global_sid_Builtin_Guests;			/* Builtin guest users */
 
 /*
  * An NT compatible anonymous token.
@@ -112,10 +120,6 @@ void generate_wellknown_sids(void)
 	if (initialised) 
 		return;
 
-	string_to_sid(&global_sid_Builtin, "S-1-5-32");
-	string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
-	string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
-	string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546");
 	string_to_sid(&global_sid_World_Domain, "S-1-1");
 	string_to_sid(&global_sid_World, "S-1-1-0");
 	string_to_sid(&global_sid_Creator_Owner_Domain, "S-1-3");
@@ -128,6 +132,18 @@ void generate_wellknown_sids(void)
 	string_to_sid(&global_sid_Network, "S-1-5-2");
 	string_to_sid(&global_sid_Anonymous, "S-1-5-7");
 
+	/* create well known builtin SIDs */
+	string_to_sid(&global_sid_Builtin, "S-1-5-32");
+	string_to_sid(&global_sid_Builtin_Administrators, "S-1-5-32-544");
+	string_to_sid(&global_sid_Builtin_Users, "S-1-5-32-545");
+	string_to_sid(&global_sid_Builtin_Guests, "S-1-5-32-546");
+	string_to_sid(&global_sid_Builtin_Power_Users, "S-1-5-32-547");
+	string_to_sid(&global_sid_Builtin_Account_Operators, "S-1-5-32-548");
+	string_to_sid(&global_sid_Builtin_Server_Operators, "S-1-5-32-549");
+	string_to_sid(&global_sid_Builtin_Print_Operators, "S-1-5-32-550");
+	string_to_sid(&global_sid_Builtin_Backup_Operators, "S-1-5-32-551");
+	string_to_sid(&global_sid_Builtin_Replicator, "S-1-5-32-552");
+
 	/* Create the anon token. */
 	sid_copy( &anonymous_token.user_sids[0], &global_sid_World);
 	sid_copy( &anonymous_token.user_sids[1], &global_sid_Network);
diff --git a/source3/rpc_server/srv_reg_nt.c b/source3/rpc_server/srv_reg_nt.c
index f96de7e533..7435bdb6f7 100644
--- a/source3/rpc_server/srv_reg_nt.c
+++ b/source3/rpc_server/srv_reg_nt.c
@@ -131,7 +131,6 @@ static NTSTATUS open_registry_key(pipes_struct *p, POLICY_HND *hnd, REGISTRY_KEY
 	if ( fetch_reg_keys( regkey, &subkeys ) == -1 )  {
 	
 		/* don't really know what to return here */
-		
 		result = NT_STATUS_NO_SUCH_FILE;
 	}
 	else {
diff --git a/source3/rpc_server/srv_samr.c b/source3/rpc_server/srv_samr.c
index bc3b8970d6..ab3d94cf75 100644
--- a/source3/rpc_server/srv_samr.c
+++ b/source3/rpc_server/srv_samr.c
@@ -155,7 +155,6 @@ static BOOL api_samr_set_sec_obj(pipes_struct *p)
 		return False;
 	}
 	
-	
 	return True;
 }
 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 020a3c6aaf..3073ca8f75 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -64,11 +64,11 @@ struct samr_info {
 	TALLOC_CTX *mem_ctx;
 };
 
-struct generic_mapping sam_generic_mapping = {SAMR_READ, SAMR_WRITE, SAMR_EXECUTE, SAMR_ALL_ACCESS};
-struct generic_mapping dom_generic_mapping = {DOMAIN_READ, DOMAIN_WRITE, DOMAIN_EXECUTE, DOMAIN_ALL_ACCESS};
-struct generic_mapping usr_generic_mapping = {USER_READ, USER_WRITE, USER_EXECUTE, USER_ALL_ACCESS};
-struct generic_mapping grp_generic_mapping = {GROUP_READ, GROUP_WRITE, GROUP_EXECUTE, GROUP_ALL_ACCESS};
-struct generic_mapping ali_generic_mapping = {ALIAS_READ, ALIAS_WRITE, ALIAS_EXECUTE, ALIAS_ALL_ACCESS};
+struct generic_mapping sam_generic_mapping = {GENERIC_RIGHTS_SAM_READ, GENERIC_RIGHTS_SAM_WRITE, GENERIC_RIGHTS_SAM_EXECUTE, GENERIC_RIGHTS_SAM_ALL_ACCESS};
+struct generic_mapping dom_generic_mapping = {GENERIC_RIGHTS_DOMAIN_READ, GENERIC_RIGHTS_DOMAIN_WRITE, GENERIC_RIGHTS_DOMAIN_EXECUTE, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS};
+struct generic_mapping usr_generic_mapping = {GENERIC_RIGHTS_USER_READ, GENERIC_RIGHTS_USER_WRITE, GENERIC_RIGHTS_USER_EXECUTE, GENERIC_RIGHTS_USER_ALL_ACCESS};
+struct generic_mapping grp_generic_mapping = {GENERIC_RIGHTS_GROUP_READ, GENERIC_RIGHTS_GROUP_WRITE, GENERIC_RIGHTS_GROUP_EXECUTE, GENERIC_RIGHTS_GROUP_ALL_ACCESS};
+struct generic_mapping ali_generic_mapping = {GENERIC_RIGHTS_ALIAS_READ, GENERIC_RIGHTS_ALIAS_WRITE, GENERIC_RIGHTS_ALIAS_EXECUTE, GENERIC_RIGHTS_ALIAS_ALL_ACCESS};
 
 static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd_size);
 
@@ -375,7 +375,7 @@ NTSTATUS _samr_open_domain(pipes_struct *p, SAMR_Q_OPEN_DOMAIN *q_u, SAMR_R_OPEN
 	if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SAMR_ACCESS_OPEN_DOMAIN,"_samr_open_domain"))) {
+	if (!NT_STATUS_IS_OK(status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN,"_samr_open_domain"))) {
 		return status;
 	}
 
@@ -454,11 +454,11 @@ static NTSTATUS samr_make_dom_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
 	sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
 
 	/*basic access for every one*/
-	init_sec_access(&mask, DOMAIN_EXECUTE | DOMAIN_READ);
+	init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_EXECUTE | GENERIC_RIGHTS_DOMAIN_READ);
 	init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
 	/*full access for builtin aliases Administrators and Account Operators*/
-	init_sec_access(&mask, DOMAIN_ALL_ACCESS);
+	init_sec_access(&mask, GENERIC_RIGHTS_DOMAIN_ALL_ACCESS);
 	init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 	init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
@@ -493,16 +493,16 @@ static NTSTATUS samr_make_usr_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
 	sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
 
 	/*basic access for every one*/
-	init_sec_access(&mask, USER_EXECUTE | USER_READ);
+	init_sec_access(&mask, GENERIC_RIGHTS_USER_EXECUTE | GENERIC_RIGHTS_USER_READ);
 	init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
 	/*full access for builtin aliases Administrators and Account Operators*/
-	init_sec_access(&mask, USER_ALL_ACCESS);
+	init_sec_access(&mask, GENERIC_RIGHTS_USER_ALL_ACCESS);
 	init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 	init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
 	/*extended access for the user*/
-	init_sec_access(&mask,READ_CONTROL_ACCESS | USER_ACCESS_CHANGE_PASSWORD | USER_ACCESS_SET_LOC_COM);
+	init_sec_access(&mask,READ_CONTROL_ACCESS | SA_RIGHT_USER_CHANGE_PASSWORD | SA_RIGHT_USER_SET_LOC_COM);
 	init_sec_ace(&ace[3], usr_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
 	if ((psa = make_sec_acl(ctx, NT4_ACL_REVISION, 4, ace)) == NULL)
@@ -536,11 +536,11 @@ static NTSTATUS samr_make_grp_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
 	sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
 
 	/*basic access for every one*/
-	init_sec_access(&mask, GROUP_EXECUTE | GROUP_READ);
+	init_sec_access(&mask, GENERIC_RIGHTS_GROUP_EXECUTE | GENERIC_RIGHTS_GROUP_READ);
 	init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
 	/*full access for builtin aliases Administrators and Account Operators*/
-	init_sec_access(&mask, GROUP_ALL_ACCESS);
+	init_sec_access(&mask, GENERIC_RIGHTS_GROUP_ALL_ACCESS);
 	init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 	init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
@@ -575,11 +575,11 @@ static NTSTATUS samr_make_ali_obj_sd(TALLOC_CTX *ctx, SEC_DESC **psd, size_t *sd
 	sid_append_rid(&act_sid, BUILTIN_ALIAS_RID_ACCOUNT_OPS);
 
 	/*basic access for every one*/
-	init_sec_access(&mask, ALIAS_EXECUTE | ALIAS_READ);
+	init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_EXECUTE | GENERIC_RIGHTS_ALIAS_READ);
 	init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
 	/*full access for builtin aliases Administrators and Account Operators*/
-	init_sec_access(&mask, ALIAS_ALL_ACCESS);
+	init_sec_access(&mask, GENERIC_RIGHTS_ALIAS_ALL_ACCESS);
 	init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 	init_sec_ace(&ace[2], &act_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
@@ -765,7 +765,7 @@ NTSTATUS _samr_enum_dom_users(pipes_struct *p, SAMR_Q_ENUM_DOM_USERS *q_u,
 	domain_sid = info->sid;
 
  	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, 
-					DOMAIN_ACCESS_ENUM_ACCOUNTS, 
+					SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, 
 					"_samr_enum_dom_users"))) {
  		return r_u->status;
 	}
@@ -1058,7 +1058,7 @@ NTSTATUS _samr_enum_dom_groups(pipes_struct *p, SAMR_Q_ENUM_DOM_GROUPS *q_u, SAM
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
 		
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_groups"))) {
 		return r_u->status;
 	}
 
@@ -1097,7 +1097,7 @@ NTSTATUS _samr_enum_dom_aliases(pipes_struct *p, SAMR_Q_ENUM_DOM_ALIASES *q_u, S
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_ENUM_ACCOUNTS, "_samr_enum_dom_aliases"))) {
 		return r_u->status;
 	}
 	
@@ -1320,7 +1320,7 @@ NTSTATUS _samr_query_aliasinfo(pipes_struct *p, SAMR_Q_QUERY_ALIASINFO *q_u, SAM
 	/* find the policy handle.  open a policy on it. */
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_LOOKUP_INFO, "_samr_query_aliasinfo"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_LOOKUP_INFO, "_samr_query_aliasinfo"))) {
 		return r_u->status;
 	}
 
@@ -1667,7 +1667,7 @@ NTSTATUS _api_samr_open_user(pipes_struct *p, SAMR_Q_OPEN_USER *q_u, SAMR_R_OPEN
 	if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_open_user"))) {
+	if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_user"))) {
 		return nt_status;
 	}
 
@@ -2008,7 +2008,7 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, USER_ACCESS_GET_GROUPS, "_samr_query_usergroups"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_USER_GET_GROUPS, "_samr_query_usergroups"))) {
 		return r_u->status;
 	}
 
@@ -2194,7 +2194,7 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_
 	if (!get_lsa_policy_samr_sid(p, &dom_pol, &sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_CREATE_USER, "_samr_create_user"))) {
+	if (!NT_STATUS_IS_OK(nt_status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_USER, "_samr_create_user"))) {
 		return nt_status;
 	}
 
@@ -2496,7 +2496,7 @@ NTSTATUS _samr_lookup_domain(pipes_struct *p, SAMR_Q_LOOKUP_DOMAIN *q_u, SAMR_R_
 	if (!find_policy_by_hnd(p, &q_u->connect_pol, (void**)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SAMR_ACCESS_OPEN_DOMAIN, "_samr_lookup_domain"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_OPEN_DOMAIN, "_samr_lookup_domain"))) {
 		return r_u->status;
 	}
 
@@ -2569,7 +2569,7 @@ NTSTATUS _samr_enum_domains(pipes_struct *p, SAMR_Q_ENUM_DOMAINS *q_u, SAMR_R_EN
 	if (!find_policy_by_hnd(p, &q_u->pol, (void**)&info))
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SAMR_ACCESS_ENUM_DOMAINS, "_samr_enum_domains"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, SA_RIGHT_SAM_ENUM_DOMAINS, "_samr_enum_domains"))) {
 		return r_u->status;
 	}
 
@@ -2617,7 +2617,7 @@ NTSTATUS _api_samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OP
 	if (!get_lsa_policy_samr_sid(p, &domain_pol, &sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
 		
-	if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_open_alias"))) {
+	if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_alias"))) {
 		return status;
 	}
 
@@ -2928,7 +2928,7 @@ NTSTATUS _samr_set_userinfo(pipes_struct *p, SAMR_Q_SET_USERINFO *q_u, SAMR_R_SE
 	if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
 	
-	acc_required = USER_ACCESS_SET_LOC_COM | USER_ACCESS_SET_ATTRIBUTES; /* This is probably wrong */	
+	acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */	
 	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo"))) {
 		return r_u->status;
 	}
@@ -3013,7 +3013,7 @@ NTSTATUS _samr_set_userinfo2(pipes_struct *p, SAMR_Q_SET_USERINFO2 *q_u, SAMR_R_
 	if (!get_lsa_policy_samr_sid(p, pol, &sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
 	
-	acc_required = USER_ACCESS_SET_LOC_COM | USER_ACCESS_SET_ATTRIBUTES; /* This is probably wrong */	
+	acc_required = SA_RIGHT_USER_SET_LOC_COM | SA_RIGHT_USER_SET_ATTRIBUTES; /* This is probably wrong */	
 	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, acc_required, "_samr_set_userinfo2"))) {
 		return r_u->status;
 	}
@@ -3088,8 +3088,8 @@ NTSTATUS _samr_query_useraliases(pipes_struct *p, SAMR_Q_QUERY_USERALIASES *q_u,
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 		
-	ntstatus1 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
-	ntstatus2 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_query_useraliases");
+	ntstatus1 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
+	ntstatus2 = access_check_samr_function(info->acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_query_useraliases");
 	
 	if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
 		if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
@@ -3168,7 +3168,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_
 		return NT_STATUS_INVALID_HANDLE;
 	
 	if (!NT_STATUS_IS_OK(r_u->status = 
-		access_check_samr_function(acc_granted, ALIAS_ACCESS_GET_MEMBERS, "_samr_query_aliasmem"))) {
+		access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_GET_MEMBERS, "_samr_query_aliasmem"))) {
 		return r_u->status;
 	}
 		
@@ -3269,7 +3269,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_
 	if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 		
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_GET_MEMBERS, "_samr_query_groupmem"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_GET_MEMBERS, "_samr_query_groupmem"))) {
 		return r_u->status;
 	}
 		
@@ -3361,7 +3361,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD
 	if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_ADD_MEMBER, "_samr_add_aliasmem"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_ADD_MEMBER, "_samr_add_aliasmem"))) {
 		return r_u->status;
 	}
 		
@@ -3449,7 +3449,7 @@ NTSTATUS _samr_del_aliasmem(pipes_struct *p, SAMR_Q_DEL_ALIASMEM *q_u, SAMR_R_DE
 	if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_REMOVE_MEMBER, "_samr_del_aliasmem"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_REMOVE_MEMBER, "_samr_del_aliasmem"))) {
 		return r_u->status;
 	}
 	
@@ -3520,7 +3520,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_ADD_MEMBER, "_samr_add_groupmem"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_ADD_MEMBER, "_samr_add_groupmem"))) {
 		return r_u->status;
 	}
 
@@ -3612,7 +3612,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_REMOVE_MEMBER, "_samr_del_groupmem"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_REMOVE_MEMBER, "_samr_del_groupmem"))) {
 		return r_u->status;
 	}
 		
@@ -3692,7 +3692,7 @@ NTSTATUS _samr_delete_dom_user(pipes_struct *p, SAMR_Q_DELETE_DOM_USER *q_u, SAM
 	if (!get_lsa_policy_samr_sid(p, &q_u->user_pol, &user_sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 		
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DELETE_ACCESS, "_samr_delete_dom_user"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_user"))) {
 		return r_u->status;
 	}
 		
@@ -3751,7 +3751,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S
 	if (!get_lsa_policy_samr_sid(p, &q_u->group_pol, &group_sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 		
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DELETE_ACCESS, "_samr_delete_dom_group"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_group"))) {
 		return r_u->status;
 	}
 		
@@ -3813,7 +3813,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S
 	if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DELETE_ACCESS, "_samr_delete_dom_alias"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, STD_RIGHT_DELETE_ACCESS, "_samr_delete_dom_alias"))) {
 		return r_u->status;
 	}
 		
@@ -3876,7 +3876,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_CREATE_GROUP, "_samr_create_dom_group"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_GROUP, "_samr_create_dom_group"))) {
 		return r_u->status;
 	}
 		
@@ -3941,7 +3941,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S
 	if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 		
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_CREATE_ALIAS, "_samr_create_alias"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_CREATE_ALIAS, "_samr_create_alias"))) {
 		return r_u->status;
 	}
 		
@@ -4003,7 +4003,7 @@ NTSTATUS _samr_query_groupinfo(pipes_struct *p, SAMR_Q_QUERY_GROUPINFO *q_u, SAM
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_LOOKUP_INFO, "_samr_query_groupinfo"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_LOOKUP_INFO, "_samr_query_groupinfo"))) {
 		return r_u->status;
 	}
 		
@@ -4055,7 +4055,7 @@ NTSTATUS _samr_set_groupinfo(pipes_struct *p, SAMR_Q_SET_GROUPINFO *q_u, SAMR_R_
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &group_sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, GROUP_ACCESS_SET_INFO, "_samr_set_groupinfo"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_GROUP_SET_INFO, "_samr_set_groupinfo"))) {
 		return r_u->status;
 	}
 		
@@ -4102,7 +4102,7 @@ NTSTATUS _samr_set_aliasinfo(pipes_struct *p, SAMR_Q_SET_ALIASINFO *q_u, SAMR_R_
 	if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &group_sid, &acc_granted))
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_SET_INFO, "_samr_set_aliasinfo"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, SA_RIGHT_ALIAS_SET_INFO, "_samr_set_aliasinfo"))) {
 		return r_u->status;
 	}
 		
@@ -4171,7 +4171,7 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G
 	if (!get_lsa_policy_samr_sid(p, &q_u->domain_pol, &sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_open_group"))) {
+	if (!NT_STATUS_IS_OK(status = access_check_samr_function(acc_granted, SA_RIGHT_DOMAIN_OPEN_ACCOUNT, "_samr_open_group"))) {
 		return status;
 	}
 		
diff --git a/source3/sam/interface.c b/source3/sam/interface.c
index 4f5e565d2e..d08df42122 100644
--- a/source3/sam/interface.c
+++ b/source3/sam/interface.c
@@ -639,7 +639,7 @@ NTSTATUS sam_enum_domains(const SAM_CONTEXT *context, const NT_USER_TOKEN *acces
 		return nt_status;
 	}
 
-	if (!se_access_check(sd, access_token, SAMR_ACCESS_ENUM_DOMAINS, &acc_granted, &nt_status)) {
+	if (!se_access_check(sd, access_token, SA_RIGHT_SAM_ENUM_DOMAINS, &acc_granted, &nt_status)) {
 		DEBUG(3,("sam_enum_domains: ACCESS DENIED\n"));
 			return nt_status;
 	}
@@ -699,7 +699,7 @@ NTSTATUS sam_lookup_domain(const SAM_CONTEXT *context, const NT_USER_TOKEN *acce
 		return nt_status;
 	}
 
-	if (!se_access_check(sd, access_token, SAMR_ACCESS_OPEN_DOMAIN, &acc_granted, &nt_status)) {
+	if (!se_access_check(sd, access_token, SA_RIGHT_SAM_OPEN_DOMAIN, &acc_granted, &nt_status)) {
 		DEBUG(3,("sam_lookup_domain: ACCESS DENIED\n"));
 			return nt_status;
 	}
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 06538797e2..ae1e8dbbac 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -2014,7 +2014,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
 	};
 	
 	/* SamrConnect */
-	nt_status = cli_samr_connect(cli, mem_ctx, SAMR_ACCESS_OPEN_DOMAIN,
+	nt_status = cli_samr_connect(cli, mem_ctx, SA_RIGHT_SAM_OPEN_DOMAIN,
 								 &connect_hnd);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("Couldn't open SAMR policy handle. Error was %s\n",
@@ -2025,7 +2025,7 @@ static int rpc_trustdom_list(int argc, const char **argv)
 	/* SamrOpenDomain - we have to open domain policy handle in order to be
 	   able to enumerate accounts*/
 	nt_status = cli_samr_open_domain(cli, mem_ctx, &connect_hnd,
-									 DOMAIN_ACCESS_ENUM_ACCOUNTS,
+									 SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
 									 &queried_dom_sid, &domain_hnd);									 
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("Couldn't open domain object. Error was %s\n",