17 files changed, 47 insertions, 76 deletions
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 850ccae980b..72edf0eed15 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -677,8 +677,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 	if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, base->rid)) {
 		return NT_STATUS_INVALID_PARAMETER;
 	}
-	user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs
-		= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS;
 
 	user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid = *base->domain_sid;
 	if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, base->primary_gid)) {
@@ -690,8 +689,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 	 * group in the first place, and besides, these attributes will never
 	 * make their way into a PAC.
 	 */
-	user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].attrs
-		= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS;
 
 	for (i = 0; i < base->groups.count; i++) {
 		/* Skip primary group, already added above */
diff --git a/auth/wbc_auth_util.c b/auth/wbc_auth_util.c
index 52573e2a773..311052c9108 100644
--- a/auth/wbc_auth_util.c
+++ b/auth/wbc_auth_util.c
@@ -50,9 +50,7 @@ static NTSTATUS wbcsids_to_samr_RidWithAttributeArray(
 					&groups->rids[j].rid);
 		if (!ok) continue;
 
-		groups->rids[j].attributes = SE_GROUP_MANDATORY |
-					     SE_GROUP_ENABLED_BY_DEFAULT |
-					     SE_GROUP_ENABLED;
+		groups->rids[j].attributes = SE_GROUP_DEFAULT_FLAGS;
 		j++;
 	}
 
@@ -91,9 +89,7 @@ static NTSTATUS wbcsids_to_netr_SidAttrArray(
 			talloc_free(info3_sids);
 			return NT_STATUS_NO_MEMORY;
 		}
-		info3_sids[j].attributes = SE_GROUP_MANDATORY |
-					   SE_GROUP_ENABLED_BY_DEFAULT |
-					   SE_GROUP_ENABLED;
+		info3_sids[j].attributes = SE_GROUP_DEFAULT_FLAGS;
 		j++;
 	}
 
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 3d2c8a33903..05c40618a10 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -665,6 +665,11 @@ interface security
 		SE_GROUP_LOGON_ID		= 0xC0000000
 	} security_GroupAttrs;
 
+	const uint32 SE_GROUP_DEFAULT_FLAGS =
+		SE_GROUP_MANDATORY |
+		SE_GROUP_ENABLED_BY_DEFAULT |
+		SE_GROUP_ENABLED;
+
 	/* This is not yet sent over the network, but is simply defined in IDL */
 	typedef [public] struct {
 		uint32 num_sids;
diff --git a/python/samba/tests/krb5/group_tests.py b/python/samba/tests/krb5/group_tests.py
index 6d84d3a2522..b4075175113 100755
--- a/python/samba/tests/krb5/group_tests.py
+++ b/python/samba/tests/krb5/group_tests.py
@@ -75,9 +75,7 @@ class GroupTests(KDCBaseTest):
     trust_user = object()
 
     # Constants for group SID attributes.
-    default_attrs = (security.SE_GROUP_MANDATORY |
-                     security.SE_GROUP_ENABLED_BY_DEFAULT |
-                     security.SE_GROUP_ENABLED)
+    default_attrs = security.SE_GROUP_DEFAULT_FLAGS
     resource_attrs = default_attrs | security.SE_GROUP_RESOURCE
 
     asserted_identity = security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py
index 3c94c11d607..52c6a7797c1 100755
--- a/python/samba/tests/krb5/s4u_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -61,9 +61,7 @@ global_hexdump = False
 
 class S4UKerberosTests(KDCBaseTest):
 
-    default_attrs = (security.SE_GROUP_MANDATORY |
-                     security.SE_GROUP_ENABLED_BY_DEFAULT |
-                     security.SE_GROUP_ENABLED)
+    default_attrs = security.SE_GROUP_DEFAULT_FLAGS
 
     def setUp(self):
         super(S4UKerberosTests, self).setUp()
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 3bc44315682..9fe407ee5e9 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -723,7 +723,7 @@ NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc,
 		    (uint32_t)uid);
 	status = add_sid_to_array_attrs_unique(user_info_dc->sids,
 					       &tmp_sid,
-					       SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED,
+					       SE_GROUP_DEFAULT_FLAGS,
 					       &user_info_dc->sids,
 					       &user_info_dc->num_sids);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -741,7 +741,7 @@ NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc,
 		    (uint32_t)gid);
 	status = add_sid_to_array_attrs_unique(user_info_dc->sids,
 					       &tmp_sid,
-					       SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED,
+					       SE_GROUP_DEFAULT_FLAGS,
 					       &user_info_dc->sids,
 					       &user_info_dc->num_sids);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -759,7 +759,7 @@ NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc,
 		    flags);
 	status = add_sid_to_array_attrs_unique(user_info_dc->sids,
 					       &tmp_sid,
-					       SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED,
+					       SE_GROUP_DEFAULT_FLAGS,
 					       &user_info_dc->sids,
 					       &user_info_dc->num_sids);
 	if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index e5debd45b97..1eae63664cb 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -221,9 +221,7 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
 				    const struct dom_sid *sids,
 				    size_t num_sids)
 {
-	uint32_t attributes = SE_GROUP_MANDATORY |
-				SE_GROUP_ENABLED_BY_DEFAULT |
-				SE_GROUP_ENABLED;
+	uint32_t attributes = SE_GROUP_DEFAULT_FLAGS;
 	struct samr_RidWithAttributeArray *groups;
 	struct dom_sid *domain_sid;
 	unsigned int i;
diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
index 5f93d4287ad..17136ba8449 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -3360,8 +3360,7 @@ NTSTATUS _samr_GetGroupsForUser(struct pipes_struct *p,
 	gids = NULL;
 	num_gids = 0;
 
-	dom_gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
-			      SE_GROUP_ENABLED);
+	dom_gid.attributes = SE_GROUP_DEFAULT_FLAGS;
 	dom_gid.rid = primary_group_rid;
 	ADD_TO_ARRAY(p->mem_ctx, struct samr_RidWithAttribute, dom_gid, &gids, &num_gids);
 
@@ -6074,9 +6073,7 @@ NTSTATUS _samr_QueryGroupMember(struct pipes_struct *p,
 	}
 
 	for (i=0; i<num_members; i++) {
-		attr[i] = SE_GROUP_MANDATORY |
-			  SE_GROUP_ENABLED_BY_DEFAULT |
-			  SE_GROUP_ENABLED;
+		attr[i] = SE_GROUP_DEFAULT_FLAGS;
 	}
 
 	rids->count = num_members;
@@ -6597,9 +6594,7 @@ NTSTATUS _samr_QueryGroupInfo(struct pipes_struct *p,
 	GROUP_MAP *map;
 	union samr_GroupInfo *info = NULL;
 	bool ret;
-	uint32_t attributes = SE_GROUP_MANDATORY |
-			      SE_GROUP_ENABLED_BY_DEFAULT |
-			      SE_GROUP_ENABLED;
+	uint32_t attributes = SE_GROUP_DEFAULT_FLAGS;
 	const char *group_name = NULL;
 	const char *group_description = NULL;
 
diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c
index eb5826a3137..6ae3e444ffc 100644
--- a/source4/auth/ntlm/auth_developer.c
+++ b/source4/auth/ntlm/auth_developer.c
@@ -86,7 +86,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
 	NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
 
 	user_info_dc->sids->sid = global_sid_Anonymous;
-	user_info_dc->sids->attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	user_info_dc->sids->attrs = SE_GROUP_DEFAULT_FLAGS;
 
 	/* annoying, but the Anonymous really does have a session key, 
 	   and it is all zeros! */
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index c8469738e81..b9a4d834539 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -389,12 +389,10 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
 	}
 
 	sids[PRIMARY_USER_SID_INDEX].sid = *account_sid;
-	sids[PRIMARY_USER_SID_INDEX].attrs
-		= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	sids[PRIMARY_USER_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS;
 	sids[PRIMARY_GROUP_SID_INDEX].sid = *domain_sid;
 	sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX].sid, ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
-	sids[PRIMARY_GROUP_SID_INDEX].attrs
-		= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	sids[PRIMARY_GROUP_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS;
 
 	/*
 	 * Filter out builtin groups from this token. We will search
@@ -581,8 +579,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
 			return NT_STATUS_NO_MEMORY;
 		}
 		user_info_dc->sids[user_info_dc->num_sids].sid = global_sid_Enterprise_DCs;
-		user_info_dc->sids[user_info_dc->num_sids].attrs
-			= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+		user_info_dc->sids[user_info_dc->num_sids].attrs = SE_GROUP_DEFAULT_FLAGS;
 		user_info_dc->num_sids++;
 	}
 
@@ -600,8 +597,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
 		user_info_dc->sids[user_info_dc->num_sids].sid = *domain_sid;
 		sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid,
 			    DOMAIN_RID_ENTERPRISE_READONLY_DCS);
-		user_info_dc->sids[user_info_dc->num_sids].attrs
-			= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+		user_info_dc->sids[user_info_dc->num_sids].attrs = SE_GROUP_DEFAULT_FLAGS;
 		user_info_dc->num_sids++;
 	}
 
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 5905964ecfc..ed06efe70a8 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -136,11 +136,11 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 		}
 
 		sid_copy(&sids[num_sids].sid, &global_sid_World);
-		sids[num_sids].attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+		sids[num_sids].attrs = SE_GROUP_DEFAULT_FLAGS;
 		num_sids++;
 
 		sid_copy(&sids[num_sids].sid, &global_sid_Network);
-		sids[num_sids].attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+		sids[num_sids].attrs = SE_GROUP_DEFAULT_FLAGS;
 		num_sids++;
 	}
 
@@ -152,7 +152,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 		}
 
 		sid_copy(&sids[num_sids].sid, &global_sid_Authenticated_Users);
-		sids[num_sids].attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+		sids[num_sids].attrs = SE_GROUP_DEFAULT_FLAGS;
 		num_sids++;
 	}
 
@@ -167,7 +167,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 			TALLOC_FREE(tmp_ctx);
 			return NT_STATUS_INTERNAL_ERROR;
 		}
-		sids[num_sids].attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+		sids[num_sids].attrs = SE_GROUP_DEFAULT_FLAGS;
 		num_sids++;
 	}
 
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index ea692e16707..b6de6a140e3 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -129,7 +129,7 @@ NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
 	NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
 
 	user_info_dc->sids->sid = global_sid_System;
-	user_info_dc->sids->attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	user_info_dc->sids->attrs = SE_GROUP_DEFAULT_FLAGS;
 
 	/* annoying, but the Anonymous really does have a session key, 
 	   and it is all zeros! */
@@ -206,34 +206,27 @@ static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
 
 	user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid = *domain_sid;
 	sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, DOMAIN_RID_ADMINISTRATOR);
-	user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs
-		= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS;
 
 	user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid = *domain_sid;
 	sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, DOMAIN_RID_USERS);
-	user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].attrs
-		= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS;
 
 	user_info_dc->sids[2].sid = global_sid_Builtin_Administrators;
-	user_info_dc->sids[2].attrs
-		= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	user_info_dc->sids[2].attrs = SE_GROUP_DEFAULT_FLAGS;
 
 	user_info_dc->sids[3].sid = *domain_sid;
 	sid_append_rid(&user_info_dc->sids[3].sid, DOMAIN_RID_ADMINS);
-	user_info_dc->sids[3].attrs
-		= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	user_info_dc->sids[3].attrs = SE_GROUP_DEFAULT_FLAGS;
 	user_info_dc->sids[4].sid = *domain_sid;
 	sid_append_rid(&user_info_dc->sids[4].sid, DOMAIN_RID_ENTERPRISE_ADMINS);
-	user_info_dc->sids[4].attrs
-		= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	user_info_dc->sids[4].attrs = SE_GROUP_DEFAULT_FLAGS;
 	user_info_dc->sids[5].sid = *domain_sid;
 	sid_append_rid(&user_info_dc->sids[5].sid, DOMAIN_RID_POLICY_ADMINS);
-	user_info_dc->sids[5].attrs
-		= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	user_info_dc->sids[5].attrs = SE_GROUP_DEFAULT_FLAGS;
 	user_info_dc->sids[6].sid = *domain_sid;
 	sid_append_rid(&user_info_dc->sids[6].sid, DOMAIN_RID_SCHEMA_ADMINS);
-	user_info_dc->sids[6].attrs
-		= SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	user_info_dc->sids[6].attrs = SE_GROUP_DEFAULT_FLAGS;
 
 	/* What should the session key be?*/
 	user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
@@ -391,7 +384,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
 	NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
 
 	user_info_dc->sids->sid = global_sid_Anonymous;
-	user_info_dc->sids->attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	user_info_dc->sids->attrs = SE_GROUP_DEFAULT_FLAGS;
 
 	/* annoying, but the Anonymous really does have a session key... */
 	user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c
index 120015877a3..cf3d48bcfc8 100644
--- a/source4/dsdb/common/util_groups.c
+++ b/source4/dsdb/common/util_groups.c
@@ -177,7 +177,7 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
 		uint32_t sid_attrs;
 		bool already_there;
 
-		sid_attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+		sid_attrs = SE_GROUP_DEFAULT_FLAGS;
 		group_type = ldb_msg_find_attr_as_uint(res->msgs[0], "groupType", 0);
 		if (group_type & GROUP_TYPE_RESOURCE_GROUP) {
 			sid_attrs |= SE_GROUP_RESOURCE;
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index a4ef129c467..9ffa33b6b18 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -1226,7 +1226,7 @@ static int get_pso_for_user(struct ldb_module *module,
 		/* lookup the best PSO object, based on the user's SID */
 		user_sid = samdb_result_dom_sid_attrs(
 			tmp_ctx, user_msg, "objectSid",
-			SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED);
+			SE_GROUP_DEFAULT_FLAGS);
 
 		ret = pso_find_best(module, tmp_ctx, parent, user_sid, 1,
 				    &best_pso);
diff --git a/source4/dsdb/tests/python/token_group.py b/source4/dsdb/tests/python/token_group.py
index bc2c4c71350..2f81aab076f 100755
--- a/source4/dsdb/tests/python/token_group.py
+++ b/source4/dsdb/tests/python/token_group.py
@@ -642,7 +642,7 @@ class DynamicTokenTest(samba.tests.TestCase):
         rids = samr_conn.GetGroupsForUser(user_handle)
         samr_dns = set()
         for rid in rids.rids:
-            self.assertEqual(rid.attributes, security.SE_GROUP_MANDATORY | security.SE_GROUP_ENABLED_BY_DEFAULT | security.SE_GROUP_ENABLED)
+            self.assertEqual(rid.attributes, security.SE_GROUP_DEFAULT_FLAGS)
             sid = "%s-%d" % (domain_sid, rid.rid)
             res = self.admin_ldb.search(base="<SID=%s>" % sid, scope=ldb.SCOPE_BASE,
                                         attrs=[])
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 35e4bf4c248..d9c76ba3b1f 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -844,7 +844,7 @@ static NTSTATUS samba_add_asserted_identity(TALLOC_CTX *mem_ctx,
 	return add_sid_to_array_attrs_unique(
 		user_info_dc,
 		&ai_sid,
-		SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED,
+		SE_GROUP_DEFAULT_FLAGS,
 		&user_info_dc->sids,
 		&user_info_dc->num_sids);
 }
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index b1342cbfe84..2df9312fe31 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -2356,7 +2356,7 @@ static NTSTATUS dcesrv_samr_QueryGroupInfo(struct dcesrv_call_state *dce_call, T
 	switch (r->in.level) {
 	case GROUPINFOALL:
 		QUERY_STRING(msg, all.name,        "sAMAccountName");
-		info->all.attributes = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; /* Do like w2k3 */
+		info->all.attributes = SE_GROUP_DEFAULT_FLAGS; /* Do like w2k3 */
 		QUERY_UINT  (msg, all.num_members,      "numMembers")
 		QUERY_STRING(msg, all.description, "description");
 		break;
@@ -2364,14 +2364,14 @@ static NTSTATUS dcesrv_samr_QueryGroupInfo(struct dcesrv_call_state *dce_call, T
 		QUERY_STRING(msg, name,            "sAMAccountName");
 		break;
 	case GROUPINFOATTRIBUTES:
-		info->attributes.attributes = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; /* Do like w2k3 */
+		info->attributes.attributes = SE_GROUP_DEFAULT_FLAGS; /* Do like w2k3 */
 		break;
 	case GROUPINFODESCRIPTION:
 		QUERY_STRING(msg, description, "description");
 		break;
 	case GROUPINFOALL2:
 		QUERY_STRING(msg, all2.name,        "sAMAccountName");
-		info->all.attributes = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; /* Do like w2k3 */
+		info->all.attributes = SE_GROUP_DEFAULT_FLAGS; /* Do like w2k3 */
 		QUERY_UINT  (msg, all2.num_members,      "numMembers")
 		QUERY_STRING(msg, all2.description, "description");
 		break;
@@ -2676,9 +2676,7 @@ static NTSTATUS dcesrv_samr_QueryGroupMember(struct dcesrv_call_state *dce_call,
 			return status;
 		}
 
-		array->attributes[array->count] = SE_GROUP_MANDATORY |
-						  SE_GROUP_ENABLED_BY_DEFAULT |
-						  SE_GROUP_ENABLED;
+		array->attributes[array->count] = SE_GROUP_DEFAULT_FLAGS;
 		array->count++;
 	}
 
@@ -4437,8 +4435,7 @@ static NTSTATUS dcesrv_samr_GetGroupsForUser(struct dcesrv_call_state *dce_call,
 	/* Adds the primary group */
 
 	array->rids[0].rid = primary_group_id;
-	array->rids[0].attributes = SE_GROUP_MANDATORY
-		| SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+	array->rids[0].attributes = SE_GROUP_DEFAULT_FLAGS;
 	array->count += 1;
 
 	/* Adds the additional groups */
@@ -4454,8 +4451,7 @@ static NTSTATUS dcesrv_samr_GetGroupsForUser(struct dcesrv_call_state *dce_call,
 
 		array->rids[i + 1].rid =
 			group_sid->sub_auths[group_sid->num_auths-1];
-		array->rids[i + 1].attributes = SE_GROUP_MANDATORY
-			| SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+		array->rids[i + 1].attributes = SE_GROUP_DEFAULT_FLAGS;
 		array->count += 1;
 	}
 
@@ -4740,9 +4736,7 @@ static NTSTATUS dcesrv_samr_QueryDisplayInfo(struct dcesrv_call_state *dce_call,
 			/*
 			 * We get a "7" here for groups
 			 */
-			entriesFullGroup[count].acct_flags =
-			    SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
-			    SE_GROUP_ENABLED;
+			entriesFullGroup[count].acct_flags = SE_GROUP_DEFAULT_FLAGS;
 			entriesFullGroup[count].account_name.string =
 			    ldb_msg_find_attr_as_string(
 				rec->msgs[0], "sAMAccountName", "");