diff --git a/source/include/smb.h b/source/include/smb.h
index 3f2f223..ed1d049 100644
--- a/source/include/smb.h
+++ b/source/include/smb.h
@@ -257,12 +257,24 @@ enum lsa_SidType {
 	SID_NAME_COMPUTER     /* sid for a computer */
 };
 
-#define LOOKUP_NAME_ISOLATED 1	/* Look up unqualified names */
-#define LOOKUP_NAME_REMOTE   2  /* Ask others */
-#define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE)
 
-#define LOOKUP_NAME_GROUP    4  /* (unused) This is a NASTY hack for valid users = @foo
-				 * where foo also exists in as user. */
+#define LOOKUP_NAME_NONE		0x00000000
+#define LOOKUP_NAME_ISOLATED		0x00000001  /* Look up unqualified names */
+#define LOOKUP_NAME_REMOTE		0x00000002  /* Ask others */
+#define LOOKUP_NAME_GROUP		0x00000004  /* (unused) This is a NASTY hack for
+							valid users = @foo where foo also
+							exists in as user. */
+#define LOOKUP_NAME_EXPLICIT		0x00000008  /* Only include
+							explicitly mapped names and not
+							the Unix {User,Group} domain */
+#define LOOKUP_NAME_BUILTIN		0x00000010 /* builtin names */
+#define LOOKUP_NAME_WKN			0x00000020 /* well known names */
+#define LOOKUP_NAME_DOMAIN		0x00000040 /* only lookup own domain */
+#define LOOKUP_NAME_ALL			(LOOKUP_NAME_ISOLATED\
+					|LOOKUP_NAME_REMOTE\
+					|LOOKUP_NAME_BUILTIN\
+					|LOOKUP_NAME_WKN\
+					|LOOKUP_NAME_DOMAIN)
 
 /**
  * @brief Security Identifier
diff --git a/source/passdb/lookup_sid.c b/source/passdb/lookup_sid.c
index 37285f0..d1390fd 100644
--- a/source/passdb/lookup_sid.c
+++ b/source/passdb/lookup_sid.c
@@ -60,16 +60,19 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 		name = talloc_strdup(tmp_ctx, full_name);
 	}
 
-	DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n", 
-		full_name, domain, name));
-
 	if ((domain == NULL) || (name == NULL)) {
 		DEBUG(0, ("talloc failed\n"));
 		TALLOC_FREE(tmp_ctx);
 		return False;
 	}
 
-	if (strequal(domain, get_global_sam_name())) {
+	DEBUG(10,("lookup_name: %s => %s (domain), %s (name)\n",
+		full_name, domain, name));
+	DEBUG(10, ("lookup_name: flags = 0x0%x\n", flags));
+
+	if ((flags & LOOKUP_NAME_DOMAIN) &&
+	    strequal(domain, get_global_sam_name()))
+	{
 
 		/* It's our own domain, lookup the name in passdb */
 		if (lookup_global_sam_name(name, flags, &rid, &type)) {
@@ -81,8 +84,9 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 		return False;
 	}
 
-	if (strequal(domain, builtin_domain_name())) {
-
+	if ((flags & LOOKUP_NAME_BUILTIN) &&
+	    strequal(domain, builtin_domain_name()))
+	{
 		/* Explicit request for a name in BUILTIN */
 		if (lookup_builtin_name(name, &rid)) {
 			sid_copy(&sid, &global_sid_Builtin);
@@ -98,6 +102,7 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 	 * domain yet at this point yet. This comes later. */
 
 	if ((domain[0] != '\0') &&
+	    (flags & ~(LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED)) &&
 	    (winbind_lookup_name(domain, name, &sid, &type))) {
 			goto ok;
 	}
@@ -132,14 +137,18 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 
 	/* 1. well-known names */
 
-	if (lookup_wellknown_name(tmp_ctx, name, &sid, &domain)) {
+	if ((flags & LOOKUP_NAME_WKN) &&
+	    lookup_wellknown_name(tmp_ctx, name, &sid, &domain))
+	{
 		type = SID_NAME_WKN_GRP;
 		goto ok;
 	}
 
 	/* 2. Builtin domain as such */
 
-	if (strequal(name, builtin_domain_name())) {
+	if ((flags & (LOOKUP_NAME_BUILTIN|LOOKUP_NAME_REMOTE)) &&
+	    strequal(name, builtin_domain_name()))
+	{
 		/* Swap domain and name */
 		tmp = name; name = domain; domain = tmp;
 		sid_copy(&sid, &global_sid_Builtin);
@@ -149,7 +158,9 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 
 	/* 3. Account domain */
 
-	if (strequal(name, get_global_sam_name())) {
+	if ((flags & LOOKUP_NAME_DOMAIN) &&
+	    strequal(name, get_global_sam_name()))
+	{
 		if (!secrets_fetch_domain_sid(name, &sid)) {
 			DEBUG(3, ("Could not fetch my SID\n"));
 			TALLOC_FREE(tmp_ctx);
@@ -163,7 +174,9 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 
 	/* 4. Primary domain */
 
-	if (!IS_DC && strequal(name, lp_workgroup())) {
+	if ((flags & LOOKUP_NAME_DOMAIN) && !IS_DC &&
+	    strequal(name, lp_workgroup()))
+	{
 		if (!secrets_fetch_domain_sid(name, &sid)) {
 			DEBUG(3, ("Could not fetch the domain SID\n"));
 			TALLOC_FREE(tmp_ctx);
@@ -178,8 +191,9 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 	/* 5. Trusted domains as such, to me it looks as if members don't do
               this, tested an XP workstation in a NT domain -- vl */
 
-	if (IS_DC && (secrets_fetch_trusted_domain_password(name, NULL,
-							    &sid, NULL))) {
+	if ((flags & LOOKUP_NAME_REMOTE) && IS_DC &&
+	    (secrets_fetch_trusted_domain_password(name, NULL, &sid, NULL)))
+	{
 		/* Swap domain and name */
 		tmp = name; name = domain; domain = tmp;
 		type = SID_NAME_DOMAIN;
@@ -188,7 +202,9 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 
 	/* 6. Builtin aliases */	
 
-	if (lookup_builtin_name(name, &rid)) {
+	if ((flags & LOOKUP_NAME_BUILTIN) &&
+	    lookup_builtin_name(name, &rid))
+	{
 		domain = talloc_strdup(tmp_ctx, builtin_domain_name());
 		sid_copy(&sid, &global_sid_Builtin);
 		sid_append_rid(&sid, rid);
@@ -201,7 +217,9 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
 
 	/* Both cases are done by looking at our passdb */
 
-	if (lookup_global_sam_name(name, flags, &rid, &type)) {
+	if ((flags & LOOKUP_NAME_DOMAIN) &&
+	    lookup_global_sam_name(name, flags, &rid, &type))
+	{
 		domain = talloc_strdup(tmp_ctx, get_global_sam_name());
 		sid_copy(&sid, get_global_sam_sid());
 		sid_append_rid(&sid, rid);
diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c
index 7a47ced..c105edf 100644
--- a/source/rpc_server/srv_lsa_nt.c
+++ b/source/rpc_server/srv_lsa_nt.c
@@ -1032,6 +1032,31 @@ NTSTATUS _lsa_lookup_sids3(pipes_struct *p,
 	return r_u->status;
 }
 
+static int lsa_lookup_level_to_flags(uint16 level)
+{
+	int flags;
+
+	switch (level) {
+		case 1:
+			flags = LOOKUP_NAME_ALL;
+			break;
+		case 2:
+			flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_REMOTE|LOOKUP_NAME_ISOLATED;
+			break;
+		case 3:
+			flags = LOOKUP_NAME_DOMAIN|LOOKUP_NAME_ISOLATED;
+			break;
+		case 4:
+		case 5:
+		case 6:
+		default:
+			flags = LOOKUP_NAME_NONE;
+			break;
+	}
+
+	return flags;
+}
+
 /***************************************************************************
 lsa_reply_lookup_names
  ***************************************************************************/
@@ -1051,10 +1076,7 @@ NTSTATUS _lsa_lookup_names(pipes_struct *p,LSA_Q_LOOKUP_NAMES *q_u, LSA_R_LOOKUP
 		DEBUG(5,("_lsa_lookup_names: truncating name lookup list to %d\n", num_entries));
 	}
 		
-	/* Probably the lookup_level is some sort of bitmask. */
-	if (q_u->lookup_level == 1) {
-		flags = LOOKUP_NAME_ALL;
-	}
+	flags = lsa_lookup_level_to_flags(q_u->lookup_level);
 
 	ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
 	if (!ref) {
@@ -1120,11 +1142,8 @@ NTSTATUS _lsa_lookup_names2(pipes_struct *p, LSA_Q_LOOKUP_NAMES2 *q_u, LSA_R_LOO
 		num_entries = MAX_LOOKUP_SIDS;
 		DEBUG(5,("_lsa_lookup_names2: truncating name lookup list to %d\n", num_entries));
 	}
-		
-	/* Probably the lookup_level is some sort of bitmask. */
-	if (q_u->lookup_level == 1) {
-		flags = LOOKUP_NAME_ALL;
-	}
+
+	flags = lsa_lookup_level_to_flags(q_u->lookup_level);
 
 	ref = TALLOC_ZERO_P(p->mem_ctx, DOM_R_REF);
 	if (ref == NULL) {