The builtin domain is also stored in the group mapping tdb. "net groupmap cleanup", however, deletes all mappings from SIDs that are not the own SID. The domain SID S-1-5-32 should also be excluded by the cleanup accordingly, shouldn't it?

On the other hand, it would be nice if the "net groupmap cleanup" command would recognize whether the Unix IDs of the defined mappings fit the configured winbind idmap ranges. For example, when the builtin\users group was created on the server, "net groupmap list" lists the mapping by name, not by number. Only the --verbose switch will also show the numeric POSIX ID. If the idmap ranges had been shifted one day, it will not be obvious that there is trouble waiting, because there is an old sid<>id mapping from the previous configuration for a range that now actually belongs to another domain. "net groupmap cleanup" should issue a warning in cases like that.
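The check asked for above can be approximated outside of `net` today. The following is an added example, not part of the original report and not Samba code: it compares the gids of S-1-5-32 mappings with the `idmap config` ranges from smb.conf. It assumes that BUILTIN ids are allocated from the default `idmap config *` range and that the verbose listing uses `SID :` and `Unix gid :` lines; the domain name CORP, the ranges and both sample inputs are constructed.

```python
import re

# Constructed smb.conf fragment: the "*" range was moved and CORP now owns 10000+.
SMB_CONF = """
[global]
    idmap config * : range = 3000-7999
    idmap config CORP : range = 10000-999999
"""
# Constructed listing in the assumed shape of "net groupmap list --verbose".
GROUPMAP = """
Users
\tSID       : S-1-5-32-545
\tUnix gid  : 10001
Administrators
\tSID       : S-1-5-32-544
\tUnix gid  : 3000
Domain Users
\tSID       : S-1-5-21-1111111111-2222222222-3333333333-513
\tUnix gid  : 10513
"""

def idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config DOM : range' line."""
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)",
                     re.I | re.M)
    return {dom: (int(lo), int(hi)) for dom, lo, hi in pat.findall(conf)}

def builtin_mappings(listing):
    """Yield (name, sid, gid) for entries whose SID lies under S-1-5-32."""
    name = sid = None
    for line in listing.splitlines():
        if line.strip() and not line[:1].isspace():
            name, sid = line.strip(), None          # unindented line starts an entry
        elif m := re.match(r"\s+SID\s*:\s*(\S+)", line):
            sid = m.group(1)
        elif (m := re.match(r"\s+Unix gid\s*:\s*(\d+)", line)) and sid:
            if sid.startswith("S-1-5-32-"):
                yield name, sid, int(m.group(1))

def stale_builtin_mappings(conf, listing):
    """Return (name, sid, gid, owner) for BUILTIN gids outside the '*' range.
    owner is the domain whose range now contains the gid, or None."""
    ranges = idmap_ranges(conf)
    lo, hi = ranges.get("*", (1, 0))                # empty range if "*" is unset
    stale = []
    for name, sid, gid in builtin_mappings(listing):
        if not lo <= gid <= hi:
            owner = next((d for d, (a, b) in ranges.items()
                          if d != "*" and a <= gid <= b), None)
            stale.append((name, sid, gid, owner))
    return stale
```

Any entry returned with a non-empty owner is a BUILTIN group whose gid now collides with a range assigned to another domain.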