--- ./rpc_server/srv_samr_nt.c	Sun Jul 21 11:02:58 2002
+++ ./rpc_server/srv_samr_nt.c	Sun Aug  4 16:12:09 2002
@@ -3029,6 +3029,10 @@
 	uint32 *rids=NULL, *new_rids=NULL, *tmp_rids=NULL;
 	struct samr_info *info = NULL;
 	int i,j;
+		
+	NTSTATUS ntstatus1;
+	NTSTATUS ntstatus2;
+
 	/* until i see a real useraliases query, we fack one up */
 
 	/* I have seen one, JFM 2/12/2001 */
@@ -3054,9 +3058,15 @@
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 		
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(info->acc_granted, USER_ACCESS_GET_GROUPS, "_samr_query_useraliases"))) {
-		return r_u->status;
-	}
+	ntstatus1 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM, "_samr_query_useraliases");
+	ntstatus2 = access_check_samr_function(info->acc_granted, DOMAIN_ACCESS_OPEN_ACCOUNT, "_samr_query_useraliases");
+	
+	if (!NT_STATUS_IS_OK(ntstatus1) || !NT_STATUS_IS_OK(ntstatus2)) {
+		if (!(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus2)) &&
+		    !(NT_STATUS_EQUAL(ntstatus1,NT_STATUS_ACCESS_DENIED) && NT_STATUS_IS_OK(ntstatus1))) {
+			return (NT_STATUS_IS_OK(ntstatus1)) ? ntstatus2 : ntstatus1;
+		}
+	}		
 
 	if (!sid_check_is_domain(&info->sid) &&
 	    !sid_check_is_builtin(&info->sid))
@@ -3127,7 +3137,8 @@
 	if (!get_lsa_policy_samr_sid(p, &q_u->alias_pol, &alias_sid, &acc_granted)) 
 		return NT_STATUS_INVALID_HANDLE;
 	
-	if (!NT_STATUS_IS_OK(r_u->status = access_check_samr_function(acc_granted, ALIAS_ACCESS_GET_MEMBERS, "_samr_query_aliasmem"))) {
+	if (!NT_STATUS_IS_OK(r_u->status = 
+		access_check_samr_function(acc_granted, ALIAS_ACCESS_GET_MEMBERS, "_samr_query_aliasmem"))) {
 		return r_u->status;
 	}
 		
--- ./include/rpc_samr.h	Fri Jul  5 06:08:32 2002
+++ ./include/rpc_samr.h	Sun Aug  4 15:49:44 2002
@@ -176,46 +176,46 @@
 
 /* Access bits to Domain-objects */
 
-#define DOMAIN_ACCESS_LOOKUP_INFO_1  0x000000001
-#define DOMAIN_ACCESS_SET_INFO_1     0x000000002
-#define DOMAIN_ACCESS_LOOKUP_INFO_2  0x000000004
-#define DOMAIN_ACCESS_SET_INFO_2     0x000000008
-#define DOMAIN_ACCESS_CREATE_USER    0x000000010
-#define DOMAIN_ACCESS_CREATE_GROUP   0x000000020
-#define DOMAIN_ACCESS_CREATE_ALIAS   0x000000040
-#define DOMAIN_ACCESS_UNKNOWN_80     0x000000080
-#define DOMAIN_ACCESS_ENUM_ACCOUNTS  0x000000100
-#define DOMAIN_ACCESS_OPEN_ACCOUNT   0x000000200
-#define DOMAIN_ACCESS_SET_INFO_3     0x000000400
-
-#define DOMAIN_ALL_ACCESS  ( STANDARD_RIGHTS_REQUIRED_ACCESS | \
-                             DOMAIN_ACCESS_SET_INFO_3        | \
-			     DOMAIN_ACCESS_OPEN_ACCOUNT      | \
-			     DOMAIN_ACCESS_ENUM_ACCOUNTS     | \
-			     DOMAIN_ACCESS_UNKNOWN_80        | \
-			     DOMAIN_ACCESS_CREATE_ALIAS      | \
-			     DOMAIN_ACCESS_CREATE_GROUP      | \
-			     DOMAIN_ACCESS_CREATE_USER       | \
-			     DOMAIN_ACCESS_SET_INFO_2        | \
-			     DOMAIN_ACCESS_LOOKUP_INFO_2     | \
-			     DOMAIN_ACCESS_SET_INFO_1        | \
+#define DOMAIN_ACCESS_LOOKUP_INFO_1        0x000000001
+#define DOMAIN_ACCESS_SET_INFO_1           0x000000002
+#define DOMAIN_ACCESS_LOOKUP_INFO_2        0x000000004
+#define DOMAIN_ACCESS_SET_INFO_2           0x000000008
+#define DOMAIN_ACCESS_CREATE_USER          0x000000010
+#define DOMAIN_ACCESS_CREATE_GROUP         0x000000020
+#define DOMAIN_ACCESS_CREATE_ALIAS         0x000000040
+#define DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM  0x000000080
+#define DOMAIN_ACCESS_ENUM_ACCOUNTS        0x000000100
+#define DOMAIN_ACCESS_OPEN_ACCOUNT         0x000000200
+#define DOMAIN_ACCESS_SET_INFO_3           0x000000400
+
+#define DOMAIN_ALL_ACCESS  ( STANDARD_RIGHTS_REQUIRED_ACCESS   | \
+                             DOMAIN_ACCESS_SET_INFO_3          | \
+			     DOMAIN_ACCESS_OPEN_ACCOUNT        | \
+			     DOMAIN_ACCESS_ENUM_ACCOUNTS       | \
+			     DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM | \
+			     DOMAIN_ACCESS_CREATE_ALIAS        | \
+			     DOMAIN_ACCESS_CREATE_GROUP        | \
+			     DOMAIN_ACCESS_CREATE_USER         | \
+			     DOMAIN_ACCESS_SET_INFO_2          | \
+			     DOMAIN_ACCESS_LOOKUP_INFO_2       | \
+			     DOMAIN_ACCESS_SET_INFO_1          | \
 			     DOMAIN_ACCESS_LOOKUP_INFO_1 )
 			   
-#define DOMAIN_READ        ( STANDARD_RIGHTS_READ_ACCESS     | \
-                             DOMAIN_ACCESS_UNKNOWN_80        | \
+#define DOMAIN_READ        ( STANDARD_RIGHTS_READ_ACCESS       | \
+                             DOMAIN_ACCESS_LOOKUP_ALIAS_BY_MEM | \
 			     DOMAIN_ACCESS_LOOKUP_INFO_2 )
 
-#define DOMAIN_WRITE       ( STANDARD_RIGHTS_WRITE_ACCESS    | \
-                             DOMAIN_ACCESS_SET_INFO_3        | \
-			     DOMAIN_ACCESS_CREATE_ALIAS      | \
-			     DOMAIN_ACCESS_CREATE_GROUP      | \
-			     DOMAIN_ACCESS_CREATE_USER       | \
-			     DOMAIN_ACCESS_SET_INFO_2        | \
+#define DOMAIN_WRITE       ( STANDARD_RIGHTS_WRITE_ACCESS      | \
+                             DOMAIN_ACCESS_SET_INFO_3          | \
+			     DOMAIN_ACCESS_CREATE_ALIAS        | \
+			     DOMAIN_ACCESS_CREATE_GROUP        | \
+			     DOMAIN_ACCESS_CREATE_USER         | \
+			     DOMAIN_ACCESS_SET_INFO_2          | \
 			     DOMAIN_ACCESS_SET_INFO_1 )
 
-#define DOMAIN_EXECUTE     ( STANDARD_RIGHTS_EXECUTE_ACCESS  | \
-                             DOMAIN_ACCESS_OPEN_ACCOUNT      | \
-			     DOMAIN_ACCESS_ENUM_ACCOUNTS     | \
+#define DOMAIN_EXECUTE     ( STANDARD_RIGHTS_EXECUTE_ACCESS    | \
+                             DOMAIN_ACCESS_OPEN_ACCOUNT        | \
+			     DOMAIN_ACCESS_ENUM_ACCOUNTS       | \
 			     DOMAIN_ACCESS_LOOKUP_INFO_1 )            
 
 /* Access bits to User-objects */