Comment 1 for bug 1988850

Alexander Fieroch (fieroch) wrote :

Ok, I correct myself - it's not good to change the order in nsswitch.conf!

After preferring winbind first, local users in local group 1000 are resolved as "BUILTIN\administrators" in AD and local users in local group 1001 are in the domain group "BUILTIN\users", which is not wanted and could be a security problem.
Not changing the order resolves users who are in the domain group 1001 ("BUILTIN\users") to a local group 1001, which is not wanted either!

So I think we have a security problem here as long as I'm not doing something wrong with the config.

My solution now is to change the IDs for local users and groups to higher ones that are not used in AD, and to change permissions accordingly.
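
A check for the GID overlap described in this comment, as an added example that is not part of the original comment or the bug report: it lists every GID that maps to one group name in the local files and a different one in winbind. The function names and the sample entries (`alice`, `staff`, `EXAMPLE\domain users`) are constructed; only the 1000 and 1001 mappings to the BUILTIN groups come from the comment.

```shell
#!/bin/sh
# Added example: list GIDs that resolve to different group names in two
# NSS sources. Input uses group(5) format: name:passwd:gid:members
# Output columns (tab-separated): gid, local name, domain name

gid_collisions() {
    # $1 = local groups, $2 = domain groups
    # On a real host (assumption: winbind group enumeration is enabled):
    #   getent -s files group   > local.txt
    #   getent -s winbind group > domain.txt
    awk -F: '
        FILENAME == ARGV[1] { if ($3 != "") local_name[$3] = $1; next }
        ($3 in local_name) && local_name[$3] != $1 {
            printf "%s\t%s\t%s\n", $3, local_name[$3], $1
        }
    ' "$1" "$2" | sort -n
}

run_sample() {
    # Constructed sample data reproducing the overlap from the comment.
    dir=$(mktemp -d) || return 1
    cat > "$dir/local" <<'EOF'
root:x:0:
alice:x:1000:
staff:x:1001:alice
EOF
    cat > "$dir/domain" <<'EOF'
BUILTIN\administrators:x:1000:
BUILTIN\users:x:1001:
EXAMPLE\domain users:x:10513:
EOF
    gid_collisions "$dir/local" "$dir/domain"
    rm -rf "$dir"
}

run_sample
```

Any line in the output is a GID where file ownership and group permissions depend on the lookup order in nsswitch.conf.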