[Samba] unexpected groups 2000(BUILTIN\administrators) 2001(BUILTIN\users)?

Jeff Sadowski jeff.sadowski at gmail.com
Tue Apr 26 17:44:33 UTC 2016


So happy for the BadLock bug; it finally pushed Ubuntu to upgrade Samba :-)

So many things work better:

* I can now sudo without having to newgrp first
* I can now run id and get a list of all groups I am in
* I can now run getent group and get a list of the domain groups

But I now have two unexpected groups.

Running the following, I get:

id | sed 's/,/\n/g' | sort > id_without.txt
id $USER | sed 's/,/\n/g' | sort > id_with.txt
diff id_without.txt id_with.txt
12a13,14
> 2000(BUILTIN\administrators)
> 2001(BUILTIN\users)

2000 and 2001?
Where did these come from?
My domain groups start at 8000.
I have PowerBroker, which I use on this domain, and I can easily check which
groups have ids, and 8000 is as low as they go when I sort them.
My domain admin does not have a gid.
My domain users does, and I see it in both listings.

Here is my smb.conf

[global]
   security = ads
   realm = SUBDOMAIN.DOMAIN.TLD
   workgroup = SUBDOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config SUBDOMAIN:backend = ad
   idmap config SUBDOMAIN:schema_mode = rfc2307
   idmap config SUBDOMAIN:range = 8000-9999999
   winbind nss info = rfc2307
   winbind use default domain = yes
   # so that the users show up in getent
   winbind enum users = yes
   # so that the groups show up in getent
   winbind enum groups = yes
   restrict anonymous = 2
   #added the following 2 for the Badlock updates that change the defaults
   #to no longer work with my domain controllers
   ldap server require strong auth = no
   client ldap sasl wrapping = plain
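
As an added example (not part of the original post, and not Samba code): the two gids from the diff can be checked against the idmap ranges in the posted smb.conf. In Samba the `*` default idmap domain covers BUILTIN and other non-domain SIDs; the function names here are hypothetical.

```python
import re

# idmap lines copied from the smb.conf in the post above
SMB_CONF = """\
[global]
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config SUBDOMAIN:backend = ad
   idmap config SUBDOMAIN:schema_mode = rfc2307
   idmap config SUBDOMAIN:range = 8000-9999999
"""

# Accepts both spellings used in the post: "* : range" and "SUBDOMAIN:range"
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.IGNORECASE)


def parse_idmap(conf_text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        if option == "range":
            low, high = (int(part) for part in value.split("-", 1))
            value = (low, high)
        domains.setdefault(domain, {})[option] = value
    return domains


def owners_of(xid, domains):
    """Names of the idmap domains whose configured range contains xid."""
    return [name for name, cfg in domains.items()
            if "range" in cfg and cfg["range"][0] <= xid <= cfg["range"][1]]


def overlapping(domains):
    """Pairs of domains, neighbours when sorted by range, whose ranges overlap."""
    ranged = sorted((cfg["range"], name) for name, cfg in domains.items()
                    if "range" in cfg)
    return [(a[1], b[1]) for a, b in zip(ranged, ranged[1:]) if b[0][0] <= a[0][1]]


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for gid in (2000, 2001, 8000):      # 8000: lowest domain gid per the post
        print(gid, "->", owners_of(gid, cfg))
    print("overlaps:", overlapping(cfg))
```

With the posted configuration, 2000 and 2001 are the first two ids of the `*` tdb range, while 8000 and above belong to the `ad` backend for SUBDOMAIN.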

