diff --git a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
index 19b81b3e0ae..57077b3cea8 100644
--- a/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
+++ b/docs-xml/smbdotconf/winbind/winbindexpandgroups.xml
@@ -17,8 +17,13 @@
result in system slowdown as the main parent winbindd daemon
must perform the group unrolling and will be unable to answer
incoming NSS or authentication requests during this time.
-
+
+ The default value was changed from 1 to 0 with Samba 4.2.
+ Some broken applications calculate the group memberships of
+ users by traversing groups, such applications will require
+ "winbind expand groups = 1". But the new default makes winbindd more reliable
+ as it doesn't require SAMR access to domain controllers of trusted domains.
-1
+0
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 480f970b02e..21798d90d3e 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2672,7 +2672,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "ldap connection timeout", "2");
- lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "1");
+ lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "0");
lpcfg_do_global_parameter(lp_ctx, "stat cache", "yes");
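Review bot: The new default in `lpcfg_do_global_parameter(lp_ctx, "winbind expand groups", "0");` has no comment recording that it changes behaviour for every host that never set the option, and the same is true of `Globals.winbind_expand_groups = 0;` in init_globals() in source3/param/loadparm.c. According to the man-page text added in this commit, software that works out membership by traversing groups will get different results after the upgrade. If such a result feeds an access decision (a group-based deny rule in particular), the outcome may change silently, so the change should get a release-note entry as well as the man-page paragraph. I would add a short comment at both sites, for example `/* default was 1 before 4.2; 0 avoids SAMR lookups against trusted-domain DCs, see smb.conf(5) */`. The two defaults are set independently and have to be kept in step; both functions extend beyond the visible hunks.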
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index dee62246551..f3356bf86e6 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -802,7 +802,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.winbind_use_default_domain = false;
Globals.winbind_trusted_domains_only = false;
Globals.winbind_nested_groups = true;
- Globals.winbind_expand_groups = 1;
+ Globals.winbind_expand_groups = 0;
Globals.winbind_nss_info = (const char **)str_list_make_v3(NULL, "template", NULL);
Globals.winbind_refresh_tickets = false;
Globals.winbind_offline_logon = false;