diff --git a/auth/common_auth.h b/auth/common_auth.h
index 58fb2cd0b3d..806f4330cca 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -41,6 +41,7 @@ enum auth_password_state {
 #define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */
 #define AUTH_SESSION_INFO_NTLM 0x10 /* The returned token must have authenticated-with-NTLM flag set */
 #define AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION 0x20 /* The user authenticated with a device. */
+#define AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS 0x40 /* Add the device to the default world and network groups */
 struct auth_usersupplied_info {
diff --git a/source4/auth/session.c b/source4/auth/session.c
index ad094d207c0..3d0f2b588d3 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -190,10 +190,29 @@ _PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
 return NT_STATUS_NO_MEMORY;
 }
- /*
- * TODO: if we find out that we need to add default SIDs to the device
- * SIDs, as well as to the client SIDs, we’ll do that here.
- */
+ for (i = 0; i < num_device_sids; i++) {
+ device_sids[i] = device_info_dc->sids[i];
+ }
+
+ if (session_info_flags & AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS) {
+ device_sids = talloc_realloc(tmp_ctx,
+ device_sids,
+ struct auth_SidAttr,
+ num_device_sids + 2);
+ if (device_sids == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ device_sids[num_device_sids++] = (struct auth_SidAttr) {
+ .sid = global_sid_World,
+ .attrs = SE_GROUP_DEFAULT_FLAGS,
+ };
+ device_sids[num_device_sids++] = (struct auth_SidAttr) {
+ .sid = global_sid_Network,
+ .attrs = SE_GROUP_DEFAULT_FLAGS,
+ };
+ }
 }
 nt_status = security_token_create(mem_ctx,
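Review bot: The session.c hunk replaces the TODO with uncommented code, so a reader now has to go back to the header to learn why World and Network are appended to the device SIDs only when the flag is set; a short comment above the `if`, such as `/* Callers that set AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS want the device token to carry the same default World and Network groups the client SIDs get. */`, would keep the intent the removed comment carried. The realloc assigns straight over `device_sids`, which is only safe because the previous allocation stays owned by `tmp_ctx` and is released on the NT_STATUS_NO_MEMORY path by `TALLOC_FREE(tmp_ctx)`; a one-line comment saying so would stop a later maintainer from "fixing" it into the temporary-pointer pattern. The `+ 2` in the realloc and the two compound-literal stores are kept in step by hand; a small static table of the two default SIDs iterated in a loop would hold the count and the entries in one place. The enclosing block and auth_generate_security_token itself both begin and end outside the hunk, so the original `device_sids` allocation and whatever null-check guards `device_info_dc` are not visible here and I have assumed they exist.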