$%#@&^% I forgot to delete the profile. It works. Now I should be able
to make a new "Domain Power Users" group with "net groupmap add". How
does one find a new sid or can I just increment the last number used
like so:

[***@owl profiles]# net groupmap list
System Operators (S-1-5-32-549) -> -1
Domain Guests (S-1-5-21-1135672234-1853056381-2991119365-514) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Domain Users (S-1-5-21-1135672234-1853056381-2991119365-513) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> users
Domain Admins (S-1-5-21-1135672234-1853056381-2991119365-512) -> dadmin

Since S-1-5-21-1135672234-1853056381-2991119365-514 is the last number
displayed I could use:
S-1-5-21-1135672234-1853056381-2991119365-515

Also how does one remove a mapping from a local unixgroup? It seems
once mapped, I can only ever assign it to a new group or delete the
ntgroup and start again.

I can't follow you. Let's go part by part:

1. The concept of primary group is similar to Unix. There is nothing
particular with a primary group, except that it's mandatory. A user
*must* belong to at least one group. And, a user can belong to more than
one group. Thus, I don't understand you when you say "dadmin is not it's
primary group."

2. "Domain Users" is a global group belonging to a particular domain and
thus, any computer belonging to that domain, can reference it. There can
only exist one instance of the "Domain Administrators" global group for
every domain. Normally, you add all users from that domain to this
group, so you can reference all of them at once, for example, to allow
or deny access to a particular resource, machine, program, etc.

3. "Power Users" is a local group, not a global one. That is, it does
not belong to any domain, but belongs to a machine. It's said that the
"Power Users" group is not stored in a domain controller, but on the SAM
of a Windows machine (for example, a Windows XP computer). By saying
that it's a local group, I mean there exists one instance of this group
on every Windows computer, but no instances of it on any domain
controller. So, you should never ever create "Power Users" as a global
group on your Windows/Samba domain controller.

EXAMPLE:

Let's say you have 3 user accounts on the domain "DOM":

"DOM\A", "DOM\B" and "DOM\C".

If we want to make those users members of the "Power Users" group on the
Windows machine called MACHINE1, we usually do the following:

1. Add "DOM\A", "DOM\B" and "DOM\C" to the "Domain Users" global group
of the "DOM" domain (that is, we add them to "DOM\Domain Users").
2. Next, we log on to the MACHINE1 as an Administrator and then we add
the global group "DOM\Domain Users" to the local "Power Users" group.
3. The net effect is that since "DOM\A" is member of "DOM\Domain Users",
and "DOM\Domain Users" is also a member of the group "Power Users",
transitively, "DOM\A" becomes a member of the MACHINE1's "Power Users"
local group. Since by default on any Windows machine, every member of
the "Power Users" group has additional privileges over standard users
(like changing the system clock and shutting down the computer), the
user "DOM\A" will have those additional privileges.

We could have added "DOM\A", "DOM\B" and "DOM\C" directly to MACHINE1's
"Power Users", but what would happen if sometime in the future, a fourth
user "DOM\D" needs those elevated privileges. It's simpler to add
"DOM\D" to the "DOM\Domain Users" and then, by the transitive effect
described above, "DOM\D" will automatically be considered a member of
the local "Power Users" group for MACHINE1.

Since "Power Users" is local to all machines, you'll have to repeat this
operation on every Windows machine in which you want this mapping.

I hope this is clearer now.