Since 4.2 samba can resolve BUILTIN groups via libwinbind-nss. But it still does not resolve "well known security principals" like "Authenticated Users".
On an AD DC the sysvol folder is created with read rights for "Authenticated Users" and Read/Write Rights for "Local System".
They get mapped by winbindd to local uid/gid in idmap.ldb but do not resolve to names.

Below are the default acl's after domain provision.

dc1#~getfacl /var/lib/samba/sysvol

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

dc1#~getfacl -n /var/lib/samba/sysvol

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: 0
# group: 3000000
user::rwx
user:0:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---


getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: 0
# group: 3000000
user::rwx
user:0:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---


Via idmap.ldb
3000002 maps to S-1-5-11 (Local System)
3000003 maps to S-1-5-18 (Authenticated Users)

BUILTIN\Administrators map to 3000000
BUILTIN\Server Operators map to 3000001

If I copy the sysvol folder to an second dc (dc2) with rsync

dc2#~rsync -XAavz -e ssh root@dc1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/

The two BUILTIN groups map to the proper gid's from the local idmap.ldb but the "Local System" and "Authenticated Users" keep the gid's from the source server.

dc2#~getfacl /var/lib/samba/sysvol

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:BUILTIN\134server\040operators:rwx
user:group\040policy\040creator\040owners:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:BUILTIN\134server\040operators:rwx
group:group\040policy\040creator\040owners:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:BUILTIN\134server\040operators:rwx
default:user:group\040policy\040creator\040owners:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:BUILTIN\134server\040operators:rwx
default:group:group\040policy\040creator\040owners:r-x
default:mask::rwx
default:other::---

dc2#~getfacl -n /var/lib/samba/sysvol

# file: var/lib/samba/sysvol/
# owner: 0
# group: 3000000
user::rwx
user:0:rwx
user:3000000:rwx
user:3000002:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000002:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:user:3000000:rwx
default:user:3000002:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000002:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

In this example on dc2 "BUILTIN\Server Operators" map to 3000002 and "Group Policy Creator Owners" map to 3000003.

Via idmap.ldb on dc2
3000007 maps to S-1-5-18 (Local System)
3000009 maps to S-1-5-11 (Authenticated Users)

This results in no read access rights for "Authenticated Users" means normal users can not access the sysvol share and can not read the gpo's.
Also "BUILTIN\Server Operators" now gained write access th sysvol on dc2.

getfacl after "samba-tool ntacl sysvolreset" on dc2:

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000007:r-x
user:3000009:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000007:r-x
group:3000009:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000007:r-x
default:user:3000009:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000007:r-x
default:group:3000009:rwx
default:mask::rwx
default:other::---

Since the posix acl's are still mandatory to access the share it does not help that the extended acl's in security.NTACL are not affected by this mapping problem. 
Even with acl_xattr:ignore system acls = Yes set an domain user can not access the sysvol share on dc2 without running sysvolreset or keeping idmap.ldb in sync.

If the "well known security principals" would be resolved like the BUILTIN groups via winbindd above problems would be fixed.