Microsoft will, as part of this security release, change the ACL model in Windows such that new objects must honour some kind of ACL (details to be determined).
That is, instead of as per MS-ADTS 22.214.171.124 Access Rights
The new behaviour is likely to be that the ACL will be inherited onto a new object, with any automatic attributes created, then all other changes considered as requiring WP after the fact, just as they would once the object has been created.
This will include the obvious case of the new object having an ACL in ntSecurityDescriptor in the ADD.
A top level bug 14564 / CVE-2020-25722 will be used for these related issues.
Fixing this has been deferred to master, but we may backport this if we find a condition where this, rather than a per-attribute check, is most appropriate.
Removing embargo. Patches to address this are public at https://gitlab.com/samba-team/samba/-/merge_requests/2514
This bug was referenced in samba master: