if an admin applies delegation on GPOs and denies access to cerain trustees, then the next samba-tool ntacl sysvolreset will discard the deny ACEs. Next time MMC opend that GPO it will complain that ther permissions don't match and suggests to fix it, which will also work (till sysvolreset strikes again). WIP merge request is linked.
*** Bug 12236 has been marked as a duplicate of this bug. ***
*** Bug 9542 has been marked as a duplicate of this bug. ***
*** Bug 10606 has been marked as a duplicate of this bug. ***
*** Bug 11309 has been marked as a duplicate of this bug. ***
*** Bug 15518 has been marked as a duplicate of this bug. ***
This bug was referenced in samba master: 3e572824dcafc6544320bb1b306063035f1ecc37 29df0b6691d67816b146549b5b18883505a55649 62c8dc9fa1f00dd178468edf23d35f6316fce800 301c36d1ad6d81e4983001c607d501bea7551014 ff0e0045ed5ec619e8ef1910c0b72eb118f59bd3 20129d16dc30a2ab9ad0ae04fec5cf007ebb035d