if an admin applies delegation on GPOs and denies access to cerain trustees, then the next samba-tool ntacl sysvolreset will discard the deny ACEs. Next time MMC opend that GPO it will complain that ther permissions don't match and suggests to fix it, which will also work (till sysvolreset strikes again). WIP merge request is linked.
*** Bug 12236 has been marked as a duplicate of this bug. ***
*** Bug 9542 has been marked as a duplicate of this bug. ***
*** Bug 10606 has been marked as a duplicate of this bug. ***
*** Bug 11309 has been marked as a duplicate of this bug. ***
*** Bug 15518 has been marked as a duplicate of this bug. ***