With ADCU it's impossible to see the ACL (Unable to display or something similar). To reproduce with a recent S4: * start ADCU * right click properties on containter Users at the root of the domain tree(CN=Users,DC=domain,DC=tld) * go to the security tab
The problem lies in ./source4/dsdb/samdb/ldb_modules/operational.c because the removal of nTSecurityDescriptor is a bit too simplistic. This page: http://msdn.microsoft.com/en-us/library/aa366987%28VS.85%29.aspx explains that when the following control is present 1.2.840.113556.1.4.801 (LDAP_SERVER_SD_FLAGS_OID) then SD must be included.
should be fixed with commit 41e403adb0fa76c8d15d5d1ef38b195a6da2265c Please test, and let me know if there is still a problem. Thanks for the bug report! Cheers, Tridge