With ADCU it's impossible to see the ACL (Unable to display or something similar).
To reproduce with a recent S4:
* start ADCU
* right click properties on containter Users at the root of the domain tree(CN=Users,DC=domain,DC=tld)
* go to the security tab
The problem lies in ./source4/dsdb/samdb/ldb_modules/operational.c
because the removal of nTSecurityDescriptor is a bit too simplistic.
This page: http://msdn.microsoft.com/en-us/library/aa366987%28VS.85%29.aspx explains that when the following control is present 1.2.840.1135188.8.131.521 (LDAP_SERVER_SD_FLAGS_OID) then SD must be included.
should be fixed with commit 41e403adb0fa76c8d15d5d1ef38b195a6da2265c
Please test, and let me know if there is still a problem.
Thanks for the bug report!