At the moment we handle tree deletes as if they would be normal deletes regarding the ACLs. But this is not the Windows behaviour. If you've got there the TREE_DELETE right on the base object and send then the TREE_DELETE control you are able to delete all subobjects fully independently of their security descriptors (beside other checks as system flags and similar which remain). Source: MS-ADTS 3.1.1.5.5.7
Yeah, that's true. At the time the acl module was created we did not support the delete tree operation. I'll fix it when I have the time.
I'll upload patches for 4.0
Metze says this one is fixed in 4.0.0rc6 (with the patches for bug #8621). Closing out bug report. Thanks!