Using the Windows 7 explorer the following NTACL was set on a folder in a 
share served by Samba4 RC2

root@master:~# samba-tool ntacl get --as-sddl  /myshare/folder1
O:S-1-5-21-2159416005-224523052-165761012-1549G:DUD:
(A;OICI;0x001f01ff;;;S-1-5-21-2159416005-224523052-165761012-1549)
(A;OICI;0x001200a9;;;DU)(A;OICI;       0x001200a9;;;WD)(A;;0x001200a9;;;DU)
(A;;0x001f01ff;;;S-1-5-21-2159416005-224523052-165761012-1549)
(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;0x001200a9;;;CG)

Trying to set this SDDL results in the following error:

root@master:~# samba-tool ntacl set 
'O:S-1-5-21-2159416005-224523052-165761012-1549G:DUD:AI(D;OICI;RPCRDCLC;;;DU)
(A;ID;0x001f01ff;;;S-1-5-21-2159416005-224523052-165761012-1549)
(A;OICIIOID;0x001f01ff;;;CO)(A;ID;0x001200a9;;;DU)(A;OICIIOID;0x001200a9;;;CG)
(A;OICIID;0x001200a9;;;WD)' /myshare/folder2
add_current_ace_to_acl: malformed ACL in file ACL ! Deny entry after Allow 
entry. Failing to set on file /myshare/folder2.