Am frisch gejointen Windows-7-Client die GPMC geöffnet und eine neue, leere GPO angelegt. Dann samba/debug/level=10 gesetzt, Samba neu gestartet und in der GPMC einen Benutzer "user1" zur Liste der leseberechtigten Konten hinzugefügt. In log.samba sieht man, dass der Client "1: SEC_DESC_DACL_AUTO_INHERIT_REQ" in Samba/AD schreibt, was in SDDL dem DACL-Flag "AR" entspricht (siehe "D:PAR" im nTSecurityDescriptor unten). In log.smbd sieht man aber, dass der Client "0: SEC_DESC_DACL_AUTO_INHERIT_REQ" in die NTACL schreibt (type 0x9c04). Der Security Descriptor des GPO-Objekts im AD und die NTACL des zugehörigen SYSVOL-Verzeichnisses unterscheiden sich damit in diesem Flag. Teile von log.samba: ============================================================================== +[2019/06/26 18:50:01.099733, 10, pid=12533, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug) + ldb: start ldb transaction success +[2019/06/26 18:50:01.099939, 10, pid=12533, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug) + ldb: ldb_trace_request: MODIFY + dn: cn={ABAEADCF-E88C-4C9D-B449-B196350A4E0C},cn=policies,cn=system,DC=ar41i1,DC=qa + changetype: modify + replace: nTSecurityDescriptor + nTSecurityDescriptor: D:PAR(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCL + CLORCWOWDSDDTSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPWPCCDCLCLORC + WOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(A;CI + ;RPLCLORC;;;ED)(A;CI;RPLCRC;;;S-1-5-21-2660895256-1678062113-3852026326-1115) + (OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(OA;CI;CR;edacfd8f-ffb3-11 + d1-b41d-00a0c968f939;;S-1-5-21-2660895256-1678062113-3852026326-1115) + - + + + control: 1.2.840.113556.1.4.801 crit:1 data:yes + control: 1.3.6.1.4.1.7165.4.3.17 crit:0 data:no + +[2019/06/26 18:50:01.100026, 10, pid=12533, effective(0, 0), real(0, 0), class=ldb] ../../lib/ldb-samba/ldb_wrap.c:79(ldb_wrap_debug) [...] 
+[2019/06/26 18:50:01.120898, 10, pid=12533, effective(0, 0), real(0, 0)] ../../source4/dsdb/samdb/ldb_modules/descriptor.c:419(get_new_descriptor) + Object cn={ABAEADCF-E88C-4C9D-B449-B196350A4E0C},cn=policies,cn=system,DC=ar41i1,DC=qa created with descriptor O:DAG:DAD:PAR(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(A;CI;RPLCLORC;;;ED)(A;CI;RPLCRC;;;S-1-5-21-2660895256-1678062113-3852026326-1115)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2660895256-1678062113-3852026326-1115)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) [...] +[2019/06/26 18:50:01.142917, 5, pid=12533, effective(0, 0), real(0, 0)] ../../lib/audit_logging/audit_logging.c:95(audit_log_human_text) + DSDB Change [Modify] at [Wed, 26 Jun 2019 18:50:01.142888 CEST] status [Success] remote host [ipv4:10.200.8.230:59997] SID [S-1-5-21-2660895256-1678062113-3852026326-500] DN [cn={ABAEADCF-E88C-4C9D-B449-B196350A4E0C},cn=policies,cn=system,DC=ar41i1,DC=qa] attributes [replace: nTSecurityDescriptor {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}] + {"timestamp": "2019-06-26T18:50:01.143005+0200", "type": "dsdbChange", "dsdbChange": {"version": {"major": 1, "minor": 0}, "statusCode": 0, "status": "Success", "operation": "Modify", "remoteAddress": "ipv4:10.200.8.230:59997", "performedAsSystem": false, "userSid": "S-1-5-21-2660895256-1678062113-3852026326-500", "dn": "cn={ABAEADCF-E88C-4C9D-B449-B196350A4E0C},cn=policies,cn=system,DC=ar41i1,DC=qa", "transactionId": "edf07c2d-4807-457c-9710-7676644920be", "sessionId": "7ed143bd-5b5c-4eab-88e7-448f1f09cde6", "attributes": {"nTSecurityDescriptor": {"actions": [{"action": "replace", "values": 
[{"base64": true, "value": "AQAXmRQAAAAwAAAATAAAAMQAAAABBQAAAAAABRUAAAAYCpqeITIFZNZBmeUAAgAAAQUAAAAAAAUVAAAAGAqaniEyBWTWQZnlAAIAAAQAeAACAAAAB1o4ACAAAAADAAAAvjsO8/Cf0RG2AwAA+ANnwaV6lr/mDdARooUAqgAwSeIBAQAAAAAAAQAAAAAHWjgAIAAAAAMAAAC/Ow7z8J/REbYDAAD4A2fBpXqWv+YN0BGihQCqADBJ4gEBAAAAAAABAAAAAAQASAEKAAAAAAIkAP8ADwABBQAAAAAABRUAAAAYCpqeITIFZNZBmeUAAgAAAAIkAP8ADwABBQAAAAAABRUAAAAYCpqeITIFZNZBmeUHAgAAAAoUAP8ADwABAQAAAAAAAwAAAA +> + AAACQA/wAPAAEFAAAAAAAFFQAAABgKmp4hMgVk1kGZ5QACAAAAAhQA/wAPAAEBAAAAAAAFEgAAAAACFACUAAIAAQEAAAAAAAULAAAAAAIUAJQAAgABAQAAAAAABQkAAAAAAiQAFAACAAEFAAAAAAAFFQAAABgKmp4hMgVk1kGZ5VsEAAAFAigAAAEAAAEAAACP/azts//REbQdAKDJaPk5AQEAAAAAAAULAAAABQI4AAABAAABAAAAj/2s7bP/0RG0HQCgyWj5OQEFAAAAAAAFFQAAABgKmp4hMgVk1kGZ5VsEAAA="}]}]}}}} ============================================================================== Teile von log.smbd: ============================================================================== +[2019/06/26 18:50:04.558115, 10, pid=12534, effective(0, 5000), real(0, 0)] ../../source3/smbd/nttrans.c:956(set_sd) + set_sd for file ar41i1.qa/Policies/{ABAEADCF-E88C-4C9D-B449-B196350A4E0C}/User -- +[2019/06/26 18:50:04.607911, 10, pid=12534, effective(0, 5000), real(0, 0)] ../../source3/smbd/nttrans.c:956(set_sd) + set_sd for file ar41i1.qa/Policies/{ABAEADCF-E88C-4C9D-B449-B196350A4E0C}/GPT.INI -- +[2019/06/26 18:50:04.664002, 10, pid=12534, effective(0, 5000), real(0, 0)] ../../source3/smbd/nttrans.c:956(set_sd) + set_sd for file ar41i1.qa/Policies/{ABAEADCF-E88C-4C9D-B449-B196350A4E0C}/Machine -- +[2019/06/26 18:50:04.696057, 10, pid=12534, effective(0, 5000), real(0, 0)] ../../source3/smbd/nttrans.c:956(set_sd) + set_sd for file ar41i1.qa/Policies/{ABAEADCF-E88C-4C9D-B449-B196350A4E0C} +[2019/06/26 18:50:04.696078, 1, pid=12534, effective(0, 5000), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:422(ndr_print_debug) + psd: struct security_descriptor + revision : SECURITY_DESCRIPTOR_REVISION_1 (1) + type : 0x9c04 (39940) + 0: 
SEC_DESC_OWNER_DEFAULTED + 0: SEC_DESC_GROUP_DEFAULTED + 1: SEC_DESC_DACL_PRESENT + 0: SEC_DESC_DACL_DEFAULTED + 0: SEC_DESC_SACL_PRESENT + 0: SEC_DESC_SACL_DEFAULTED + 0: SEC_DESC_DACL_TRUSTED + 0: SEC_DESC_SERVER_SECURITY + 0: SEC_DESC_DACL_AUTO_INHERIT_REQ + 0: SEC_DESC_SACL_AUTO_INHERIT_REQ + 1: SEC_DESC_DACL_AUTO_INHERITED + 1: SEC_DESC_SACL_AUTO_INHERITED + 1: SEC_DESC_DACL_PROTECTED + 0: SEC_DESC_SACL_PROTECTED + 0: SEC_DESC_RM_CONTROL_VALID + 1: SEC_DESC_SELF_RELATIVE + owner_sid : * + owner_sid : S-1-5-21-2660895256-1678062113-3852026326-512 + group_sid : * + group_sid : S-1-5-21-2660895256-1678062113-3852026326-512 + sacl : NULL + dacl : * + dacl: struct security_acl [...] ==============================================================================