@@ -, +, @@
--- __init__.py | 119 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 112 insertions(+), 7 deletions(-)
--- a/__init__.py
+++ a/__init__.py
@@ -1691,11 +1691,79 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access): ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) + + LA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)) + DA = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) + CO = security.dom_sid(security.SID_CREATOR_OWNER) + + PAI_filter = False + PAI = (security.SEC_DESC_DACL_AUTO_INHERITED | security.SEC_DESC_DACL_PROTECTED) + + if fsacl.type & PAI == PAI: + PAI_filter = True + + sd = security.descriptor.from_sddl(acl, domainsid) + sd.type |= security.SEC_DESC_DACL_AUTO_INHERITED + acl = sd.as_sddl(domainsid) + + sd3 = security.descriptor() + sd3.owner_sid = sd.owner_sid + sd3.group_sid = sd.group_sid + sd3.type = sd.type + sd3.type &= ~ security.SEC_DESC_DACL_PROTECTED + sd3.revision = sd.revision + + sd2 = security.descriptor() + sd2.owner_sid = sd.owner_sid + sd2.group_sid = sd.group_sid + sd2.type = sd.type + sd2.type &= ~ security.SEC_DESC_DACL_PROTECTED + sd2.revision = sd.revision + skip_other_da_aces = False + for i in range(0, len(sd.dacl.aces)): + if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA): + continue + if sd.dacl.aces[i].trustee == DA: + skip_other_da_aces = True + if str(sd.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER: + continue + #sd.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE + sd3.dacl_add(sd.dacl.aces[i]) + sd.dacl.aces[i].flags |= security.SEC_ACE_FLAG_INHERITED_ACE + sd.dacl.aces[i].flags &= ~ (security.SEC_ACE_FLAG_OBJECT_INHERIT | security.SEC_ACE_FLAG_CONTAINER_INHERIT) + sd2.dacl_add(sd.dacl.aces[i]) + acl2 = sd2.as_sddl(domainsid) + acl3 = sd3.as_sddl(domainsid) + #print "ACL1: %s" % acl + #print "ACL2: %s" % acl2 + #print "ACL3: %s" % acl3 + 
else: + sd = security.descriptor.from_sddl(acl, domainsid) + + sd3 = security.descriptor() + sd3.owner_sid = sd.owner_sid + sd3.group_sid = sd.group_sid + sd3.type = sd.type + sd3.revision = sd.revision + + skip_other_da_aces = False + for i in range(0, len(sd.dacl.aces)): + if skip_other_da_aces and sd.dacl.aces[i].trustee in (DA, LA): + continue + if sd.dacl.aces[i].trustee == DA: + skip_other_da_aces = True + if str(sd.dacl.aces[i].trustee) == security.SID_CREATOR_OWNER: + continue + sd3.dacl_add(sd.dacl.aces[i]) + acl3 = sd3.as_sddl(domainsid) + acl2 = acl3 + #print "ACL1: %s" % acl + #print "ACL3: %s" % acl3 fsacl_sddl_mapped = fsacl.as_sddl(domainsid) if fsacl_sddl_mapped != acl: - raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl_mapped, acl)) + raise ProvisioningError('%s NTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), path, fsacl_sddl_mapped, acl)) for root, dirs, files in os.walk(path, topdown=False): for name in files: 
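Review bot: The branch predicate `if fsacl.type & PAI == PAI:` does not test the two PAI control bits, because Python gives `==` higher precedence than `&`, so it evaluates `fsacl.type & (PAI == PAI)`, i.e. `fsacl.type & 1`; it should read `if (fsacl.type & PAI) == PAI:`. As written, the choice between the two expected-ACL variants the filesystem descriptor is compared against is decided by an unrelated low-order control bit, so the check can raise or pass for the wrong reason. The `LA` and `DA` SIDs introduced here duplicate the inline `security.dom_sid("%s-%d" % ...)` calls in the preceding context lines, which could now use them. The flag edits applied to `sd.dacl.aces[i]` after `sd3.dacl_add(sd.dacl.aces[i])` mutate the same ACE object, so if dacl_add stores a reference rather than a copy, sd3's ACEs also pick up INHERITED_ACE — worth confirming against the binding. check_dir_acl starts before this hunk.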
@@ -1708,10 +1776,28 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access): ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) - fsacl_sddl_mapped = fsacl.as_sddl(domainsid) - if fsacl_sddl_mapped != acl: - raise ProvisioningError('%s NTACL of GPO file %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl)) + fsacl2 = security.descriptor() + fsacl2.owner_sid = fsacl.owner_sid + fsacl2.group_sid = fsacl.group_sid + fsacl2.type = fsacl.type + fsacl2.revision = fsacl.revision + skip_other_da_aces = False + for i in range(0, len(fsacl.dacl.aces)): + if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA): + continue + if fsacl.dacl.aces[i].trustee == DA: + skip_other_da_aces = True + fsacl2.dacl_add(fsacl.dacl.aces[i]) + try: + fsacl2.dacl_del(CO) + except: + pass + + fsacl_sddl_mapped = fsacl2.as_sddl(domainsid) + + if fsacl_sddl_mapped != acl2: + raise ProvisioningError('%s NTACL of GPO file %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl2)) for name in dirs: fsacl = getntacl(lp, os.path.join(root, name), 
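Review bot: The `try: fsacl2.dacl_del(CO) except: pass` added here (and the identical block in the next hunk for directories) is a bare except, so it also swallows KeyboardInterrupt and any unrelated failure inside dacl_del rather than only the no-matching-ACE case; narrow it to the exception dacl_del raises when no ACE for the trustee exists, or check for a CREATOR_OWNER ACE before deleting. Because the CO ACE is dropped from the filesystem side regardless of its access mask, and the expected side also skips CO ACEs, the comparison can no longer detect a CREATOR_OWNER ACE that grants more than the GPO object expects; if that blind spot is intended, a comment such as `# CREATOR_OWNER ACEs are ignored on both sides: <reason>` at the loop would make it explicit. `DA`, `LA` and `CO` are defined earlier in check_dir_acl, outside this hunk, and the enclosing os.walk loop also starts outside it.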
@@ -1723,10 +1809,29 @@ def check_dir_acl(path, acl, lp, domainsid, direct_db_access): ## If LA in filesystem then treat it as DA for comparison (reversing what samba.ntacls.setntacl did) if fsacl.owner_sid == security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINISTRATOR)): fsacl.owner_sid = security.dom_sid("%s-%d" % (domainsid, security.DOMAIN_RID_ADMINS)) - fsacl_sddl_mapped = fsacl.as_sddl(domainsid) - if fsacl_sddl_mapped != acl: - raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl)) + fsacl2 = security.descriptor() + fsacl2.owner_sid = fsacl.owner_sid + fsacl2.group_sid = fsacl.group_sid + fsacl2.type = fsacl.type + fsacl2.revision = fsacl.revision + skip_other_da_aces = False + for i in range(0, len(fsacl.dacl.aces)): + if skip_other_da_aces and fsacl.dacl.aces[i].trustee in (DA, LA): + continue + fsacl.dacl.aces[i].flags &= ~ security.SEC_ACE_FLAG_INHERITED_ACE + if fsacl.dacl.aces[i].trustee == DA: + skip_other_da_aces = True + fsacl2.dacl_add(fsacl.dacl.aces[i]) + try: + fsacl2.dacl_del(CO) + except: + pass + + fsacl_sddl_mapped = fsacl2.as_sddl(domainsid) + + if fsacl_sddl_mapped != acl3: + raise ProvisioningError('%s XNTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl3)) def check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, direct_db_access): --
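Review bot: The new error message reads `'%s XNTACL of GPO directory %s ...'`; the `X` in `XNTACL` looks like a stray debug marker and differs from the `NTACL` wording used for files in the previous hunk, so it should be `'%s NTACL of GPO directory %s does not match value expected from GPO object\nFSACL: %s\nDSACL: %s'`. Anything that matches on the directory-mismatch message (tests, log monitoring) would otherwise miss it. The enclosing `for name in dirs:` loop starts outside this hunk.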