on DS acl
Matthieu Patou
mat+Informatique.Samba at matws.net
Wed Apr 7 15:23:32 MDT 2010
Hello Nadya,
I was looking a bit more carefully at the ACL due to differences in
upgrade provision and I found this:
After recalculation
O:DAG:DU
D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIID;RPLCLORC;;;AU)(OA;CIID;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CIID;RPLCLORC;;;ED)
S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
From provision
O:DAG:DU
D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIID;RPLCLORC;;;AU)(OA;CIID;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CIID;RPLCLORC;;;ED)(A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
There are a couple of subtle differences in the DACL (the SACL is OK); these two
entries are duplicated:
* (A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)
* (A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
They are in the reference provision but not in the upgraded
provision. This small difference has a simple explanation: for the core
GPO we manually set the ACL in the LDIF.
My question: is it normal that when specifying 1 ACE with CO I finally
get a second one (I suppose that there is some magic implying the
default ACL for this object class also)?
Matthieu.
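
The comparison made in the message above, as an added example that is not part of the original post or of Samba's code: it parses the two DACL strings quoted in the message and reports, as multisets, the ACEs one descriptor has in excess of the other and the ACEs repeated within a single DACL. The function names are hypothetical, and the parser assumes simple (non-conditional) ACEs whose flags and rights use two-letter tokens, as in the strings quoted here.

```python
import re
from collections import Counter, namedtuple

Ace = namedtuple("Ace", "type flags rights object_guid inherit_guid sid")

# DACL printed under "After recalculation" in the message above.
RECALCULATED = (
    "D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)(A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CIID;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CIID;RPLCLORC;;;AU)(OA;CIID;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
    "(A;CIID;RPLCLORC;;;ED)"
)
# DACL printed under "From provision": the same ACEs plus two trailing ones.
PROVISION = (RECALCULATED
    + "(A;ID;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)")

def pairs(s):
    """Split a run of two-letter SDDL tokens (flags or rights) into a set."""
    return frozenset(s[i:i + 2] for i in range(0, len(s), 2))

def parse_dacl(sddl):
    """Return the DACL's ACEs in order; flag/right token order is normalised."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        f = body.split(";")
        if len(f) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append(Ace(f[0], pairs(f[1]), pairs(f[2]), f[3].lower(), f[4].lower(), f[5]))
    return aces

def duplicated(aces):
    """ACEs that occur more than once in a single DACL, with their counts."""
    return {a: n for a, n in Counter(aces).items() if n > 1}

def extra(reference, other):
    """Multiset difference: ACEs `reference` has more copies of than `other`."""
    return Counter(reference) - Counter(other)

if __name__ == "__main__":
    prov, recalc = parse_dacl(PROVISION), parse_dacl(RECALCULATED)
    for ace, n in extra(prov, recalc).items():
        print("extra in provision x%d:" % n, ace.type, sorted(ace.flags), ace.sid)
    print("duplicated in provision:", len(duplicated(prov)))
```

A set-based comparison would report the two descriptors as identical, because every ACE in one also appears in the other; counting occurrences is what exposes the duplicates.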