Trying to understand how DACL breaks down on an OU for example:
Access_Allowed_ACE = gives permissions on an object
Access_Allowed_object_ACE = gives permissions on an object, property set or property
so if you look in LDP:
Access_Allowed_ACE will only have a Object Ace Sid refering to the group that has the permission
Object Ace Sid: DOMAINA\Domain Admins S-1-5-21-xxxx
Access_Allowed_object_ACE will have an Object Ace Sid refering to the group that has the permission and a Object Ace Type which will show that the permission is on.
Object Ace Type: computer – bf967a86-0de6-11d0-a285-00aa003049e2
Object Ace Sid: S-1-5-32-548