Steps to reproduce:

Assume the computer is named FISHIE and it's on an AD domain called

# Example 1: a local folder

1. Create a folder

2. Set security on it as follows:
   Remove all existing permissions and inheritance
   Grant full control to FISHIE\Administrators

3. Add "Domain Users" to FISHIE\Administrators

4. Log in on FISHIE as a domain user, and attempt to enter the folder.

Expected behaviour: a user in the Domain Users group should be able to access
the folder because Domain Users is in FISHIE\Administrators and the latter has
full access to the folder.

Actual behaviour: access denied.

This appears to affect shares as well, sometimes?
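
The steps above as a PowerShell script, added here as an example and not part of the original post. The path `C:\AclRepro` and the domain name `EXAMPLE` are placeholders (the post does not give the domain name). Part 1 runs in an elevated session on the test machine; Part 2 runs in the domain user's session and records both the groups in that logon token and the access result, so the two can be compared against the folder's ACL.

```powershell
# --- Part 1: run in an elevated PowerShell session on the test machine ---
$Folder    = 'C:\AclRepro'    # hypothetical test path
$Domain    = 'EXAMPLE'        # placeholder: the domain name is not given in the post
$AdminsSid = 'S-1-5-32-544'   # well-known SID of the local Administrators group

# Step 1: create the folder
New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# Step 2: remove inherited ACEs and leave "Administrators: Full Control"
# (applied to this folder, subfolders and files) as the only entry
icacls $Folder /inheritance:r /grant:r "*${AdminsSid}:(OI)(CI)F" | Out-Null

# Step 3: add Domain Users to the local Administrators group
Add-LocalGroupMember -SID $AdminsSid -Member "$Domain\Domain Users"

# Record the resulting ACL and group membership for the report
icacls $Folder
Get-LocalGroupMember -SID $AdminsSid |
    Format-Table Name, ObjectClass, PrincipalSource

# --- Part 2 (step 4): run in the domain user's session on the same machine ---
# List every group in the current logon token together with its attributes
whoami /groups /fo list

# Attempt to enter the folder and report the outcome
try {
    Get-ChildItem -Path 'C:\AclRepro' -ErrorAction Stop | Out-Null
    'access: allowed'
}
catch {
    "access: denied ($($_.Exception.GetType().Name))"
}
```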