A customer (via their customer liaison) started by asking why they were seeing an unexpected access control entry in the security descriptor of an object.
The ACEs on the parent grant access to Administrators, CREATOR OWNER, SYSTEM, and Users, but the ACEs on the child object (which should simply have been inherited from the parent) include ...