
(#11563) Create an explicit ace if the old ace is inherited
Commit b7c563d17c67


Description

(#11563) Create an explicit ace if the old ace is inherited

Given a directory owned by Administrators and group None, and with DACL:

NT AUTHORITY\SYSTEM:(I)(OI)(CI)               0x1f01ff
BUILTIN\Administrators:(I)(OI)(CI)            0x1f01ff
WIN-QP47VOHA2P4\albert:(I)(OI)(CI)            0x1f01ff

where the ACE for the owner is inherited (I). If puppet changed the owner to
Users, it would copy all of the inherited ACEs as-is. But the new owner
would not have any privileges, even though the old owner did. The same is
true for group.

This commit ensures that if we see an inherited ACE for the old owner, we
prepend a new explicit ACE, whose type (allow or deny), flags and mask
grant/deny the same access as the inherited ACE did.

Note that not all flags are valid when setting an ACE, e.g. INHERITED_ACE is
only something you can read, not set.

As a result of this change, when puppet changes the owner from Administrators
to Users the dacl will have the following ACE prepended to the list, with
the existing inherited ACEs copied as-is:

BUILTIN\Users:(OI)(CI)                        0x1f01ff

Note that the new ACE has the same mask as the old one, and has the object
and container inherit flags set.
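The rule described in the commit message, modelled on an in-memory DACL as an added example (this is illustrative code written for this page, not Puppet's own implementation); the Ace struct, the reassign_principal helper and the sample DACL are assumptions, while the flag bit values are the documented winnt.h constants:

```ruby
# ACE flag bits as documented in winnt.h
OBJECT_INHERIT_ACE    = 0x01
CONTAINER_INHERIT_ACE = 0x02
INHERITED_ACE         = 0x10   # read-only: Windows reports it, you cannot set it

# Hypothetical ACE model: security principal, allow/deny, flags, access mask
Ace = Struct.new(:sid, :type, :flags, :mask) do
  def inherited?
    (flags & INHERITED_ACE) != 0
  end

  # Render roughly like icacls: SID:(I)(OI)(CI) allow 0x1f01ff
  def to_s
    tags = ''
    tags << '(I)'  if inherited?
    tags << '(OI)' if (flags & OBJECT_INHERIT_ACE) != 0
    tags << '(CI)' if (flags & CONTAINER_INHERIT_ACE) != 0
    format('%s:%s %s 0x%x', sid, tags, type, mask)
  end
end

# Copy every ACE as-is, but for each inherited ACE that belongs to old_sid
# (the previous owner or group) prepend an explicit ACE for new_sid with the
# same type and mask. INHERITED_ACE is cleared because it cannot be set on a
# new ACE; the object/container inherit flags are kept.
def reassign_principal(dacl, old_sid, new_sid)
  explicit = dacl.select { |ace| ace.sid == old_sid && ace.inherited? }
                 .map { |ace| Ace.new(new_sid, ace.type, ace.flags & ~INHERITED_ACE, ace.mask) }
  explicit + dacl.map(&:dup)
end

# Constructed sample DACL mirroring the one quoted in the commit message
INHERIT_ALL = INHERITED_ACE | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
SAMPLE_DACL = [
  Ace.new('NT AUTHORITY\SYSTEM',     :allow, INHERIT_ALL, 0x1f01ff),
  Ace.new('BUILTIN\Administrators',  :allow, INHERIT_ALL, 0x1f01ff),
  Ace.new('WIN-QP47VOHA2P4\albert',  :allow, INHERIT_ALL, 0x1f01ff),
]

if __FILE__ == $0
  # Owner changes from Administrators to Users; the same call serves a group change
  puts reassign_principal(SAMPLE_DACL, 'BUILTIN\Administrators', 'BUILTIN\Users')
end
```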

Details

Provenance
Authored by: Josh Cooper <josh@puppetlabs.com>
Pushed by: vanmeeuwen on Jun 2 2015, 2:22 PM
Parents: rPU0c69669a7702: (#11563) Output human readable security descriptor
Branches: Unknown
Tags: Unknown

Event Timeline

Josh Cooper <josh@puppetlabs.com> committed rPUb7c563d17c67: (#11563) Create an explicit ace if the old ace is inherited (authored by Josh Cooper <josh@puppetlabs.com>). Nov 27 2013, 2:34 AM