5435e0a GPO: Group policy access evaluation not in line with [MS-ADTS]

1 file Authored by thor 3 years ago, Committed by pbrezina 3 years ago,
    GPO: Group policy access evaluation not in line with [MS-ADTS]
    
    The implemented security ACE evaluation algorithm is too strict and does not
    meet Microsoft technical specifications:
    Security access rights for a group policy object may be split into several
    access control entries (ACE). The implemented algorithm does not consider
    this and denies access to GPOs where the "ApplyGroupPolicy" (AGP) ACE is
    preceded by a standard access rights ACE. The algorithm also denies
    access if the AGP ACE is preceded by other extended object ACEs.
    
    Update security access right evaluation algorithms to be in line with the
    applicable Microsoft technical specifications:
    - Add a simple evaluation algorithm to check standard access rights for the
      complete GPO ([MS-ADTS] 5.1.3.3.2 and [MS-GOPD] 2.4):
      The requester must have been granted read access (RIGHT_DS_READ_PROPERTY)
      to the properties of the GPO
    - Fix the "ApplyGroupPolicy" evaluation algorithm to be in line with
      [MS-ADTS] 5.1.3.3.4
    
    Further improve debug messages during security filtering for administrators
    to figure out why access to a GPO was denied:
    - Inform administrators when a GPO with applicable AGP access right has not
      been evaluated due to missing or denied read access.
    - Show the trustee's SID that specifies the particular user or group for
      which GPO access has been denied
    - Align message content to Microsoft tools like Gpresult
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3324
    
    Signed-off-by: REIM THOMAS <reimth@gmail.com>
    Signed-off-by: Thomas Reim <reimth@gmail.com>
    
    Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
    Reviewed-by: Sumit Bose <sbose@redhat.com>
    
file modified
+197 -52
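To illustrate the two checks the commit message describes, here is an added, simplified model of [MS-ADTS]-style DACL evaluation; it is not SSSD's code. It assumes the standard AD access-mask bits for RIGHT_DS_READ_PROPERTY and RIGHT_DS_CONTROL_ACCESS, the well-known Apply-Group-Policy right GUID, and ignores inheritance flags; the DACL, the user SID and the second extended-right GUID are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

RIGHT_DS_READ_PROPERTY = 0x10    # assumed standard AD access-mask bit
RIGHT_DS_CONTROL_ACCESS = 0x100  # assumed standard AD access-mask bit
AGP_GUID = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"  # Apply-Group-Policy (assumed)
ALLOW, DENY = "allow", "deny"

@dataclass
class Ace:
    kind: str                          # ALLOW or DENY
    trustee: str                       # SID string
    mask: int                          # access mask
    object_type: Optional[str] = None  # right GUID for object ACEs, None for standard ACEs

def has_read_property(dacl, token):
    """[MS-ADTS] 5.1.3.3.2 style: walk every standard ACE in order. A matching
    deny seen before the right is granted wins; allows accumulate across ACEs."""
    granted = 0
    for ace in dacl:
        if ace.trustee not in token or ace.object_type is not None:
            continue  # ACE for another trustee, or scoped to a single property
        if ace.kind == DENY and ace.mask & RIGHT_DS_READ_PROPERTY:
            return False
        if ace.kind == ALLOW:
            granted |= ace.mask
            if granted & RIGHT_DS_READ_PROPERTY:
                return True
    return False

def has_apply_group_policy(dacl, token):
    """[MS-ADTS] 5.1.3.3.4 style: control access right check. Object ACEs count
    only when their GUID is AGP; a standard ACE carrying RIGHT_DS_CONTROL_ACCESS
    covers every control access right. Other extended rights are skipped, not denied."""
    for ace in dacl:
        if ace.trustee not in token or not ace.mask & RIGHT_DS_CONTROL_ACCESS:
            continue
        if ace.object_type not in (None, AGP_GUID):
            continue  # ACE for a different extended right; keep walking
        return ace.kind == ALLOW
    return False

def gpo_applies(dacl, token):
    """Return (applies, reason) so an administrator can see why a GPO was skipped."""
    if not has_read_property(dacl, token):
        return False, "read access to GPO properties missing or denied"
    if not has_apply_group_policy(dacl, token):
        return False, "ApplyGroupPolicy not granted"
    return True, "ok"

# Constructed DACL matching the report: a standard read ACE (Authenticated Users)
# and a different extended right precede the AGP ACE for the user's SID.
DACL = [
    Ace(ALLOW, "S-1-5-11", RIGHT_DS_READ_PROPERTY),
    Ace(ALLOW, "S-1-5-21-1-2-3-1105", RIGHT_DS_CONTROL_ACCESS, "00000000-0000-0000-0000-000000000001"),
    Ace(ALLOW, "S-1-5-21-1-2-3-1105", RIGHT_DS_CONTROL_ACCESS, AGP_GUID),
]
TOKEN = {"S-1-5-11", "S-1-5-21-1-2-3-1105"}  # user's SID plus Authenticated Users
```

A check that stops at the first ACE, or that expects the AGP ACE to come first, would deny this DACL; walking all ACEs grants it, while a leading deny ACE or a token without read access still yields a denial with a reason.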