samba - Mar 2015 - permissions with samba-tool dsacl

!! Regards !! 

I'm working on delegating permissions on samba 4, I am currently using
version 4.2, my problem is using the samba -tool dsacl command. With this
command I can add ACEs to the security descriptor of objects. The point is , h
ow I can remove ACE security descriptor ? , how can I do to deny a permit
granted without adding an ACE. I need to do it this way because reading the
security descriptor , I can know the object permissions.
I can not use any tool Window. 

For example I grant permission to modify the members of a group to a user in
this way, this user is the admin of the group :
>> samba-tool dsacl set
--objectdn="CN=test,OU=aula1,DC=dominio,DC=pdc,DC=cu"
--sddl="(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3236796257-2606434236-1353340688-1106)"
But when I remove this permission in the same way with the same command but only
changing the ACE type:
>> samba-tool dsacl set
--objectdn="CN=test,OU=aula1,DC=dominio,DC=pdc,DC=cu"
--sddl="(OD;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3236796257-2606434236-1353340688-1106)"
I find both ACE in the security descriptor and is a problem to find the
permissions of the object ,
How I can identify which ACE is active ? or How to remove an ACE security
descriptor ?