Zebediah Figura (@zfigura) commented about dlls/ntoskrnl.exe/tests/driver.c:

• *RtlSubAuthoritySid(sidwin7, 1) = DOMAIN_ALIAS_RID_ADMINS;
• sid2 = ExAllocatePool(NonPagedPool, RtlLengthRequiredSid(1));
• RtlInitializeSid(sid2, &auth, 1);
• *RtlSubAuthoritySid(sid2, 0) = SECURITY_LOCAL_SYSTEM_RID;
• /* SECURITY_BUILTIN_DOMAIN_RID */
• status = RtlGetAce(acl, 0, (void**)&ace);
• ok(status == STATUS_SUCCESS, "got %#lx\n", status);
• ok(ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE, "got %#x\n", ace->Header.AceType);
• ok(ace->Header.AceFlags == 0, "got %#x\n", ace->Header.AceFlags);
• ok(ace->Mask == STANDARD_RIGHTS_ALL, "got %#lx\n", ace->Mask);
• ret = RtlEqualSid(sid1, (PSID)&ace->SidStart) || RtlEqualSid(sidwin7, (PSID)&ace->SidStart);
• ok(ret, "SID not equal\n");

Maybe it'd be a bit simpler to test the SID elements individually rather than constructing a SID and using RtlEqualSid()?