Is there a standard way to set generic permissions so that there is enough access for the domain administrator to connect to via compmgmt.msc and fine tune permissions or totally replace them? Like just enough permissions that I can customize the way I want it? Do the UNIX / Samba4 service permissions ever stomp the permissions I set via compmgmt.msc?
To clarify: windows servers have a few different permissions you can set on file shares.
First there are the 'share permissions' that you typically can manipulate through compmgmt.msc. these have been around for ages. (I think introduced in windows NT).
Next there are NTFS permissions that contain your standard 13 atomic priveleges and corresponding molecular priveleges, which you typically manipulate through Explorer.
In FreeNAS, the former are mapped to a tdb (database) file, the latter are mapped to ZFS access control entries (which are largely similar to NTFS ACEs). Because of the different way they are stored, it is impossible for them to clobber each other.
All that being said, I think you are best off leaving the share permissions open and using Explorer to set the NTFS permissions on the share. Less complex and less chance to accidentally screw something up. To ensure 'domain admins' have 'full control', make sure you configure dataset permissions so that they own the dataset being shared.
As far as share permissions go, on my AD member server, domain admins were automatically granted the requisite rights. If this is not the case, then you need to grant sediskoperatorprivelege rights to the group. I think the syntax is "net RPC rights grant '\DOMAIN\domain admins' SeDiskOperatorPrivelege -Uadministrator" but you will need to google and verify.
