Here are the important points you have to set in order for Windows admins to be able to administer the share:
- "General" tab
Owner and group: root & "Domain Admins".
Permissions: Owner and group must have full access (r, w, x); others should have read and list access (r, x).
The important thing here is to give the domain administrators basic write access and all others read access only.
- "Samba" tab
Enable "Samba write access" and "Users with write access may modify permissions". That way domain administrators can not only create directories but actually change the permissions.
- "Advanced settings" tab
Only change settings in the "Samba permissions" section. Leave everything at their defaults, especially the "Samba extended permissions".
Enable "NT ACL support", "Inherit ACLs" and both "Create files/directories with…" options.
Now you can fully manage permissions from Windows if you're a domain administrator.
As for your specific use case: next you should create one directory per user and make sure that only that user can access it. This is trivial and can be done on Linux. Just set the owner to the user you want to give permissions to (usually you name the directory after their owners in such a case, just like home directories) and assign file permissions as follows: owner = rwx, group & other = none. Example:
for name in jtkirk spock lmccoy mscott hsulu pcheckov nuhura; do
    mkdir -p "$name"        # one directory per user, named after its owner
    chown "$name": "$name"  # owner = user, group = that user's primary group
    chmod 0700 "$name"      # owner rwx, group and other nothing
done
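The loop above does the setup but gives no way to confirm the result later, once domain admins (who can change permissions from Windows with the settings described above) have been working on the share. The following is an added example, not part of the original answer: a small POSIX shell script that creates the per-user directories and then audits the share root, reporting any directory whose mode is not 0700 or whose owner is not the user it is named after. It assumes GNU coreutils (`stat -c`) as found on a Linux Samba host; the share root path and the user names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes GNU stat -c.
# All paths and user names are illustrative.

# create_user_dirs ROOT USER...
# Creates ROOT/USER with mode 0700 for each USER. Ownership is only changed
# when running as root and the user exists; otherwise a warning is printed
# and the audit below will flag the directory.
create_user_dirs() {
    root=$1; shift
    for name in "$@"; do
        mkdir -p "$root/$name"
        chmod 0700 "$root/$name"              # owner rwx, group/other nothing
        if [ "$(id -u)" -ne 0 ]; then
            echo "warning: not root, owner of $root/$name not changed" >&2
        elif ! id "$name" >/dev/null 2>&1; then
            echo "warning: no such user $name, owner of $root/$name not changed" >&2
        else
            chown "$name": "$root/$name"      # owner = user, group = primary group
        fi
    done
}

# audit_user_dirs ROOT
# Prints one line per finding and returns the number of findings (0 = clean).
# Expectation: ROOT/NAME is owned by NAME and has mode 700 exactly.
audit_user_dirs() {
    root=$1
    findings=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        name=${dir##*/}
        mode=$(stat -c %a "$dir")
        owner=$(stat -c %U "$dir")
        if [ "$mode" != "700" ]; then
            echo "MODE  $dir: is $mode, expected 700"
            findings=$((findings + 1))
        fi
        if [ "$owner" != "$name" ]; then
            echo "OWNER $dir: owned by $owner, expected $name"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Usage (illustrative share root):
#   create_user_dirs /srv/samba/users jtkirk spock lmccoy
#   audit_user_dirs  /srv/samba/users || echo "found $? problem(s)"
```

Note that `stat -c %a` only shows the classic mode bits. With "NT ACL support" enabled, an admin can also add POSIX ACL entries from Windows that grant extra users access without changing the mode; check those with `getfacl` on the same directories if the audit alone is not enough.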