This is how I've always done it, not quite sure where I read this.
In order to have most of windows ACL options on your Samba shares connected to AD you need to enable both POSIX ACLs and XATTRS:
/dev/sda2 /samba ext3 user_xattr,acl 1 2
And in your smb.conf you need to enable idmapping, nt acls and attribute mapping like this:
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
idmap backend = idmap_rid:<domain_netbios_name>=16777216-33554431
nt acl support = yes
inherit acls = yes
map acl inherit = yes
map archive = no
map hidden = no
map read only = no
map system = no
store dos attributes = yes
inherit permissions = yes
Then all you need to do is define administrator user for the share, and with that user edit security settings from Windows.
[public]
path = /share/Public
public = yes
writable = yes
printable = no
admin users = "DOMAIN\user"
The only problems could be related to existing ACLs (you "disown" root and transfer ownership to your Windows user) and unmapped user groups.
To map groups manually you need to be doing something like this:
net groupmap delete ntgroup="Domain Admins"
net groupmap delete ntgroup="Domain Users"
net groupmap delete ntgroup="Domain Guests"
net groupmap add ntgroup="Domain Admins" rid=512 unixgroup=root
net groupmap add ntgroup="Domain Users" rid=513 unixgroup=users
net groupmap add ntgroup="Domain Guests" rid=514 unixgroup=nobody
for builtin security groups.
And then for all your groups:
groupadd mygroup
net groupmap delete ntgroup="mygroup"
net groupmap add ntgroup="DOMAIN\mygroup" rid=1000 unixgroup=mygroup type=d