I've just setup samba4 as an Active Directory domain controller. (samba v4.3.0, installed on ubuntu x64)

It's used in a small accounting office. The office has a number of file shares. I've given the "Domain Users" access to these shares. The users can all read and write files to the shares.

But when creating files, their ACL is a bit restrictive:

So group users have read / execute permissions to the newly created files. But I'd like the Domain Users group to have Full Control to these files.

Can someone explain how I can ensure that newly files are given full access control to the Domain Users group?

Also, is there a way to recursively set this on all files/folders in a directory?

If it helps, shares are exported from smb.conf like so:

[data]
    path = /var/shares/data
    read only = no
    write ok = yes