Not sure I can offer you a full solution.
You can link AD groups to the filer for administration once it is joined to the domain, however for these users to be able to authenticate, they need to exist on the filers local user database (although all authentication is done against AD). I believe you can assign additional user groups that can administer the filer when you run a CIFS setup, but I've never actually had to do this myself as domain admins have always been enough. You may be able to give additional groups admin rights so that they can use Computer Manager to manage the filer, but not logon to it.
As for allowing certain users access to close open files, I'm not sure you can be that granular. You can certainly limit users to specific commands (role based access control), and you can have admin users that don't have command line access to the system at all. But if they administer the filer through Computer Manager, I'm not sure you can restrict them enough. They may still have access to create / delete CIFS shares and change permissions, which you probably wouldn't want.
I think you could achieve fairly close to what you want, but I don't think it would be a fully granular solution. You'd need to put it through some tests and trials.
Sorry, not a perfect answer for you, but hopefully puts you on the right direction.