Im at a bit of a loss here, we have a new filer and are in the process of migrating all our existing windows shares into cifs shares, we have been using robo copy to do this for us to ensure all the existing NTFS permissions are carried across.
The setup is quite simple ... two root shares - GroupDrives / UserDrives both set for everyone to access, so that the single point of control is NTFS / ABE

UserGroupDirs /vol/UserGroupDirs User Groups Share
... access based enum supported
everyone / Full Control
UserHomeDirs /vol/UserHomeDirs User Home Drives Share
... access based enum supported
everyone / Full Control
NTFS security on both shares is the same
- Domain Admins - Full - This folder, subfolders and files
- Domain Users - Read - This folder only
- File Share Admins - Modify - This folder, subfolders and files
- Helpdesk Admins - Modify - This folder, subfolders and files

Security was added to the shares through computer management before the migration began, and we have had no major issues until now.
Here is where the issues start:
- The checkbox for 'Allow inheritable permissions ...' is unticked and if checked and applied, the settings do not stick.
- Under the UserHomeDirs share i have another folder shared for terminal services profiles, existing user content is present, but windows will no longer auto create profiles in it as it gives a permission denied error 'does not have access to the resource' during logon for new users. The user account does have access and can create folders manually.
- We have an AS/400 using a QNTC service account in our AD to access our windows shares, it is a member of domain admins, so should have complete access to the filer (domain admins are also a member of the admins group on the filer) Yet when browsing it can only see the UserHomeDirs share, it cannot see the UserGroupDirs share at all and we have a number of scheduled jobs that drop content in folders under the root share which do not work.
In my haste i have made the error of adding the QNTC account to the NTFS permissions on the root of the UserGroupDirs, simply to give it read only access to the top level share (although it is a member of domain admins and domain admins already has full access) and that has been applying for the last 45 minutes, and for some other reason now the read only box is checked and greyed out, but i can uncheck it (is this because the other security settings are still being applied?)

Any thoughts would be greatly appreciated
Cheers - Ben