I could be wrong and I haven't done this very often, but I think all you need to do is to use the "CREATOR OWNER" principal and don't assign "change permissions" rights. I know this is supported by NetApp's CIFS implementation. You should test this to make sure it's doing what you want.
Message was edited by: Richard Harwood
Don't confuse principal and principle!