[Samba] Dir ACL through windows and chmod

[it at mdsdnr.ru]

Samba-4.3.5, Debian

smb.conf
===
[global]
     workgroup = WG
     security = ADS
     realm = WG.LOCAL

     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab
     server string = Samba 4 Client %h

     idmap config * : backend = tdb
     idmap config * : range = 2000-10000

     idmap config * : backend = rid
     idmap config * : range = 300000-400000

#    idmap config WG : backend = ad
#    idmap config WG : range = 300000-400000
#    idmap config WG : schema_mode = rfc2307

     winbind use default domain = yes
     winbind nss info = rfc2307
     winbind refresh tickets = yes

     # For ACL support on domain member
     vfs objects = acl_xattr
     map acl inherit = Yes
     store dos attributes = Yes

     # Share Setting Globally
     unix extensions = no
     reset on zero vc = yes
     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
     hide unreadable = yes

     max log size = 1000
     log level = 5 vfs:1
     syslog = 5

     load printers = no
     printing = bsd
     show add printer wizard = no
     disable spoolss = yes
     printcap name = /dev/null

#======================= Share Definitions =======================

[n]
      comment = File share
      path = /mnt/n
      read only = no
     valid users = @"Domain Users" @"Domain Admins" @all
     admin users = admin @it
#    inherit acls = yes
     force create mode = 0777
     directory mask = 0770
     hide unreadable = yes

===

getfacl /mnt/n/01
===
# file: 01
# owner: admin
# group: g01
user::rwx
user:u01:rwx
group::rwx
group:admin:rwx
group:g01:rwx
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx       #effective:---
default:user:u01:rwx             #effective:---
default:group::---
default:group:g01:rwx            #effective:---
default:mask::---
default:other::---
===

In need folders have to be seen (and accessed) only by appropriate 
domain groups. For example, there are domain groups g01, g02, g03, etc, 
users in these groups have to see only "their" folders: u01 - 
\\fsrv\n\01, u02 - \\fsrv\n\02, u03 - \\fsrv\n\03
This is done by "Hide unreadable = yes" in smb.conf, by granting access 
(using "Security" tab in windows' folder rights) for concrete group to 
concrete directory and then chmod'ing this folder to 0770. But, if then 
I again modify ACLs through "Security" (for example - adding another 
group access to folder) samba sets 0777 to this folder and it becomes 
"visible" to all others. And I have again set 0770 on Samba server.
This seems to work, but:
- not good to windows admins, which only has to know about "Security" 
tab in folder rights;
- mixing ACLs with unix rights makes a mess and seems not right way to 
solve task.

What is the "right way" to do such task?