A sleight of hand is required.
Anyone who is not in the collective (apart from system administrators) has no(?) visibility of the work.
You most likely brushed over the point above, but it's the key to unlocking Windows ACLs. While I've suggested that personal shares should remain personal, there is one group of individuals that requires complete control over all objects connected with the FreeNAS server: your system administrators. The frustration that you've felt is due to that lack of control. Let's look at an example.
This is a dataset created for a new user, connor. Notice the (default) Unix permissions associated with this dataset. Connor has full control over the dataset, and others have read access to the dataset. To make this dataset available to Connor in the Windows world, an SMB share is attached to this dataset. Through this mechanism, personal storage space on the server is made available to Connor. Let's now look at the permissions on the Windows share that maps to this dataset.
What you're seeing is how those Unix permissions get mapped to Windows ACLs. Two issues become blindingly apparent. The first is that Everyone on the network, including non-FreeNAS users, has read access to Connor's personal share. Connor's personal share isn't really personal. The second is that the system administrator, who created the dataset and SMB share on the FreeNAS server, is nowhere to be seen. Her powers were relinquished once she left the FreeNAS server. Her control needs to be restored if she is to effectively assist her clients.
To address these two issues, log in as connor (who has full control over his personal share) on a Windows client and tweak the permissions to remove Everyone and include the system administrator, making sure to give them full control over the share. Note: When dealing with existing users who will already have stuff in their share, don't forget to allow the permissions to propagate down to all objects within the share.
In this example, the group admins is given administrator rights to the share.
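The same tweak done from a PowerShell prompt on the Windows client, as an added example that is not part of the original post. It assumes you are signed in as connor, that the share is reachable at \\freenas\connor and that the admins group is named FREENAS\admins; substitute your own server name, share path and group name.

```powershell
# Added example (not from the original post). Run as connor on the Windows client.
$SharePath  = '\\freenas\connor'   # assumption: UNC path of Connor's personal share
$AdminGroup = 'FREENAS\admins'     # assumption: the admins group as the server names it

# 1. Inspect the ACL the Unix mode bits were mapped to (Everyone should show up here).
(Get-Acl -Path $SharePath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType

# 2. Remove every Everyone entry from the share root.
$acl = Get-Acl -Path $SharePath
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# 3. Give the admins group Full Control, inheritable by subfolders (ContainerInherit)
#    and files (ObjectInherit) so that new objects in the share pick it up.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $AdminGroup,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 4. Existing users already have files in the share. Their mapped permissions are
#    explicit (non-inherited) entries, so the root change alone does not remove
#    Everyone from them; walk the tree and strip those entries too. The inheritable
#    admins entry added in step 3 flows down on its own.
Get-ChildItem -Path $SharePath -Recurse -Force | ForEach-Object {
    $item     = $_
    $childAcl = Get-Acl -Path $item.FullName
    $stale    = $childAcl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq 'Everyone' }
    if ($stale) {
        $stale | ForEach-Object { [void]$childAcl.RemoveAccessRule($_) }
        Set-Acl -Path $item.FullName -AclObject $childAcl
    }
}

# 5. Verify: Everyone is gone and admins holds FullControl on the share root.
(Get-Acl -Path $SharePath).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType
```

Check the output of step 5 before logging off; if Everyone still appears on the root, the share's underlying Unix permissions are being re-mapped over the ACL and the dataset needs its ACL type changed on the FreeNAS side first.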
With the Windows ACLs tweaked, the share has become truly personal. Connor may call on the administrator from time to time to help him resolve issues within his personal share, but no one else has any visibility of the share contents.