We found this issue in both 3.5.16 and 3.6.8 testing. Test steps: 1. create a directory with a domain user 2. set the ACL like this: owner has read-only access, and full control for owner's group 3. create a file inside this directory, this file will inherit the directory permission, which is correct 4. try to write to the file, we found write IO failures. We expect that the owner being a member of the group, it will have the union of the ACL right, both as owner (read only, and as a group full control). Same test on Windows Server 2003 / 2008 will let the write IO succeed.