1) Directories in the root of the share.
2) Each directory should be owned by one user of the domain.
3) Permissions set accordingly - full access for user and domain admin, nothing for everyone for directory and all children.
4) I can still access any file in the directories with a any user account, while the effective permissions show that no one else should have access.