I have found that when people start to use access control lists they tend to make too many entries in those lists. One way to keep access control lists simple and easy to support is to identify the types of access required to a given share or directory. Instead of creating a new access control list entry for each person, you should create a user group for each type of access. Then you can put user accounts into those groups to match their job requirements.
For example, most shares will need three types of access control: read + write, read only, and no access. So create a group for read + write and another group for read only. The requirement for no access can be satisfied by the last entry in the list, which is the default when no other match has been made. That last entry is Everyone: no access.
The user group for read + write access could be called something like directory_rw.
The user group for read only access could be called something like directory_ro.
Then you create your access control list. In Windows terms it would look like this:
Administrators: full control
directory_rw: read + write
directory_ro: read
Everyone: access denied
Now you put your user accounts into the proper user group.
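The steps above as a PowerShell sketch for an NTFS folder (an added example, not part of the original text). The folder path, the account names alice and bob, and the mapping of "read + write" to Modify and "read" to ReadAndExecute are assumptions.

```powershell
# Added example, not from the original page. The share path and the account
# names are hypothetical. Run from an elevated Windows PowerShell session.
$path = 'D:\Shares\directory'

# One group per type of access.
New-LocalGroup -Name 'directory_rw' -Description 'Read + write on directory'
New-LocalGroup -Name 'directory_ro' -Description 'Read only on directory'

# Start from the folder's current ACL, stop inheriting from the parent, and
# clear existing explicit entries so only the three entries below remain.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

# Assumption: "read + write" maps to Modify and "read" to ReadAndExecute.
$entries = [ordered]@{
    'BUILTIN\Administrators' = 'FullControl'
    'directory_rw'           = 'Modify'
    'directory_ro'           = 'ReadAndExecute'
}
$ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
foreach ($e in $entries.GetEnumerator()) {
    $rule = New-Object $ruleType -ArgumentList $e.Key, $e.Value,
        'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
}

# No entry is written for Everyone: an account that matches none of the Allow
# entries gets no access. On NTFS an explicit Deny entry for Everyone is
# evaluated before the Allow entries and would also lock out the groups above.
Set-Acl -Path $path -AclObject $acl

# Access is then granted by group membership, never by a per-user ACL entry.
Add-LocalGroupMember -Group 'directory_rw' -Member 'alice'
Add-LocalGroupMember -Group 'directory_ro' -Member 'bob'

# Review the result: three short entries, none inherited.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Later access changes are made with Add-LocalGroupMember and Remove-LocalGroupMember only, so the list on the folder stays at three entries.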
This type of access control is easy to configure and to support. The access control list is short and easy to understand. Problems will be easy to diagnose and easy to resolve.
Avoid long and complicated access control lists.