I have a Samba shared network drive. It's smb.conf attributes are:
This important bit here is that the user.group is forced to (obfuscated) user.group. The Windows clients access this mapped drive as that user and group.

All that works fine in that all Windows users can read/update any files and folders on this share.

However, I now want some of the directories to have unchangeable names since certain paths get stored in the database. For example I need:
to never allow users to change its name. Other solutions, such as changing the owner to root.root won't work because the entire volume is shared as owner user.group.

Can this be done?

The ONLY way I know to get that behavior is to allow only READ ONLY access on those files and folders, and in some cases even THAT does not suffice.

At a previous work location I advised to allow access using SAMBA only to a select group, and make the rest operate clients over network using only the application protocol or SFTP protocol. Where they did not take my advice remediation for accidental file or folder moves was routine.

(( I am not always right, but when I am I remember FOREVER! ;-) ))

In short: No.

As noted by wpeckham, accidental file or folder moves are a 'feature' of Windows/SMB file shares. You can't disable drag & drop in Windows, so any Windows user who has permissions to write to that share can cause havoc. If you do a search, you will find many, many forum posts by exasperated admins about this very big problem.

What I've done at the office on the client machines is something like this: https://www.top-password.com/blog/di...in-windows-10/ It doesn't disable drag and drop, just decreases its sensitivity. Users will complain about their computer being slow to respond, but it does go some way to preventing accidental moves. If you're running an AD server, you might be able to set this as group policy, but I don't know because I haven't tried.

hmm, that sucks. So I can't even use Access Control Lists for this?

is it an ext4 filesystem (that you want to access from windows)? Or?

You probably could, if you only have one or even just a few directories to protect... but it'd be on a per-directory basis, and a PITA to administer if you have to change something... Not something you'd want to do if you had tens or hundreds of directories.

There is another solution: https://github.com/broken-e/DragDropConfirm. This causes a confirmation dialog box to pop-up every time someone tries to move or rename a file or directory. You'd need to install it at the client end... and trust that your users aren't stupid enough to click OK instead of Cancel.