OK, something I've just noticed—it seems like it's the POSIX staff permissions that's causing this. Right now, staff is set to Read Only and the users can't write to the folder. But, if I change the staff permissions to Read & Write, the users can now write to the folder. BUT, they can also DELETE from the folder, so it's like the extended ACL permissions are of no use? The ACL says they should have ready, write but not delete, yet they can delete (if staff can Read & Write).
Could someone explain what's going on here?
maybe it's just a little bit late, but this week i had the same problem with one of our customers.
Here's the support doc from Apple which explains, why you have to set DELETE permissions in Server-App: