@ferventcoder
Created March 31, 2014 20:54
Mode versus ACL - the two are mostly incompatible with each other.
file { 'c:/tempperms/mode':
  ensure => directory,
  mode   => '0770',
  owner  => 'rob',
  group  => 'Administrators',
}

# this is fun
# acl { 'c:/tempperms/mode':
#   ensure      => present,
#   #purge      => true,
#   permissions => [
#     { identity => 'Administrator', rights => ['modify'] },
#     { identity => 'rob', rights => ['full'] }
#   ],
#   inherit_parent_permissions => false,
#   #owner      => 'Administrators',
#   require     => File['c:/tempperms/mode'],
# }

# this is in "sync" with the mode above, but you cannot add or
# remove from it without convergence thrashing
acl { 'c:\tempperms\mode':
  ensure                     => present,
  purge                      => true,
  group                      => 'S-1-5-32-544',
  inherit_parent_permissions => false,
  owner                      => 'rob',
  permissions                => [
    { identity => 'rob', rights => ['full'], affects => 'self_only' },
    { identity => 'BUILTIN\Administrators', rights => ['mask_specific'], mask => '1180159', affects => 'self_only' },
    { identity => 'Everyone', rights => ['mask_specific'], mask => '1179776', affects => 'self_only' },
    { identity => 'SYSTEM', rights => ['full'], affects => 'self_only' },
    { identity => 'CREATOR OWNER', rights => ['full'], child_types => 'containers', affects => 'children_only' },
    { identity => 'CREATOR GROUP', rights => ['mask_specific'], mask => '1180159', child_types => 'containers', affects => 'children_only' },
    { identity => 'CREATOR OWNER', rights => ['mask_specific'], mask => '2032095', child_types => 'objects', affects => 'children_only' },
    { identity => 'CREATOR GROUP', rights => ['mask_specific'], mask => '1180127', child_types => 'objects', affects => 'children_only' }
  ],
}
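
To see what the `mask_specific` values in the acl resource above actually grant, the following added example (not part of the gist or of the acl module) decodes each decimal mask into the standard Windows file access rights. The `rwx` helper and the `GIST_MASKS` labels are assumptions of this example; `rwx` collapses a mask to a POSIX-style triplet by looking at three bits only.

```ruby
# Standard Windows file access-right bits (winnt.h).
FILE_RIGHTS = {
  0x000001 => 'FILE_READ_DATA',
  0x000002 => 'FILE_WRITE_DATA',
  0x000004 => 'FILE_APPEND_DATA',
  0x000008 => 'FILE_READ_EA',
  0x000010 => 'FILE_WRITE_EA',
  0x000020 => 'FILE_EXECUTE',
  0x000040 => 'FILE_DELETE_CHILD',
  0x000080 => 'FILE_READ_ATTRIBUTES',
  0x000100 => 'FILE_WRITE_ATTRIBUTES',
  0x010000 => 'DELETE',
  0x020000 => 'READ_CONTROL',
  0x040000 => 'WRITE_DAC',
  0x080000 => 'WRITE_OWNER',
  0x100000 => 'SYNCHRONIZE'
}.freeze

# Split a decimal mask string into named rights plus any unrecognised bits.
def decode_mask(mask)
  value = Integer(mask, 10)
  names = FILE_RIGHTS.select { |bit, _| (value & bit) != 0 }.values
  unknown = value & ~FILE_RIGHTS.keys.reduce(:|)
  [names, unknown]
end

# Assumption of this example: collapse a mask to an rwx triplet by looking
# only at FILE_READ_DATA, FILE_WRITE_DATA and FILE_EXECUTE.
def rwx(mask)
  value = Integer(mask, 10)
  [[0x01, 'r'], [0x02, 'w'], [0x20, 'x']].map { |bit, c| (value & bit) != 0 ? c : '-' }.join
end

# Masks copied from the acl resource on this page; labels are this example's.
GIST_MASKS = {
  'BUILTIN\Administrators (self)' => '1180159',
  'Everyone (self)' => '1179776',
  'CREATOR GROUP (containers)' => '1180159',
  'CREATOR OWNER (objects)' => '2032095',
  'CREATOR GROUP (objects)' => '1180127'
}.freeze

GIST_MASKS.each do |who, mask|
  names, unknown = decode_mask(mask)
  printf("%-30s 0x%06X %s %s\n", who, Integer(mask, 10), rwx(mask), names.join('|'))
  warn "  unrecognised bits: 0x#{unknown.to_s(16)}" unless unknown.zero?
end
```

Administrators decodes to `rwx` and Everyone to `---` (only FILE_READ_ATTRIBUTES, READ_CONTROL and SYNCHRONIZE), which lines up with the group and other digits of mode 0770.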
@joshcooper

I think what you want to do is add a validation method, and ensure there isn't another file resource in the catalog where mode is being managed, or owner/group are different than what is specified in the ACL.
