Root shared and subfolder resrictions

Hello all,
I have a weird issue. I have set it up before and was doing it again but failed to work.

I have four groups and they are members of mgmt
I have a share called data   and mgmt has full share rights.
then I have four sub folders that are have NTFS set for each group repectively with no inheritance.
so group A should not be able to access any of the other shares except A.

What is happening is that all the groups can access each other but cannot delete or rename, they can however create stuff. very weird.

I have set it up before and it is set like that with no issues on, but I am having problems here and not sure why.
please help
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

you need to assign the permissions on both the share and security permissions of the folders

When you create a new shared resource, the Everyone group is automatically assigned the Read permission, which is the most restrictive.  Share permissions do not apply to users logging g on locally, such as on a terminal server. In these cases, use access control on NTFS to set permissions.

If you use Microsoft Windows Explorer or the Cacls.exe utility, you cannot assign NTFS file system permissions to the root directory of an NTFS volume if the volume is mounted by using a mount point, or no drive letter.

The DACL lists permissions by the object first, followed by the object's parent, then the grandparent, and so on up the directory tree. Each layer has the Deny permissions listed before the Allow permissions. The evaluation starts at the child and checks the permissions at that level before continuing up the tree. This process goes level by level until one of three things happen:

If the evaluation finds a Deny for the requested action, the evaluation stops and the action is denied.
If the evaluation finds an Allow for the requested action, the evaluation stops and the action is allowed.
If the evaluation made it to the top of the tree and the action does not have an Allow or Deny permission specified, the action is still denied.
onlinerackAuthor Commented:
the everyone was removed.
They are not locally, they are coming through drive mappings.
I have their group set as full control in the root share.
then every group has access to each subfolder below it and inherited is disabled.
somehow all the groups seem to be able to access each others folders and create stuff. but cannot rename or delete the original data.
they are not coming through terminal
Cloud Class® Course: Microsoft Office 2010

This course will introduce you to the interfaces and features of Microsoft Office 2010 Word, Excel, PowerPoint, Outlook, and Access. You will learn about the features that are shared between all products in the Office suite, as well as the new features that are product specific.

Set it up like this:

"DATA" share - share permissions should be Domain Admins - Full control --- Everyone, Change and Read  (everyone in 2003 doesn't include anonymous so no worries)

Create FolderA, you'll need to make sure then to uninherit permissions...copy them over, then remove anyone but domain admins then....

FolderA - folder in the Data share -- NTFS permissions should be Domain Admins - Full Control --- local FolderA group has Modify rights

You will need to create the local group on the server called FolderA.  Then add to that local group any global groups for this Folder that you create in Active Directory.  For instance, if you want Bob and Tom to have access to FolderA, create a global group in AD called SERVER_FOLDERA, then add them to that group.  Then add that global group to the local group on the server.

It's just best practice to create local groups and then assign global groups to them, then assign the local groups to have the permissions, just FYI.

Repeat for all 4 subfolders.

NOTE:  Obviously if someone is in more than one of the global groups, they'll have access to more than one sub-folder...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
onlinerackAuthor Commented:
Thank you for your answer.
followed it.
It turns out the the server\users were granted readonly access to all shares and this is why they could see all the shares so I removed it and it was working well. I have however redid the local groups and added the global into them and it worked well.
well done :)
Thanks for the points!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.