Assigning advanced rights to a large folder tree - Windows 2000 Server

I have a large standardized folder tree that is created for each project at my firm.  We use an empty template each time a new project is started.  A copy of the empty folder structure is started for each new project.

I would like to better understand how to create advanced read/write rights to accomplish the following tasks:

Example Structure

Root Folder--|
                   |-----Subfolder1
                   |-----Subfolder2
                   |-----Subfolder3
                   |-----Subfolder4
                          |--Insidefolder4

Rights summary
The root folder will have all rights assigned to Domain Admins (this should be inherited all the way through the chain) and read only rights to all other users (assume the AD group for this is called "Projects")

Subfolder1 should allow members of the "Projects" group to create files but not folders

Subfolder2 should allow members of the "Projects" group to create folders but not files

Subfolder3 should allow members of the "Projects" group to create folders and files

Subfolder4 should not allow the creation of files or folders.  Nothing exists at this level except for other pre-determined folders.

I've played with the advanced security rights, but am still struggling with getting it right.  All help will be appreciated.

janeedles Asked:

Rant32 Commented:
1) On a big, important folder tree it is best practice to create a special security group ("Fileserver Admin" or something) that's not related to Domain Admins. You don't want to separate things later on when the security is all in place, and somebody decides that Domain Admins have nothing to do with files. Just an idea.

Root folder:
Fileserver Admin - FC (nothing special)
Projects - Read (nothing special)

Subfolder 1
Select the Projects group and enable the Modify checkbox.
Click Advanced.
Now there are two lines with the users group - Modify & Read-Execute. Select the line that has Modify as Permission.
Click View/Edit.
Change the 'Apply onto' field to Files only. OK your way out.

Subfolder 2
Exactly the same deal as Subfolder 1, but:
Change the 'Apply onto' field to 'Subfolders only'.

Subfolder 3
Grant Modify permission

Subfolder 4
Nothing changes, read-only.

Hope this helps.
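
How the 'Apply onto' scopes discussed above map to ACE inheritance flags, as an added example that is not part of the original thread: a simplified model (allow ACEs only, no deny ACEs or owner rights) that reports whether the Projects group can create files or subfolders directly inside a folder under each layout. The layout names and helper functions are hypothetical; the mask and flag values are the Win32 constants.

```python
# Simplified NTFS model: allow ACEs only, one group, no deny ACEs or owner rights.
# Mask bits and ACE flags are the Win32 (winnt.h) values.
FILE_ADD_FILE = 0x0002          # create a file in a folder
FILE_ADD_SUBDIRECTORY = 0x0004  # create a subfolder in a folder
READ_EXECUTE = 0x1200A9         # "Read & Execute"
MODIFY = 0x1301BF               # "Modify" (includes both create bits)
OBJECT_INHERIT, CONTAINER_INHERIT, INHERIT_ONLY = 0x1, 0x2, 0x8

# "Apply onto" choices in the ACL editor and the ACE flags they set.
SCOPES = {
    "This folder, subfolders and files": OBJECT_INHERIT | CONTAINER_INHERIT,
    "This folder only": 0,
    "Subfolders only": CONTAINER_INHERIT | INHERIT_ONLY,
    "Files only": OBJECT_INHERIT | INHERIT_ONLY,
}

def on_folder(aces):
    """Rights in force on the folder itself; inherit-only ACEs are skipped."""
    mask = 0
    for rights, scope in aces:
        if not SCOPES[scope] & INHERIT_ONLY:
            mask |= rights
    return mask

def on_child(aces, child_is_folder):
    """Rights a new file or subfolder picks up from the folder's ACEs."""
    flag = CONTAINER_INHERIT if child_is_folder else OBJECT_INHERIT
    mask = 0
    for rights, scope in aces:
        if SCOPES[scope] & flag:
            mask |= rights
    return mask

def can_create(aces):
    """(may create files, may create subfolders) directly inside the folder."""
    mask = on_folder(aces)
    return bool(mask & FILE_ADD_FILE), bool(mask & FILE_ADD_SUBDIRECTORY)

# Constructed ACL layouts for the Projects group; READ is inherited from the root.
READ = (READ_EXECUTE, "This folder, subfolders and files")
LAYOUTS = {
    "Modify, Files only": [READ, (MODIFY, "Files only")],
    "Modify, Subfolders only": [READ, (MODIFY, "Subfolders only")],
    "Modify, default scope": [READ, (MODIFY, "This folder, subfolders and files")],
    "Read only": [READ],
    "Create Files, This folder only": [READ, (FILE_ADD_FILE, "This folder only")],
    "Create Folders, This folder only": [READ, (FILE_ADD_SUBDIRECTORY, "This folder only")],
}

if __name__ == "__main__":
    for name, aces in LAYOUTS.items():
        print(f"{name:34} create file/folder: {can_create(aces)}")
```

In this model an inherit-only scope ("Files only", "Subfolders only") changes what existing and new children receive but adds nothing to the folder's own rights, so it is worth verifying effective permissions with a test account after applying any layout.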
