I have a security group called Users and a group called Bosses
I have a network share called PROJECTS with lots of subfolders, general permissions are defined at the root level of the PROJECTS folder and are inherited through subfolders.
Within a typical subfolder called PROJECT1 the USERS have the following permissions
Modify - Read & Execute - List Folder Contents - Read - Write
all of these are Checked off. Full control is not Checked off.
BOSS is a subdirectory of PROJECT1 and the Bosses want this folder to be read-only to the USERS but modifiable to members of BOSSES
Only the Bosses are members of the BOSSES group, but everyone is a member of the USERS group - including the Bosses.
I can't really modify the share permissions as the whole PROJECT is shared not just this subfolder. So I have to use NTFS permissions
The first thing I would do is go to advanced security for the BOSS folder and disable inheritance and select Copy keeping the original permissions
I would add the BOSSES group to the permissions of the BOSS folder and grant modify or full control.
But how do I configure it so that the BOSS folder or its contents can be read but not modified by anyone in the USERS group who is not also a member of BOSSES
I can't (and probably should not) use Deny in the USERS permissions as this would deny the BOSSES as well, Deny takes precedent over allow...
This is surely a common request - but I am stumped
I need idiot proof instructions - like check this, uncheck this
TIA - TOMG