I posted this problem back in June of '06 and chose to go with the following answer, and since then have TRIED to apply the rules as follows. I have yet to get this to work; it does not matter what I do at this point, everyone still gets access to the Financial folders and I cannot figure out how to troubleshoot this out. Here is what I was told to set up but obviously do not have it correct...
If someone can tell me how I can make this work I would greatly appreciate the help.
Accepted Answer from oBdA
Date: 07/11/2006 07:38AM PDT
I concur with leew as far as permissions for users and the use of Denys is concerned.
The "official" way to give permissions, though, is not to use global groups directly to assign permissions, but local groups, using the AG(D)LP rule: *A*ccounts are members of *G*lobal groups, global groups are members of (*D*omain) *L*ocal groups, *P*ermissions are applied to local groups (on the server hosting the resource).
This allows you to separate the folder permissions from the roles that your users have, and will reduce the number of global groups a user is a member of.
In your case, do the following:
As *share* permissions, give the Everyone group Full Access.
For the time being, create four local groups on the file server hosting the share (if your domain is running in Windows 2000 native mode or higher, you can create domain local groups as well):
Change the permissions, first the WHC folder:
In this folder, give (local) Administrators and the System account Full permissions, and give the L-WHC-C group Change permissions; replace the permissions on child objects.
On the "Finance" subfolders of each folder, go to the Advanced security tab, uncheck "Inherit permissions", check "Replace permissions", and copy the current permissions when asked. Remove the L-WHC-C group, add the L-xxxx-Fin-C group with Change permissions, leave Administrators and System with Full Access.
Create two global groups, G-Role1 and G-Role2; Role1 for users with no access to the Finance folder, Role2 for users with access to all folders; you can use existing groups if they contain the correct users, and you can of course name them according to the roles the users have.
Add the G-Role1 group to the L-WHC-C group only.
Add the G-Role2 group to the L-WHC-C group and the L-xxxx-Fin groups.
Finally, add all users with no access to the finance group to the G-Role1 group, add all users with access to the finance folder as well to the G-Role2 folder.
From then on, you only need to add users to the respective global groups to give them permissions on the folders they need.
The concept is not too easy to grasp, but once you're used to it, it will save a lot of work.
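A way to check a Finance folder against the layout in the answer above, as an added example that is not part of the original post or of oBdA's answer: it reports whether inheritance is still on, which Allow ACEs fall outside Administrators, System and the finance group, and whether G-Role1 has been nested into the finance group. The function name `Test-FinanceAcl`, its parameters and the sample path are assumptions, `L-xxxx-Fin-C` must be replaced with the real group name, and the account names assume an English-language Windows install.

```powershell
# Added example: audit one Finance folder against the ACL layout described above.
function Test-FinanceAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $FinanceGroup,  # this folder's L-xxxx-Fin-C group
        [string[]] $Allowed = @('Administrators', 'SYSTEM'),
        [string]   $NoFinanceRole = 'G-Role1'
    )
    $expected = $Allowed + $FinanceGroup
    $acl      = Get-Acl -LiteralPath $Path
    $findings = @()

    # "Uncheck Inherit permissions": a protected DACL takes nothing from the parent.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance is still enabled, so parent ACEs (e.g. L-WHC-C) apply'
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare the account name without its DOMAIN\ or SERVER\ prefix.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($ace.IsInherited) {
            $findings += "Inherited Allow ACE: $($ace.IdentityReference) [$($ace.FileSystemRights)]"
        } elseif ($expected -notcontains $name) {
            $findings += "Unexpected Allow ACE: $($ace.IdentityReference) [$($ace.FileSystemRights)]"
        }
    }

    # Group nesting: the no-finance role must not be a member of the finance group.
    # Get-LocalGroupMember only sees machine-local groups; domain local groups are skipped.
    $members = Get-LocalGroupMember -Group $FinanceGroup -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if (($m.Name -split '\\')[-1] -eq $NoFinanceRole) {
            $findings += "$NoFinanceRole is nested in $FinanceGroup"
        }
    }

    [pscustomobject]@{
        Path      = $Path
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Placeholder path and group name (constructed); run on the file server hosting the share:
# Test-FinanceAcl -Path 'D:\Shares\WHC\Finance' -FinanceGroup 'L-xxxx-Fin-C' | Format-List
```

An empty `Findings` list only covers the folder's own ACL and direct local-group nesting; users who are local Administrators on the server keep Full Access by design of the layout.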