Mimic NDS file permissions in Windows NTFS environment

I am trying to mimic Novell NDS file permissions on a windows NTFS box.
Here is the basic problem:
I have a share named Vol2 which consists of multiple directories that contain thousands of subfolders.  
Vol2 \Parent1
In Novell I can grant read access to Grandchild 1 and the user is automatically given traversal access to Child1.  In Windows this does not occur.  If I give access to Grandchild1 the user is not give access to child1.  
For a few nested directories this is not an issue but when nesting reaches 10 folders deep it becomes an issue.  
Is there a proper way to mimic the NDS rights in a Windows environment  or a best practices method of doing this?
Note: I cannot simply create new shares b\c users have files with embedded links that rely on specific shares and directory paths.

Who is Participating?
ShineOnConnect With a Mentor Commented:
First off, NDS (now called eDirectory) is a directory service, not a filesystem.  The NetWare filesystem (nwfs) and Novell Storage Services (nss) which can be on modern NetWare or Novell OES/Linux, is what you're talking about.  Dynamic inheritance is the term.  Rights (not Permissions) get inherited bidirectionally, so not only does the user or other object inherit rights to a child from a parent, necessary rights to see the path to the parent dynamically "reverse inherit" up the directory tree.  Not so with NTFS.

Novell is the company name, by the way - it's either NetWare or OES, when talking about their Enterprise-class Network Operating Systems.  You say, "In Windows this does not occur." - you don't say "In Microsoft this does not occur."

Anyway, sorry to say, but you're pretty-much out of luck.  The only way permissions inherit automatically is when the permissions are initially granted.  Any changes at any level of NTFS after the initial permissions inheritance takes place requires you to manually force inheritance again - and you have to be careful when forcing inheritance that you don't override the self-contradicting "deny permissions."

There is no such thing as dynamic inheritance with Windows NTFS.  You have to manually force inheritance when the static ACL's break down.   That's by choice.  When Microsoft was in the heat of battle with Novell over network supremacy, they FUDded people into thinking that their old, tired static ACL scheme was superior to Novell's dynamic inheritance, claiming it was more efficient and faster.  Both lies.  It's far inferior to NWFS or NSS, as you are learning the hard way.

I, too, am looking for a way to resolve the built-in, flawed inheritance scheme Microsoft has saddled us with, so I don't have to putz with forcing NTFS permissions re-inheritance.

I've heard that Windows Server 2008 may have this problem resolved, at least to some degree, but of course Microsoft would never back-port the fix to Windows Server 2003 R2 - they want us to spend more money over and over in an endless upgrade cycle just to get bugfixes that shouldn't have been there to begin with, because the technology was available well over a decade, going on 20 years, ago.

If anyone out there has a third party tool or a tweak or something, you'd be a hero to many disgruntled former NetWare admins that miss the superior technology they were forced off of because of politics or PHBs.

Or, would we be better off dumping Windows for Linux and ZFS? ;)

Anyway, the only way I'm aware of to make sure you can do what you are trying to do is with a combination of shares and NTFS permissions.  You can establish a share at any point in a folder structure, and the visibility of child folders flow from the share.  If you don't want to grant regular access permissions to multiple levels of parent folders all the way up to the share, you can create a share at that grandchild level directly.

To do it that way you have to change how things are accessed in general.  If you want to only have a single mapped drive and access everything off that, then the multiple "subordinate" shares won't work for you, because with Windows/AD you have to map to a share - and if the user doesn't have intermediate folder-level visibility, you can't map directly to a great-grandchild of a share - they have to be able to see the whole path from the share.  But, if you can use UNC, you could point them at the "subordinate" share at that multi-grandchild level directly, bypassing the need to have visibility of the interim folders up to the root.

Does that make sense?  I know, it's so much easier with NetWare, but we've been forced to work with the bill of goods our PHB's were sold, so we have to change how we do things to mitigate the shortcomings of AD/NTFS.

Another tool to mitigate the shortcomings of AD/NTFS is the AGUDLP permissions/groups method, which is the recommended method to avoid "permissions hell."  If you always - ALWAYS - stick to the standard of Accounts > Global groups>Universal groups>Domain Local groups> Permissions, then you'll be much happier down the road.
onlineofmqAuthor Commented:
Thanks. I was afraid you were going to say what you said about  dynamic inheritance.  Basically, we are just going to have to give our users read only permissions to the parent folders leading to the folder in which they should have full control access.  At least we can still use ABE to hide directories for which users do not need access to.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.