How do I deny a user in AD Win2003 access to all directories in one parent, except one?

We use a program for internet file sharing called Filevista.  It integrates to an extent with AD.  I have a Group called 'Filevista Users' that have been given access to a directory (Directory 1) on our network in order to use Filevista.  There is currently only one User (User1) in Filevista Users Group.  This User belongs to this Group only.  'Directory 1' has many subdirectories (Subdirectory N).  I've created a second User (User2) that needs permission to access only one subdirectory (Subdirectory 1) and be denied access to all other subdirectories.  I need for the 'Filevista Users Group' to still have full access to all subdirectories.

I'm having trouble making this work.  I've denied User2 permissions to all subdirectories other than Subdirectory 1.  For some reason, User2 can still access all subdirectories.  I'm sure I have the permission entries incorrect.  Can someone please be specific about how permissions need to be applied for User2, and possibly the Filevista Users Group, to Directory 1 and all Subdirectories?  Thanks.
GeorgeMartin601 asked:


Darius Ghassem commented:
If you deny the user on the folder permissions and share permissions, the user should NOT be able to access them even if it is part of the group, since the most restrictive permissions are applied.
Hypercat (Deb) commented:
The way you have this configured, because Subdirectory1 is inside Directory 1, User2 will need to have at least read access to Directory 1.  What I would do in this case is not to make the user a member of the FileVista group at all. I would simply give the user account read only permission to Directory 1 (this folder only), and then give him/her Modify permission to Subdirectory 1. Another way to do it would be to create a separate share for Subdirectory 1, and then give User 2 permission at the sharing and NTFS level for that folder and subfolders.
GeorgeMartin601 (Author) commented:
Hypercat - which group would User2 need to be a part of if not the filevista group - just Users?  I need them to not even be able to log into our domain?

Hypercat (Deb) commented:
They have to be logged in to your domain in order to participate in the domain security you are setting up. If the user isn't logging in to your domain, how does he/she get access to these files? I don't know anything about FileVista, but is this a program that somehow allows external access without requiring the user to log on to your domain?
GeorgeMartin601 (Author) commented:
It works with IIS and utilizes what it calls a "service user".  The Service user is a member of Domain Users.  The filevista users group itself is a member of no other groups.  This "service user" is also a member of filevista users group.

I'd agree with Dariusg, but for some reason the deny permissions just aren't working.  It may have something to do with the service user.  
Hypercat (Deb) commented:
That is the case. Are the "User 1" and "User 2" logins program logins for the FileVista program? If that's the case, then the NTFS file permissions would be controlled by the domain login, which is the Service user account. So, if the Service User is a member of the Domain Users group, then all of the FileVista users will have the same level of permissions as the Domain Users group.  I think what you need to do is make the Service user account a member of a separate group, like Domain Guests, that has privileges only to log in to the domain, and then as a member of the FileVista group it will have NTFS permissions to access the set of files you've set up.  Give that a test and see if it works to allow the users to log in and access the files they need.

Unfortunately, with the setup you have, assuming that User 1 and User 2 are not actually domain accounts, there's no way to restrict User 2 to a specific set of files. You'd have to create a second FileVista group with limited NTFS permissions to the files, and create a second IIS login for User 2 with the same Domain Guest membership and membership in the second FileVista group. That should work.
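The NTFS layout Hypercat describes in the two comments above (Read on Directory 1 for "this folder only", Modify on Subdirectory 1, and nothing at all on the other subdirectories, granted to a separate limited group rather than via Deny entries) can be applied and checked with the script below. This is an added example, not code from the thread or from the FileVista product; the share root `D:\Directory 1`, the group name `CONTOSO\FileVista-Sub1` and the helper name `Add-Ace` are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): grants the limited principal Read on the
# parent folder only and Modify on one subfolder, using the .NET ACL classes.
# Assumed values: share root D:\Directory 1, principal CONTOSO\FileVista-Sub1
# (a group, as the accepted answer suggests; a single user account works the same).
$Parent    = 'D:\Directory 1'
$Allowed   = Join-Path $Parent 'Subdirectory 1'
$Principal = 'CONTOSO\FileVista-Sub1'

# Hypothetical helper: appends one Allow ACE to a folder's DACL.
function Add-Ace {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Read/list on the parent, "this folder only": with InheritanceFlags None the
#    ACE is not propagated to the sibling subdirectories, so they stay closed.
Add-Ace -Path $Parent -Identity $Principal -Rights 'ReadAndExecute' -Inherit 'None'

# 2. Modify on the one permitted subfolder, inherited by its files and subfolders.
Add-Ace -Path $Allowed -Identity $Principal -Rights 'Modify' -Inherit 'ContainerInherit, ObjectInherit'

# 3. Verify: the principal should carry an ACE on Subdirectory 1 only. No Deny
#    entries are needed; a folder with no matching Allow ACE refuses the account.
Get-ChildItem -Path $Parent | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $hits = (Get-Acl -Path $_.FullName).Access |
            Where-Object { $_.IdentityReference.Value -eq $Principal }
    $state = if ($hits) { ($hits | ForEach-Object { $_.FileSystemRights }) -join ',' } else { '(no ACE)' }
    '{0,-45} {1}' -f $_.FullName, $state
}
```

The verification step only proves the limited group itself has no entry on the other subdirectories. As the accepted answer points out, if the account FileVista actually runs as (the "service user") also belongs to a broad group such as Domain Users that already has an Allow ACE on those folders, that inherited grant still wins and the listing should be extended to check for it.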

GeorgeMartin601 (Author) commented:
I'll try that and report back.  May take 'til Monday.  Thanks.
GeorgeMartin601 (Author) commented:
I found my answer from the maker of the product.  The bottom line was that some settings needed to be made within the software itself.  Thanks to all.
Windows Server 2003
