I work for a very large company, spread across multiple domains (due to several acquisitions over the years). Each domain has the same set of divisions. Let's call them Corporate, Games, Mobile, and Timeshare.
I'm responsible for migrating my employer's file system to DFS and eventually consolidating these domains.
I have one share that needs to be accessible via RO by an entire division (Games), and via RW for a few select people.
We do not have a list of all of the employees in the Games division. Originally I was considering writing a script that checks the AD account's department field (hoping that each user even has that field filled out), but boss man said let's try a simpler route, as doing that would affect the on-boarding process of new users as well. As the data owner didn't mind opening it RO to the entire company, for the sake of ease, he suggested adding the Domain Users group to the RO security group for the share, and then just adding the users who need RW access to the RW group. We realized that wouldn't work as it would take the lowest permission and apply it for the RW users.
This leaves me wondering if there is another method to achieve this?
ALSO, we cannot use dynamic groups.