I have a Windows shared folder that contains a two level hierarchy. The permissions are managed by security groups. The interesting permissions are set in the second level. A first level folder should only be visible if the user can see access any second level folder. I would like to simplify management of the first level by "reverse inheriting" permissions. Moreover no one expect the Admins should be capable to do any change on the first level including the second level folders.
The setup
Windows Server 2008 R2 in Domain
Hierarchy:
- Project A (group-a-all, read on directory only)
- Team A1 (group-a1, full permission)
- Files
- Team A2 (group-a2, full permission)
- Files
- Team A1 (group-a1, full permission)
- Project B (group-b-all, read on directory only)
- Team B1 (group-b1, full permission)
- Files
- Team A2 (group-a2, full permission)
- Files
- Team B1 (group-b1, full permission)
- [Fixer (group-a1)]
The groups group-a1 and group-a2 are members of group-a-all. The accessing user is member of group-a1 for example. To prevent changes or deleting on the second level I defined in addition that the group-a1 cannot change or delete on the specific folder.
The effect
The user is member of group-a1. She sees the Project A folder. But not the Team A1. Not until I created some Fixer folder with permissions containing group-a1. This works even if the permission is outside the Project A tee. So it seems that the second level permissions do only work if these permissions (AD Security Groups) have been used in the first level.
Why is this so? Is there a better way to handle this scenario?
