Re: Folder Permission Intersections



That is not going to change in Vista, last I saw. If the user's security
token includes membership in a group that is allowed access to an object,
and the user is not a member of a group that has deny access, the user is
in, assuming the user has the user right to access this computer from the
network. You can also tweak the user right for "access this computer from
the network" to control access to shares. Say you had that share on a
server that the "regular users" did not need access to: you could leave
permissions as is and then change "access this computer from the network"
to include performance managers, administrators, and other authorized
users. Personally, though, I would still configure the new global groups to
use in permissions, as part of best practice in assigning permissions to
folders; that would protect the folders in case someone changed the user
right to access this computer from the network to allow all users again for
that server.

Steve



<beepeeoh@xxxxxxxxxxxxxx> wrote in message
news:1154505140.691175.217890@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks for your thoughts, even though they were confirming my fears!
You'd have thought it would've been a fairly simple option to set:

Allow access to the folder where Group="RA_MIIS" AND Group="Performance
Managers"

instead of the "OR" query we get now. What are the odds this will
change in Vista? (I've a fairly good idea as to what the answer will
be, but a guy's gotta dream!)

Looks like I'm gonna have to smile sweetly at the IT department!

Thanks again.

Ben

Steven L Umbach wrote:
You probably are best off creating a group for the performance managers
for each division and then assigning that group permissions to their
folder but also keep all the performance managers in the performance
managers group that you currently have which would be used to give
permissions to the parent folder. The other alternative is to explicitly
grant only the specific users that are performance managers for each
division access to their folder though in my opinion it is better to
create the new groups even though it is a bit more work initially as it
will be much less prone to making errors assigning permissions and easier
to manage when users change positions since you would only need to change
a user's group membership and not modify the folder's permissions each
time.

Steve


<beepeeoh@xxxxxxxxxxxxxx> wrote in message
news:1154472718.409032.218720@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I'm not an administrator of any great experience, but I've a folder
permission problem I can't solve.
Everyone in my company is assigned to a division & is a member of the
appropriate divisional group on AD (e.g. MIIS_RA, MIIS_DA, etc). Each
division has its own Performance Manager & they are included in another
group (Performance Managers).
I would like to restrict a set of folders to just the Performance
Managers, but only allow them to access their own division's data, eg:

Root->
  PerformanceData->
    AA->
    AC->
    DA->
    etc...

The AA folder should only be accessible if you are in both MIIS_AA and
Performance Managers. I've tried to limit the PerformanceData to just
Performance Managers, then AA to just MIIS_AA, but if the file path is
known, anyone from MIIS_AA can go straight to that folder.
Am I missing something? How can I do this without asking IT to split my
Performance Managers group into Performance Managers_AA, Performance
Managers_AC, etc?

Thanks in advance.

Ben
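
An added example, not part of the thread and not written by either poster: a simplified Python model of the check described in the replies (a matching deny blocks, otherwise any one matching allow grants), showing why listing two groups gives OR and why the per-division group gives the intersection. The user names and the `MIIS_AC` memberships are constructed sample data.

```python
# Simplified model of a Windows DACL check for a single right (read).
# Assumes canonical ACE order: a matching deny wins, otherwise any one
# matching allow grants access. There is no "member of A AND B" ACE.

def can_read(token_groups, dacl):
    """token_groups: group names in the user's security token.
    dacl: list of (ace_type, group) pairs, ace_type 'allow' or 'deny'."""
    groups = set(token_groups)
    if any(kind == "deny" and grp in groups for kind, grp in dacl):
        return False
    return any(kind == "allow" and grp in groups for kind, grp in dacl)

# Constructed sample users and memberships (not from the thread).
USERS = {
    "aa_manager": {"MIIS_AA", "Performance Managers", "Performance Managers_AA"},
    "aa_staff": {"MIIS_AA"},
    "ac_manager": {"MIIS_AC", "Performance Managers", "Performance Managers_AC"},
}

# ACL on the AA folder as tried in the original question.
ORIGINAL_AA = [("allow", "MIIS_AA")]
# Listing both groups on the folder is still an OR of the two.
BOTH_GROUPS_AA = [("allow", "MIIS_AA"), ("allow", "Performance Managers")]
# Per-division group suggested in the replies.
PER_DIVISION_AA = [("allow", "Performance Managers_AA")]

def who_can_read(dacl):
    """Names of sample users whose token passes the DACL."""
    return sorted(u for u, groups in USERS.items() if can_read(groups, dacl))

def intersection_members(group_a, group_b):
    """Users in both groups: who the per-division group should contain."""
    return sorted(u for u, g in USERS.items() if group_a in g and group_b in g)

if __name__ == "__main__":
    for label, dacl in [("MIIS_AA only", ORIGINAL_AA),
                        ("both groups listed", BOTH_GROUPS_AA),
                        ("Performance Managers_AA", PER_DIVISION_AA)]:
        print(f"{label:26} -> {who_can_read(dacl)}")
    print("expected members:",
          intersection_members("MIIS_AA", "Performance Managers"))
```

Comparing the output of `intersection_members` with the real membership of each per-division group is a quick way to audit that the group still matches the intended AND of the two original groups.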



