
Nested Folder Permissions



I've enabled access based enumeration on our Server 2003 so users can only
see folders they have access to. In this folder, it has nested folders that
I have set up for managers & employees. What I want is when I give a user
permission to add/remove files at a folder level, it will then automatically
give them read or list contents permission to the parent folder(s).

 

Example:
Share
...Management
......Sales Department
......Accounting Department
...Users
......jdoe

 

If I give user jdoe full permissions to Sales Department, I want him to be
able to see the folder Share, inside Share he will see Management, and inside
Management folder he will only see Sales Department, not Accounting.

 

So far what I've tried is creating groups for each folder. I've tried
making nested groups so if I add him to the sales department group, it gives
him full access to sales department folder and then read or list permission
to share & management folders. But I can only nest 1 group, I can't go past
putting one group inside another. Can you nest groups over and over? Group
E belongs to Group D, D belongs to C, C belongs to B, and B belongs to A.
Right now I can only go as far as Group B belongs to A, no further. Is my
idea even possible or another option available?

 

I hope this makes sense.


Guest Ace Fekay [MVP]
Posted

Re: Nested Folder Permissions

 

In news:36840E34-AC47-4927-A77F-890B9855E332@microsoft.com,

MJD <MJD@discussions.microsoft.com> typed:

> I've enabled access based enumeration on our Server 2003 so users can
> only see folders they have access to. In this folder, it has nested
> folders that I have set up for managers & employees. What I want is
> when I give a user permission to add/remove files at a folder level,
> it will then automatically give them read or list contents permission
> to the parent folder(s).
>
> Example:
> Share
> ...Management
> ......Sales Department
> ......Accounting Department
> ...Users
> ......jdoe
>
> If I give user jdoe full permissions to Sales Department, I want him
> to be able to see the folder Share, inside Share he will see
> Management, and inside Management folder he will only see Sales
> Department, not Accounting.
>
> So far what I've tried is creating groups for each folder. I've tried
> making nested groups so if I add him to the sales department group,
> it gives him full access to sales department folder and then read or
> list permission to share & management folders. But I can only nest 1
> group, I can't go past putting one group inside another. Can you
> nest groups over and over? Group E belongs to Group D, D belongs to
> C, C belongs to B, and B belongs to A. Right now I can only go as far
> as Group B belongs to A, no further. Is my idea even possible or
> another option available?
>
> I hope this makes sense.

 

You can nest quite a bit, but honestly I don't remember what the limit is,
but what dictates nesting is what type of group can be nested into other
types. For example, in NT4, we followed the AGDLP rule, that is Add a user
into a Global Group, then add that Global Group into a Local group, then
apply permissions on the resource using the Local group and the user will
have access. With Windows 2000/2003, and if the domain level is set to 2003,
you have the option of nesting using the AGGUUDLP rule, which means Add a
user to a Global group, then nest that Global group into another and another
and another [...etc], and then add the last Global group to a Universal
group, (into another if you like), then add that to a Domain Local group,
then apply permissions on the resource using the Local group.

 

Also, you can only nest a global group into another Global group of the same
domain only. But you can take a Global of one domain and nest it into
another domain's Domain Local Group. Any Global group can nest into any
Universal. Any Universal can nest into any domain's Domain Local group. But
a Domain Local cannot nest into a Global of itself or any other domain. When
you browse for the group, it will only show you the types of groups it will
allow you to nest depending on domain FL, etc.

 

So it depends on the domain level and what type of groups you are using.
Based on what I mentioned, can you elaborate on type of groups, domain FL,
etc?

 

--

Regards,

Ace

 

This posting is provided "AS-IS" with no warranties or guarantees and

confers no rights.

 

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,

MVP Microsoft MVP - Directory Services

Microsoft Certified Trainer

 

Infinite Diversities in Infinite Combinations

 

Having difficulty reading or finding responses to your post?

Try using Outlook Express or any other newsreader, configure a news

account, and point it to news.microsoft.com. Anonymous access. It's

easy and it's free:

 

How to Configure OEx for Internet News

http://support.microsoft.com/?id=171164

 

"Life isn't like a box of chocolates or a bowl of cherries or

peaches... Life is more like a jar of jalapenos. What you do today

may burn your butt tomorrow." - Garfield
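
Added example, not part of either post: a small Python model of the nesting rules listed in the reply above, applied to the folder tree from the question to show which folders jdoe would see through chained Global groups. The group names (`GG_*`, `DL_*`), the `CORP` domain and the one-group-per-folder ACL layout are assumptions made for illustration; each folder's ACE is assumed to apply to that folder only, and inheritance is not modeled.

```python
from collections import namedtuple

# scope is "G" (Global), "U" (Universal) or "DL" (Domain Local)
Group = namedtuple("Group", "name scope domain")

def can_nest(child, parent):
    """Nesting rules as listed in the reply; unlisted combinations are rejected here."""
    if child.scope == "G" and parent.scope == "G":
        return child.domain == parent.domain   # Global into Global: same domain only
    if child.scope in ("G", "U") and parent.scope in ("U", "DL"):
        return True                            # Global/Universal into Universal or Domain Local
    return False                               # e.g. Domain Local into Global

class Directory:
    def __init__(self):
        self.groups, self.member_of = {}, {}

    def add_group(self, name, scope, domain="CORP"):
        self.groups[name] = Group(name, scope, domain)

    def add_member(self, member, parent):
        child = self.groups.get(member)        # None means a user account
        if child is not None and not can_nest(child, self.groups[parent]):
            raise ValueError(f"{member} ({child.scope}) cannot nest into {parent}")
        self.member_of.setdefault(member, set()).add(parent)

    def effective_groups(self, principal):
        """Transitive closure of memberships, however deep the nesting goes."""
        seen, stack = set(), [principal]
        while stack:
            for parent in self.member_of.get(stack.pop(), ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen

# Constructed sample: one Domain Local group per folder, ACE on that folder only.
FOLDER_ACL = {"Share": "DL_Share_List", "Share/Management": "DL_Mgmt_List",
              "Share/Management/Sales Department": "DL_Sales_Full",
              "Share/Management/Accounting Department": "DL_Acct_Full"}

def build_example():
    d = Directory()
    for g in ("GG_Sales", "GG_Mgmt", "GG_Share"):
        d.add_group(g, "G")
    for g in FOLDER_ACL.values():
        d.add_group(g, "DL")
    for member, parent in [("jdoe", "GG_Sales"), ("GG_Sales", "GG_Mgmt"),
                           ("GG_Mgmt", "GG_Share"), ("GG_Sales", "DL_Sales_Full"),
                           ("GG_Mgmt", "DL_Mgmt_List"), ("GG_Share", "DL_Share_List")]:
        d.add_member(member, parent)
    return d

def visible_folders(directory, user):
    groups = directory.effective_groups(user)
    return sorted(f for f, g in FOLDER_ACL.items() if g in groups)
```

Adding jdoe only to `GG_Sales` makes Share, Management and Sales Department visible while Accounting Department stays hidden, because no membership path reaches `DL_Acct_Full`.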
