Windows Folder permissions and Inheritance help

nRiTeCh

Guys, in my co. we are to restructure our existing fileserver, but with proper permissions this time, on Windows Server 2k8.

Long query short...
*******************************************************************************************************
We have this "REPO" parent folder in root.
Inside this REPO folder we've got 3 sub-folders: G1/G2/G3.

And have created 3 Users:
T1/ T2/ T3

Now we have created 3 User Groups in AD:
G1/ G2/ G3

User in AD groups:
T1 is in G1 /G3 group
T2 is in G2 group
T3 is in G2 /G3 group

Permissions to set:


User T1 will have full or modify access to G1 and G3
User T2 will have full or modify access to G2 but denied access to G1 /G2
User T3 will have full or modify access to G3 and G2 but denied access to G1
*******************************************************************************************************


So how do we achieve the set permissions target?
 
Not sorted yet.
We are 60% done, except that the condition is getting satisfied for only one user; the rest of the users are able to access their given folders but are not able to create any files/folders.
 
Break inheritance at the REPO folder and clean up any unwanted permissions like Domain Users. (You can leave Creator Owner as it is.)
Only add the fileserver administrator initially to the REPO folder, so only the admin should be able to access REPO and its subfolders G1, G2, G3.
Now add the G1 group to the G1 folder, the G2 group to the G2 folder, and the G3 group to the G3 folder (Modify permission).
There is no need to Deny anything here, as you have organized your users into groups.

If you want to enable directory browsing for REPO, you can set that permission for the G1, G2, G3 groups in the advanced security permissions of REPO and set List folder, Traverse etc. for only that folder in "Apply To".

EDIT: Please experiment only in test environment.
 
I would suggest this as a two step process, as discussed on the phone -

First, get rid of all ACLs - use the icacls reset command

Next, ensure that the group and user ACLs are correct.

Add rights to shares as required.
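
The two replies above (reset the ACLs with icacls, then break inheritance at REPO and grant each group Modify on its own folder) can be combined into one script. This is an added example, not code posted by anyone in the thread; the path `D:\REPO`, the domain name `CORP`, the `BUILTIN\Administrators` principal and the `Invoke-Icacls` helper are assumptions.

```powershell
# Added example. Assumed names: D:\REPO, domain CORP, BUILTIN\Administrators.
# Run on a test server first; $DryRun = $true only prints the commands.
$Root   = 'D:\REPO'                  # assumption: location of the REPO folder
$Domain = 'CORP'                     # assumption: AD domain holding G1/G2/G3
$Admin  = 'BUILTIN\Administrators'   # assumption: the fileserver admin principal
$Groups = 'G1', 'G2', 'G3'           # folder name == group name, as in the thread
$DryRun = $true

function Invoke-Icacls {             # hypothetical helper: print or run icacls
    param([string[]]$IcaclsArgs)
    if ($DryRun) { "icacls $($IcaclsArgs -join ' ')" }
    else {
        & icacls.exe $IcaclsArgs
        if ($LASTEXITCODE -ne 0) { throw "icacls failed: $($IcaclsArgs -join ' ')" }
    }
}

# 1. Reset: replace every ACL under REPO with default inherited ACLs.
Invoke-Icacls $Root, '/reset', '/T', '/C'

# 2. Give the admin an explicit Full control ACE, then drop inherited ACEs
#    (Domain Users etc.). Granting first avoids an empty ACL in between.
Invoke-Icacls $Root, '/grant:r', "${Admin}:(OI)(CI)F"
Invoke-Icacls $Root, '/inheritance:r'

foreach ($g in $Groups) {
    # 3. Modify on the group's own folder, inherited by files and subfolders.
    Invoke-Icacls (Join-Path $Root $g), '/grant:r', "${Domain}\${g}:(OI)(CI)M"
    # 4. Optional browsing: Read & execute on REPO itself only (no OI/CI flags).
    Invoke-Icacls $Root, '/grant:r', "${Domain}\${g}:(RX)"
}

# Expected result from the memberships in the question; no Deny ACE is involved,
# a user simply has no ACE on folders whose group they are not in.
$Members = @{ T1 = 'G1','G3'; T2 = 'G2'; T3 = 'G2','G3' }
foreach ($u in $Members.Keys | Sort-Object) {
    $row = foreach ($g in $Groups) {
        if ($Members[$u] -contains $g) { "$g=Modify" } else { "$g=none" }
    }
    "{0}: {1}" -f $u, ($row -join '  ')
}

# Review the ACLs actually in place.
if (-not $DryRun) { $Groups | ForEach-Object { & icacls.exe (Join-Path $Root $_) } }
```

Share permissions are evaluated separately from these NTFS ACLs, and over the network the more restrictive of the two applies.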
 