Question : Shares and Subfolder Permissions

This will be a no brainier for most of you but I've worked on it too long and am completely confused now. I think I could get it if I had more time but the deadline is closing in.

I need our domain users to access subfolders in shares on a Windows 2003 file server however I need to limit which users access which subfolders.

Say Share1 has Subfolder1, subfolder2, subfolder3... so on. Only user1 should have access to all the subfolders, user2 should only have access to subfolder2 and user3 access to subfolders 1 & 3.

If I have to give them all read, change access in the share, how do I limit the subfolder access? When I put read/change on the share then each user has that access to each subfolder no matter how I set the folder permissions. I've been experimenting but nothing works so far.

Thanks

Answer : Shares and Subfolder Permissions

Do yourself a favor: Always give the Everyone group full share permissions (Properties--Share--Permissions).
Then use NTFS rights to secure the folder itself and/or the subfolders in there.
As for handling those NTFS rights: Don't ever give access to a folder on a "per user" basis. That will finally turn out into your administrative nightmare.
Follow the golden AGLP rule (except for home directories): Accounts go into Global groups, global groups go into Local groups, Permissions are applied to local groups.
For each folder that you want to apply permissions to, (on the machine which hosts the folder) create a (domain) local group with a proper naming scheme (for example LNTFSFolderName-F: members of this group will have Full access to the folder FolderName; LNTFSFolderName-R: members will have Read access to this folder).
If you don't have already matching global groups with the users in it, create new ones (for example GNTFSFolderName-F; but you might just use an existing group for a department share). Make the global groups member of the according local groups.
From then on, access to folders can granted/revoked by simply adding/removing users from global groups, without having to edit ACLs.
If you have a W2k domain (or higher) running in native mode, you can/should use domain local groups instead of "real" local groups.

Random Solutions

Measuring Bandwidth Usage

sharing folders windows XP

How to "uninstall" a printer using a logon / startup script

Is JSMS engine able to work with Nokia 3650 using bluetooth as a visual serial connetion?

Is skype a sip protocol

GRE tunnel on Cisco 2600

Connecting Linksys or D-link Wireless Enet Router with ANY wireless PCMCIA card

Enable SNMP on PIX 501

Exchange 2007 Outlook Anywhere on 2008 Server with ISA 2006 Firewall

How to configure Fedora 11 to receive the email for a normal OS user