Greetings!
My aim: protect a share only with DAC and without using AD groups, but allow different access to differently classified users.
In detail:
Share - Auth.Users - Full
NTFS - Auth.Users - Full (calm down, testing purposes ;-)
DAC - AD users with attribute "Department" IT - Modify
Everything works fine - as long as I do this:
CentralAccessRule1, condition: user.department equals resource.department
-> Users without the department attribute: no access at all; users with the department attribute set: Modify
OK, next step, and problems arise. I want users with an additional attribute "Title" Manager to have Full access.
DAC - AD users with attribute "Department" IT - Modify AND attribute "Title" Manager - Full
CentralAccessRule2, condition: user.department equals resource.department AND user.title equals resource.title
BANG!
Now a user with the attribute "department" no longer has access; it is forbidden because of CAR2.
A user with both attributes set has Modify; Full is forbidden because of CAR1.
What am I missing? It can't be impossible; I'm sure I got something wrong...
Thank you all, any hints are appreciated!
OJ
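The two central access rules described in the post are, underneath, conditional ACEs in each rule's security descriptor. As an added example that is not part of OJ's post, the following script shows how both tiers can be expressed as two conditional ACEs inside a single central access rule using the ActiveDirectory PowerShell module, rather than as two separate rules. The rule and policy names ('IT share - tiered access', 'IT share policy'), the claim type display names ('Department', 'Title') and the resource property display name ('Department') are assumptions; the claim and resource-property IDs are looked up from AD at run time because SDDL refers to claims by ID, not by display name. The second tier compares the title to the literal "Manager" (the requirement stated in the post), but a resource-property comparison works the same way.

```powershell
# Added example (not from OJ's post): put both access tiers into ONE
# central access rule as two conditional allow ACEs, so the grants add up
# the way allow ACEs in any DACL do.
# Assumptions (hypothetical names, adjust to your forest):
#   - claim types with display names 'Department' and 'Title' exist
#   - a resource property with display name 'Department' exists and is
#     set to 'IT' on the share folder
#   - the policy 'IT share policy' is published to the file server by GPO
Import-Module ActiveDirectory

# Resolve the real IDs instead of hard-coding them; SDDL references a
# claim as @USER."ad://ext/Department:<hex>" and a resource property
# as @RESOURCE."<ID>", never by display name.
$deptClaim  = (Get-ADClaimType -Filter "DisplayName -eq 'Department'").ID
$titleClaim = (Get-ADClaimType -Filter "DisplayName -eq 'Title'").ID
$deptProp   = (Get-ADResourceProperty -Filter "DisplayName -eq 'Department'").ID
if (-not ($deptClaim -and $titleClaim -and $deptProp)) {
    throw 'Claim types or resource property not found; create them first.'
}

# Access masks: Modify has no SDDL short form, so use its hex value
# (FILE_GENERIC_READ|WRITE|EXECUTE + DELETE = 0x1301BF); Full is "FA".
$modify = '0x1301bf'

# Conditional allow ACEs (type XA) granted to Authenticated Users (AU):
#  1) user's department matches the resource's department  -> Modify
#  2) ...AND the user's title is "Manager"                 -> Full
# Claim IDs contain ':' and '/', so they must be double-quoted in SDDL.
$aceModify = "(XA;;$modify;;;AU;(@USER.`"$deptClaim`" == @RESOURCE.`"$deptProp`"))"
$aceFull   = "(XA;;FA;;;AU;((@USER.`"$deptClaim`" == @RESOURCE.`"$deptProp`") && (@USER.`"$titleClaim`" == `"Manager`")))"

# Owner/group prefix as the AD Administrative Center writes it; the rule
# body is the DACL with the two ACEs above.
$sddl = "O:SYG:SYD:AR$aceModify$aceFull"

# Target resource condition: apply this rule only to resources classified IT.
$resourceCondition = "(@RESOURCE.`"$deptProp`" == `"IT`")"

$rule = New-ADCentralAccessRule -Name 'IT share - tiered access' `
    -ResourceCondition $resourceCondition `
    -CurrentAcl $sddl `
    -PassThru

$policy = New-ADCentralAccessPolicy -Name 'IT share policy' -PassThru
Add-ADCentralAccessPolicyMember -Identity $policy -Members $rule

# Show what was stored so the SDDL can be checked before publishing the CAP.
Get-ADCentralAccessRule -Identity $rule |
    Select-Object Name, ResourceCondition, CurrentAcl
```

Two caveats worth keeping in mind when testing this: the effective access on a file is the intersection of the share ACL, the NTFS DACL and the central access policy, so a CAP can only ever narrow what NTFS allows (which is why the post's Full/Full test ACLs are a sensible starting point); and when a policy contains several rules whose target resource condition matches the same folder, the user must be granted the requested access by each of those rules, which is consistent with the behaviour OJ observed with CAR1 and CAR2 side by side. Keeping both tiers as additive ACEs in one rule avoids that interaction.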