We have a typical file share, root - sub1-sub2-sub3. Permissions are inherited and we use the Domain Users group to give all the user permissions, which is Modify. We want to restrict sub3 to a small set of users. We do not want anyone else to see the contents of sub3. Here is what I did:
1. Create an AD security group for the set of users.
2. On sub3, go into Properties - Permissions - Advanced Permissions - Change Permissions and uncheck "Include inheritable permissions".
3. Go back to Security - Edit permissions and add the AD security group with all permissions except Full Control. Remove Domain Users.
After doing this, access is denied for the security group users. When I check Effective Permissions, it says they do have the permissions I assigned the group. I thought this is how I used to do this, but obviously I am missing something.
Thanks
Don't sweat the hard stuff.
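
The three steps described above, written as PowerShell with the checks that show what ended up on the folder. This is an added example, not part of the original post. The path, domain, group and share names are hypothetical placeholders, and the script assumes the "copy existing entries" choice when inheritance is turned off.

```powershell
# Hypothetical names: adjust to your environment.
$Path   = 'D:\Shares\root\sub1\sub2\sub3'   # assumed local path of sub3 on the file server
$Group  = 'CONTOSO\Sub3-Users'              # assumed name of the AD group from step 1
$Remove = 'CONTOSO\Domain Users'            # assumed domain NetBIOS name
$Share  = 'root'                            # assumed SMB share name

$acl = Get-Acl -LiteralPath $Path

# Step 2: stop inheriting from sub2. ($true, $true) protects the ACL and copies
# the currently inherited entries as explicit ones, so SYSTEM and
# Administrators keep their access after Domain Users is removed.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Path -AclObject $acl
$acl = Get-Acl -LiteralPath $Path           # re-read: copied entries are explicit now

# Step 3: grant the group Modify on this folder, its subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)

# Remove every entry that names Domain Users, then write the ACL back.
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Remove)
Set-Acl -LiteralPath $Path -AclObject $acl

# Check 1: the NTFS entries that are actually on sub3, and whether any are
# still inherited.
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights,
                 IsInherited, InheritanceFlags -AutoSize

# Check 2: share-level permissions. Access over SMB is limited by both the
# share permissions and the NTFS ACL, so the group (or a group containing it)
# must be allowed here as well.
Get-SmbShareAccess -Name $Share

# Check 3: run as one of the affected users. The access token is built at
# logon, so the new group only appears after the user signs in again.
whoami /groups | Select-String -SimpleMatch ($Group.Split('\')[-1])
```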