Steps to recreate and test:
1. Create a folder, name it TestRoot. Grant all permissions to Domain Admins, Domain Users.
2. Create a sub-folder of TestRoot, name it TestFolder. Untick inherits permissions on TestFolder and grant all permissions to Domain Admins.
3. Grant Domain Users just traverse folder, read attributes, read ext attributes and read permissions to the TestFolder but ensure these permissions apply to just this folder.
4. Log in as a Domain User. You should find you're now able to rename the TestFolder and even remove the TestFolder entirely even though the permissions on the TestFolder would seem to suggest Domain User only has read permissions over the TestFolder.
It would seem that the parent folder is still enforcing its permissions ACL over the TestFolder despite inheritance being broken between the TestRoot folder and the TestFolder and TestFolder's ACL modified as described above.
Can anyone explain?
The objective is to allow users to modify the TestRoot folder's contents but be unable to rename or delete the TestFolder while being able to browse into TestFolder and read its content.
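
The steps above as commands, followed by a check of where a delete right for the group can come from. This is an added example, not part of the original post. It goes beyond the steps by also inspecting the parent's "Delete subfolders and files" right, which Full Control includes and which NTFS honours when a child is deleted or renamed, whatever the child's own ACL says. The domain name CONTOSO, the path C:\TestRoot and the function name Get-DeleteRightSource are assumptions.

```powershell
# Added example, not from the original post. Paths and group names are assumptions.
$Root   = 'C:\TestRoot'
$Child  = Join-Path $Root 'TestFolder'
$Users  = 'CONTOSO\Domain Users'    # hypothetical domain
$Admins = 'CONTOSO\Domain Admins'   # hypothetical domain

# Steps 1-3 from the post, expressed with icacls
New-Item -ItemType Directory -Path $Child -Force | Out-Null
icacls $Root  /grant "${Admins}:(OI)(CI)F" "${Users}:(OI)(CI)F"      # step 1: full control
icacls $Child /inheritance:r                                         # step 2: break inheritance
icacls $Child /grant "${Admins}:(OI)(CI)F" "${Users}:(X,RA,REA,RC)"  # step 3: this folder only

# Report whether $Identity is allowed Delete on the folder itself, or
# DeleteSubdirectoriesAndFiles (FILE_DELETE_CHILD) on its parent.
# Only Allow ACEs naming $Identity directly are read; group nesting and
# Deny ACEs are not evaluated.
function Get-DeleteRightSource {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity
    )
    $fsr         = [System.Security.AccessControl.FileSystemRights]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $parent      = Split-Path -Path $Path -Parent
    $mine        = { $_.IdentityReference.Value -eq $Identity -and
                     $_.AccessControlType -eq 'Allow' }

    $childAces  = (Get-Acl -LiteralPath $Path).Access | Where-Object $mine
    # An inherit-only ACE on the parent does not apply to the parent itself
    $parentAces = (Get-Acl -LiteralPath $parent).Access | Where-Object $mine |
        Where-Object { -not ($_.PropagationFlags -band $inheritOnly) }

    [pscustomobject]@{
        Folder              = $Path
        Parent              = $parent
        DeleteOnFolder      = [bool]($childAces |
            Where-Object { $_.FileSystemRights -band $fsr::Delete })
        DeleteChildOnParent = [bool]($parentAces |
            Where-Object { $_.FileSystemRights -band $fsr::DeleteSubdirectoriesAndFiles })
    }
}

Get-DeleteRightSource -Path $Child -Identity $Users
```

If `DeleteChildOnParent` is true, the group can delete or rename the folder through the parent's ACL even when `DeleteOnFolder` is false.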