Channel: Security forum

Folder Permissions: for User that is member of a Group with Deny grant and member of a Group with Allow permissions --> Deny is stronger


Hello to all.

I'm using Windows Server 2008 R2 Enterprise Service Pack 1.
I'd like to define some Groups.

E.g: MarketingGroup, ProductionGroup, SupportGroup.

And I'd like to create some folders with group permissions (also Deny Write or Deny All).

E.g:

\Marketing              --> MarketingGroup (Full Control); ProductionGroup (Deny Write); SupportGroup (Deny Write)

\Marketing\Offers   --> MarketingGroup (Full Control); ProductionGroup (Deny All); SupportGroup (Deny All)

\Production            --> ProductionGroup (Full Control); MarketingGroup (Deny Write); SupportGroup (Deny Write)

\Support                --> SupportGroup (Full Control); ProductionGroup (Deny Write); MarketingGroup (Deny Write)

The problem is: if I define a user that is a member of several groups, even if it has been granted "Write" on a folder, the "Deny" permission is stronger than the "Allow" permission, so it can't modify anything in the folder.

E.g: Tecnical1 (member of ProductionGroup and SupportGroup)

\Marketing            --> Deny Write (OK)

\Marketing\Offers --> Deny All (OK)

\Production          --> Deny Write (KO!!!! Instead of Full Control of ProductionGroup)

\Support              --> Deny Write (KO!!!! Instead of Full Control of SupportGroup)

How can I get around this behavior?

Can I only create groups that logically identify the set of multiple groups? But that would end the logic that a user can belong to several groups, and it would be even messier to maintain groups and allowed permissions during a reorganization of the company...

Can anyone help me? Thanks in advance.
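
The behaviour described in the post, as an added example that is not part of the original post: a simplified Python model of how Windows walks a folder's DACL, using the post's group names and the Tecnical1 memberships. The two-bit masks, the function names and the allow-only ACLs are assumptions made for illustration; inheritance and ownership are not modeled.

```python
# Simplified model of the Windows DACL check: explicit ACEs only, no
# inheritance, ownership or privileges. Masks are reduced to two bits.
READ, WRITE = 0x1, 0x2
FULL = READ | WRITE

def canonical(dacl):
    """Order ACEs the way Explorer and icacls store them: Deny before Allow."""
    return sorted(dacl, key=lambda ace: ace[0] != "deny")

def access_check(dacl, token_groups, desired):
    """Walk ACEs in stored order: a Deny ACE matching a requested bit not yet
    granted ends the check; Allow ACEs accumulate. Ungranted bits are refused."""
    remaining = desired
    for ace_type, group, mask in dacl:
        if group not in token_groups:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return False

def effective(dacl, token_groups):
    """Summarise what a token can do: 'RW', 'R', 'W' or '-'."""
    rights = "".join(name for name, bit in (("R", READ), ("W", WRITE))
                     if access_check(dacl, token_groups, bit))
    return rights or "-"

# \Production as configured in the post.
PRODUCTION_WITH_DENY = canonical([
    ("allow", "ProductionGroup", FULL),
    ("deny", "MarketingGroup", WRITE),
    ("deny", "SupportGroup", WRITE),
])
# Assumed alternative: no Deny ACEs, the other groups get Allow Read only.
PRODUCTION_ALLOW_ONLY = canonical([
    ("allow", "ProductionGroup", FULL),
    ("allow", "MarketingGroup", READ),
    ("allow", "SupportGroup", READ),
])
# Assumed alternative for \Marketing\Offers: only MarketingGroup is listed.
OFFERS_ALLOW_ONLY = canonical([("allow", "MarketingGroup", FULL)])
TECNICAL1 = {"ProductionGroup", "SupportGroup"}  # memberships from the post

if __name__ == "__main__":
    for name in ("PRODUCTION_WITH_DENY", "PRODUCTION_ALLOW_ONLY", "OFFERS_ALLOW_ONLY"):
        print(name, "Tecnical1 ->", effective(globals()[name], TECNICAL1))
```

In the allow-only variants a group that is not listed gets no access at all, which only holds on a real folder when no inherited ACE from the parent grants it.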



