We control access to our file shares using Security Groups in AD.
\ZONE
ZONE Group (Read & Execute, This Folder only)
ZONE-Write Group (Modify, This folder, subfolders and files)
User "rick.deckard" is in the ZONE-Write Security Group and so has Modify access to the whole \ZONE folder.
If rick.deckard creates a directory \ZONE\BR1, a "rick.deckard" ACE goes into the ACL for the BR1 directory, with "Full Control, This folder only".
If we subsequently remove "rick.deckard" from the ZONE-Write Security Group, he can't access the ZONE tree at all. Unless he maps to \ZONE\BR1 directly, in which case he still has full control in that directory!
These user based ACE entries in ACL remain even after access via the Security Group has been revoked.
Is this normal behaviour?
How do we set up a "Security Group only" method of conferring access to the ZONE directory, whereby upon directory creation, specific user ACEs are not installed?
Any help would be appreciated.
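As an added example (not part of the original question), the PowerShell below shows where the per-user ACE comes from (the default "CREATOR OWNER" entry on the root, which NTFS replaces with the creating user's own SID on each new folder), audits the tree for leftover explicit user ACEs, and previews a group-only root ACL. The share path, the DOMAIN name and the allow-list of expected principals are assumed placeholders.

```powershell
# Added example; $Root, DOMAIN and the allow-list are placeholders, not the post's values.
$Root    = '\\FILESERVER\ZONE'                      # placeholder share root
$Allowed = @('DOMAIN\ZONE', 'DOMAIN\ZONE-Write',     # placeholder domain
             'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
# 1. Where the per-user ACE comes from: the default NTFS ACL carries a
#    "CREATOR OWNER" entry (Subfolders and files only) that NTFS swaps for
#    the creating user's own SID on every new folder or file.
(Get-Acl -LiteralPath $Root).Access |
    Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
# 2. Detection: every explicit (non-inherited) ACE in the tree whose principal
#    is not on the allow-list, i.e. the leftover per-user entries.
function Get-OrphanAce {
    param([string]$Path, [string[]]$AllowList)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            (Get-Acl -LiteralPath $item.FullName).Access |
                Where-Object { -not $_.IsInherited -and
                               $AllowList -notcontains $_.IdentityReference.Value } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Principal = $_.IdentityReference.Value
                        Rights    = $_.FileSystemRights
                        AppliesTo = $_.InheritanceFlags
                    }
                }
        }
}
Get-OrphanAce -Path $Root -AllowList $Allowed | Format-Table -AutoSize
# 3. Mitigation on the root: remove the explicit CREATOR OWNER entry so new
#    folders inherit only the group ACEs, and add an "OWNER RIGHTS" (S-1-3-4)
#    entry so the creator's implicit owner permissions (READ_CONTROL, WRITE_DAC)
#    cannot be used to re-grant access. Assumes the CREATOR OWNER entry on $Root
#    is not itself inherited; drop -WhatIf once the preview looks right.
function Set-GroupOnlyRoot {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'CREATOR OWNER' } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier]'S-1-3-4', 'ReadPermissions',
        'ContainerInherit, ObjectInherit', 'None', 'Allow'))
    Set-Acl -LiteralPath $Path -AclObject $acl -WhatIf
}
Set-GroupOnlyRoot -Path $Root
```

Existing per-user ACEs on folders already created are not removed by step 3; the audit in step 2 lists them so they can be cleaned up explicitly.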