I've been working on this off and on for weeks now, and I'm really getting nowhere. We have a network share that everyone in our company has access to, called SharedFiles. It's located on our server, running SBS 2008. Recently, we wanted to start closing down access to certain folders - only those in the IT security group can access the Applications sub-folder and such. So I set up the security groups, granted permissions, and tested them with the Effective Permissions feature. Everyone has the appropriate permissions according to that, but in practice whenever someone tries to access a folder they should have rights to, they are given "Access is Denied".
The permissions grant full control of a folder to specific groups. Folder A grants full control to members of the SecA security group, for example. While no one is denied permission explicitly, not even Administrators are listed as having permission. Our goal is that having admin privileges isn't enough to gain access. We want the user to be part of the SecA group.
Initially, I was getting this "Access Denied" problem with Administrators as well, but now it's only Domain Users. I managed to find a thread that confirmed this was caused by UAC and mentioned that Administrators can avoid this problem while still maintaining UAC on the server by adding special permissions to the Authenticated Users group in the top-level folder, the one that is actually shared:
Authenticated Users - (List Folder / Read Data) (Read Attributes) (Read Extended Attributes) and (Read Permissions) applied to "This folder only"
That did work for all users with Administrative rights. They can access folders that they have rights to, but are denied other folders they don't have rights to. For example, we have Folder A and Folder B. Admin1 is part of the SecA group, but not the SecB group. With the above Authenticated Users permissions in place, Admin1 can access Folder A, but not Folder B. This is what we expect and what we want.
However, the same does not apply to Domain Users. Regular users with no admin rights are denied access, even when Effective Permissions confirms that they should have full control. Thus far, I have not found a way to properly clamp down access. In theory I could just turn off UAC and be done with it, but I don't feel that's really a solution. What can be done to get this to work?