I have a problem with QNAP NAS, subfolder and ACL permissions.
That has been discussed over and over in this forum but sadly I did not find a solution to my issue yet
The System
QNAP TVS-671-i5-8G
Firmware 4.3.3.0210
The Problem
I try to set up the folder structure to be used by Windows clients/users with active directory-authentication afterwards.
The users shall not change anything on the share itself (read-only) but should have write access to some subfolders.
Example:
Share "Documents"
--- Folder "Department A"
--- Folder "Department B"
People that work in "Department A" shall not access "Department B" and otherwise around.
Configuration
QNAP
Connected to the local domain.
Created the share "Documents" with full access for QNAP\admin and domain\domain-administrators.
Activated the use of ACL and extended folder permissions on the QNAP.
Windows
In Windows Explorer I created the folder "Department A" with read/write access for group domain\department a, full access for domain\domain-administrators.
Created a GPO that gives "Department A" a network share with UNC \\QNAP\Documents\Department A.
The same with "Department B".
Result
That way users from "Department A" are not able to access the folder "Department A" at all
No problems with a domain administrator account.
Adding read-only to the share "Documents" for domain\domain-users lets me access the Folder "Department A" but it is just read-only.
Somehow the permissions from the Share above overwrite the permissions for the department.
So I deactivated permission inheritance on the subfolders and set all permissions manually:
Folder "Department A"
full access for qnap\admin
full access for domain\domain-administrators
read-write for group department a
Still no joy, the problem stays the same.
Checked share permissions and they are set to anyone with full access.
I have the strong feeling that I am overlooking something.
Right now I am scratching my head and try to figure out what I am missing.
Hopefully you can point me in the right direction.
Greetings
isard
Edit:
Seems that I am pretty much doing the same as mentioned by schumaku in his first post here: viewtopic.php?t=115371.
I guess I am on the right track somehow...