Dear all, I got the following situation, a share called "Bureaus", with the follwong subdirs: /Bureaus/A /Bureaus/B /Bureaus/C etc. where A,B,C.. are the bureau names under all the bureau names are directories: A/Task1 A/Task2 A/Task3 A/Archive For all the bureau names. I've got groups, a groups, everyone is a member of "Domain Users", and that's also always the primary group. And, a group A, a group B etc, and groups "Task1 A", Task1 B"..."Task2 A" etc. The simple idea is to give everyone access to Bureaus, only those who are member of group A can go into /Bureaus/A, and only those who are a member of group "Task1 A" can go to /Bureaus/A/Task1 and do there whatevery they want. So fa so good, I've made acl's which allow "Domain Users" to r-x /Bureau, without passing this to the subdirectories, an acl which allows r-x to group A (also without allowing this to subfolders) for /Bureau/A, and for /Bureau/A/Task1 including subdirectories the acl is "allow group Task1 everything". That works fine. But now for the Archive directory, the /Bureau/A/Archive should be read-only for members of the group A, and read-write for members of the group "Archive Mods A". And that's the problem, if I add an acl (with the windows rights management stuff) for the group A to have read-only right for /Bureau/A/Archive and subdirectories, and for the same directories an acl with "allow everything" for members of the group "Archive Mods A", then the effitive rights for members of "Archive Mods A" is read-only, since the most restrictive rights apply. What I expected at first was that the rights would be additive and only a deny would have the effect which I'm seeing now. How can I make it work? The options I have: global: map acl inherit = Yes The share /Bureaus: path = /samba/Bureau public = no browseable = yes writable = yes printable = no force create mode = 0770 directory mask = 0770 security mask = 0777 force security mode = 0 directory security mask = 0777 force directory security mode = 0 hide unreadable = yes Kind regards, Jeroen Vriesman.