Just to be clear I am NOT a Microsoft fan. But it appears that it makes
more sense if at some point we say for this folder down, this user no
longer has access no matter what container, group or alias, may have
rights further up the structure.

With the crappy Microsoft security rights, we can do this. It seams like
something that you would want to be able to do. Particularly given that in
ZenWorks you can make Policy search orders to determine what takes
precedance, it would be nice if there was such a thing for File access
rights. So that I can chose if I specify something at the user level that
takes precedence over the Group or container rights. (or possibly the
reverse but I would not see a need for it.)

Having these rights be additive simply makes it more combursome to manage.

I now have to make my user tamplate add the user as a trustee of the
parent folder so that I can later remove rights further down the file
system tree. Instead of being able to assign the Container right to the
parent folder and removing the users down the file system tree...

In that way it seams that in MY PARTICULAR CASE, Microsoft addresses this
issue more to my needs then Novell which is a scary thought for me, being
so pro-Novell.

Anyhow, I have a workaround for now with my template thingy, but I can't
help but think I am doing something wrong. I RARELY see situations where I
can say Microsoft can do it but Novell Cant...

Thanks for the help. IRF will not really help me in this scenario...

P.S. I have a hard time visualizing when having the file right be additive
is useful. I don't see my self using file rights in that way. e.g. at the
parent level the org has RF and at lower level the USERx has WERCA added
to it??? Why not implicitly stat that USERx has RWERCFA. Less confusing
too. I am guessing it is for backward compatibiliy, but I find it hard to
imagine some setting it up in a way that changing this would hurt... Worse
case make it a toggle switch that keeps file rigths compatible with older
systems or use the more intuative way of doing this.

I have had difficulty in the past in getting people to understand my
dilemma, I think I have made myself clear in this thread. I still find it
hard to think that I can't do this with Novell...