Well, it's a Monday, and we all know that Mondays tend to be the weird days, where we forget how to do certain things that would otherwise come easy. So I have this NW Server that's gonna be a file server at some point, and I'm trying to employ some unique permission settings on an NSS volume called 'DATA'. Now I could've swore that they worked fine in the past, but now they don't for some reason, and being that it's a Monday, I'm utterly baffled. I know if I wait till tomorrow, I'll probably figure it out, but maybe someone here can jog my memory a little bit.

So here's an example diagram of how I have the file system laid out:
  |    |
  |    |-depts\
  |    |    |
  |    |    |-One\
  |    |    |-Two\
  |    |    |-Three\
  |    |
  |    |-global\

As the diagram shows, in the 'depts' sub folder, I have three departments, and I want to control access to them via group objects. So I'll create three group objects somewhere in my Tree such as "dept-One', 'dept-Two', and 'dept-Three', plug the users into the appropriate groups, and get that side of things squared away.

So in the user's login scripts, I want to map a drive, say R:, to DATA:\SHARED\DEPTS, and when the user clicks on R:, they would only see the folders for each department that they have rights to (controlled by which department groups that they are a member of).

Now my understanding of NSS permissions is that, if I grant a user/group at minimum, read and file scan to a folder that's a sub-folder of another folder, then they're supposed to be able to get past the parent folder to reach the sub-folder, even if they lack any rights to the parent folder at all. Better stated, I have no trustees assigned to DATA:\SHARED or DATA:\SHARED\DEPTS; only to DATA:\SHARED\DEPTS\One, and so on. So I should be able to map R: as indicated above, and if a user is in 'dept-One' and 'dept-Three', then they would see only the 'One' and 'Three' folders under R:.

At least, that's my understanding by analyzing our existing, dare I say antiquated, NW5 server's file system layout. But when I try to replicate this on my NW65SP7 server, the mapping operation fails in the login script with error 8804 when mapping to DATA:\SHARED\DEPTS, and I can't figure out why. If I map a drive to DATA:\SHARED, then DEPTS isn't even visible, even though I should have read rights (at minimum) to a folder underneath of it.

If I create a global user group, say 'all-users', and grant it even just file scan rights to the top level folders, like DEPTS, then the user, when clicking on R: sees all department sub-folders instead just the ones visible to them via their group memberships.

I figure I'm missing something. As my father says, "If it were a snake, it'd bite you.", and well, this is a snake that's very likely going to latch on and not let go here.