Forum Discussion
Inheritance--problems caused by bidirectionality
Is there any way to inherit permissions downward to child subsites without also generating permissions upward to the parent site? when a group must be given access to a subsite? There are multip...
Only suggestion I have for this scenario is use AD groups inside of your SharePoint groups. Create your basic SharePoint groups if they don't exist already, then add the AD groups to the SharePoint groups if they need to be propagated since all your sites have the original SharePoint security groups. Then if you need to have an exception, add the AD group to the subsite directly.
thanks. that is what i do currently, but the problem arises like this: i want an AD group to have access to one subsite but not the entire tree. to effectuate that, i have to break inheritance for that subsite. then, if i want to add or delete an AD group to the entire set of site and subsites, i have to manage the broken-inheritance sites separately. that's actually less of a problem than figuring out which sites--or document libraries--have broken inheritance; there doesn't seem to be a way to report that.