I have a Windows Storage Server 2008 machine acting as our company file server. I need to give someone access to some folders and files in our Marketing folder (which contains easily 100,000+ files). The user needs access to Marketing/images, but nothing else in the marketing folder. So my thought is to add read privileges to the Marketing folder, and then add read/write to the images folder, subfolders and files.
When I go to add the permissions on the Marketing folder, I select the correct read permissions and then I set the scope to "This folder only". When I click apply, it seems to touch every file within the Marketing folder (which takes forever). In the end it only added his permissions to the Marketing folder like I expected, but it still had to touch every other single file.
What is it doing? All the other files inherit their permissions, so is it telling every single file "Inherit permissions from Marketing except for user John Doe"? Am I doing it wrong?
What you did is correct. The behavior you noticed (the process takes "forever" and every directory and file in the tree seems to be touched) is just the way the ACL APIs are implemented. The code probably does not check what was changed, so that it does not know that, in this specific case, it is not necessary to recurse down the tree.
joeqwerty's answer is correct, too. I would like to emphasize that end users may not be comfortable working with paths that can be accessed directly (specifying the full path) but not browsed (moving down the hierarchy in Explorer from the root directory down).
You can actually just grant the user the appropriate permissions directly on the images folder without giving them any permissions on the parent folder. The "Bypass traverse checking" user right will allow the user to traverse a set of folders to which they have no permissions to get to a folder to which they do have permissions. Note that the user will have to explicitly access the path to the images folder as they won't be able to browse to it.
From the "Bypass traverse checking" user right explanation:
Bypass traverse checking
This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.
Default on workstations and servers:
Administrators, Backup Operators, Users, Everyone, Local Service, Network Service
Default on domain controllers:
Administrators, Authenticated Users, Everyone, Local Service, Network Service, Pre-Windows 2000 Compatible Access
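The two approaches discussed in this thread (read on Marketing for "This folder only" plus read/write on images, or a grant on images alone that relies on "Bypass traverse checking"), written out with icacls as an added example that is not part of the original posts. The account name and paths are placeholders, and `$allowBrowsing` is a hypothetical switch used only to choose between the two.

```powershell
# Placeholders (assumptions, not taken from the thread).
$user      = 'CONTOSO\jdoe'
$marketing = 'D:\Shares\Marketing'
$images    = Join-Path $marketing 'images'

# $true  = the question's approach: the user can browse down from Marketing.
# $false = the second answer's approach: no ACE on the parent at all.
$allowBrowsing = $false

if ($allowBrowsing) {
    # Read & execute on Marketing with no (OI)/(CI) inheritance flags,
    # which is the "This folder only" scope in the GUI.
    icacls $marketing /grant "${user}:(RX)"
}

# Modify on images, inherited by subfolders (CI) and files (OI).
icacls $images /grant "${user}:(OI)(CI)M"

# Review the ACEs that now exist on each folder.
icacls $marketing
icacls $images

# Run the remaining commands in a session started as the target user.
# Confirm the token carries "Bypass traverse checking"
# (SeChangeNotifyPrivilege); without it the images-only grant is unreachable.
whoami /priv | Select-String 'SeChangeNotifyPrivilege'

# Access by explicit full path, which is how the user must reach the
# folder when no permission is granted on Marketing.
Test-Path $images
Get-ChildItem $images | Select-Object -First 5
```

With the images-only grant, hand the user the full path (or map a drive or shortcut to it), since browsing down from the share root will not list the folder.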