It seems to me that a User should not get to keep their roles in the acquired objects which are above the User Folder in which the user is defined... However, that does not seem to be true according my testing. This is what happens. Imagine a tree like this root-folder1-acl_users \folder2-object1 root has a role called 'User' with 'View' permissions (anonymous is disabled) and acl_users has a user called joe. joe can access objects in folder2 according to the permissions set on the root by using acquisition like this: http://server/folder1/folder2/object1 joe cannot however, access them directly: http://server/folder2/object1 Does this seem strange to anybody else, or have I just been working too long? _____________________________________________________ Tim McLaughlin iterationZERO - www.iterationzero.com 703-481-2233