Sharepoint 2010 team site permissions

I'm probably doing something stupid but I just can't seem to get the permissions working correctly on my collection.

I have a site collection with a mixture of team sites and blogs. From the parent if I am a visitor/reader I can see everything apart from the sub team sites. The only way I can get the user to view the team sites is to grant them owner rights. If I grant any other permission they can't see the sites at all. Is there something I'm doing wrong here!?

Second issue is I am importing a legacy intranet into Sharepoint开发者_如何学Python, I need to be able to say everyone has read rights to all sites/content except a few AD groups don't have permissions to a particular site. Is it possible to create a group with no rights so for example "everyone" would be a reader/viewer but GroupA would not have access because they are part of the "access denied" group (even though they are in the reader group I presume the least permission should apply).

Hope that makes sense, seems like it should be possible but maybe I'm going about it the wrong way.

Thanks

Dan

Your first question: You should double check that the sub sites are published (the pages). Our tester reported this bug recently and discovered that the reason the Visitor couldn't see the sites bellow was because they had never had a publish/approved version. if that doesn't work, then make sure you check what elsni is suggesting.

Your second question: I think by adding 'everyone' as a reader to the root site, you are allowing everyone to read. I don't think there is a way to say, 'but don't allow users from x group'. You could however break the permissions inheritance and remove 'everyone' from the visitors group in the sites bellow the root. Of course then you have to manage permissions for all of these sites separately but that is the only way I know of achieve what you're trying to do.

Make sure you inherit permissions from the top site, there is an option which is selected by default when creating sub sites. I don't know exactly, but I guess you can set permission inheritance in the sub site's options afterwards.

In Sharepoint 2010 you can also deny permissions to certain groups.

Because I can't add a comment:
No, SharePoint 2010 has no functionality to deny anything. There is only "allow this or that".
So as the others described, you have to allow every group her rights if all but one is allowed. If you have opportunity to work with AD-Groups: you can have hundreds Ad groups inside one SharePoint group, but no SharePoint group inside another.
So my suggestion is to break inheritance, create a SharePoint group which is allowed and add all SharePoint user and all AD groups there.