Sounds to me like you could benefit from WinFS - once (and if?) it is finished. In the meantime, pretty much all you are left with, since you want to use NTFS disk space directory structure, is using groups and group nesting to ease the administration burden.
I recommend you listen to MS best practices:
- define roles that your users should have when accessing data, one for each kind of access
- define resources (in your case directories) that must be accessed by each role
- create groups (usually global) for user roles, assign users to groups
- create groups (usually local) for role resources, assign rights to resources (directories)
- nest groups (usually make global group member of the local group) to give users appropriate permissions
This approach also facilitates better security, and it also scales well when being used across complex AD trees and in environments with a great number of users or resources.
Kinds of groups that you will use (universal, global, domain local, machine local) depend on the functional level of your domain, as well as your needs. In any case, consult some AD literature for those details, just to be sure.
Hope this helps a little, but then again, maybe you knew this all along, sorry if I stated the obvious.
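
The role/resource group steps listed in the answer above, scripted with the ActiveDirectory PowerShell module and followed by a check for ACL entries that bypass the groups. This is an added example, not part of the original post; the OU, domain, directory, group and user names are hypothetical, and it assumes the new groups are already resolvable on the machine that applies the ACL.

```powershell
Import-Module ActiveDirectory

# All names below are hypothetical: adjust OU, domain, directory, users.
$ou     = 'OU=Groups,DC=example,DC=com'
$domain = 'EXAMPLE'
$path   = 'D:\Shares\Finance'

# Roles (global groups) and the users assigned to each.
$roles = @{
    'ROLE-Finance-Analysts' = @('alice', 'bob')
    'ROLE-Finance-Auditors' = @('carol')
}
# Resource groups (domain local): right granted on $path, and the roles nested in.
$resources = @{
    'RES-Finance-Modify' = @{ Rights = 'Modify';         Roles = @('ROLE-Finance-Analysts') }
    'RES-Finance-Read'   = @{ Rights = 'ReadAndExecute'; Roles = @('ROLE-Finance-Auditors') }
}

foreach ($name in $roles.Keys) {
    New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
        -GroupCategory Security -Path $ou
    Add-ADGroupMember -Identity $name -Members $roles[$name]
}

$acl = Get-Acl -Path $path
foreach ($name in $resources.Keys) {
    New-ADGroup -Name $name -SamAccountName $name -GroupScope DomainLocal `
        -GroupCategory Security -Path $ou
    # Nesting: the global role group becomes a member of the local resource group.
    Add-ADGroupMember -Identity $name -Members $resources[$name].Roles
    # Rights go to the resource group only, inherited by subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$domain\$name", $resources[$name].Rights,
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Audit: explicit ACEs should name resource groups only, never a user account.
foreach ($ace in (Get-Acl -Path $path).Access | Where-Object { -not $_.IsInherited }) {
    $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if (Get-ADUser -Filter "SID -eq '$sid'") {
        Write-Warning "Direct user ACE on ${path}: $($ace.IdentityReference)"
    }
}
```

Running the audit loop on a schedule flags any permission granted to an individual account, which is the drift that makes this group model hard to review later.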