Here's your big mistake: "Break Inheritance"

Don't do that - as a matter of fact, fix that. There are at least two
ways to fix that problem:
     o- Yank the directories that have broken inheritance far enough
up the directory tree that the permissions can be assigned rationally
or,
     o- Re-enable inheritance all the way down the tree, but use
settings like "This folder only", so that traversal works.

Which you choose depends on preference and circumstance - each has its
benefits and problems - but you'll have a much more maintainable set
of directories after you're done.

I do understand that doing the first one will cause consternation for
the folks who have gotten used to seeing things laid out a certain
way, but if you have problems with file/directory names that are too
long, or if there are other problems with things not being well
organized, then flattening the directory structure can be a boon in a
very short amount of time.

In the interim, using something like this in PowerShell (I haven't
tested this, so you'll have to) might work:
     Get-ChildItem \\server\share -Directory -Recurse | Export-Csv -NoTypeInformation c:\temp\directories-to-be-modified.csv

Then edit that to add your ACLs to the CSV file, and import-csv to set-acl.

Kurt

On Tue, Jan 26, 2016 at 12:02 PM, Eugene Lipsky <[email protected]> wrote:
> I have a fileshare that I'd like to add a new security group to and give it
> full admin rights to all the subfolders/files without changing any of the
> existing permissions. So far I've been attempting to do this via the
> following icacls command:
>
> icacls "\\fileserver\ShareA\*" /grant DOMAIN\FullAdmins:(OI)(CI)(F) /T
>
> My issue is that a lot of the folders and subfolders (hundreds, multiple
> levels deep) have inheritance disabled and so permissions do not propagate
> down to those folders and their subfolders requiring running the same
> command on the level of those folders. I'm sure others have run into similar
> situation and I'm guessing may have developed scripts to parse all
> subfolders in a share with inheritance disabled to run a command against. If
> anyone has something handy or other suggestions besides having to re-design
> the fileshare I'd appreciate it.
>
>
> Thanks,
> Eugene
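
One way to script what the thread discusses, as an added example that is not from either poster: list every directory whose ACL has inheritance disabled, write the list to a CSV for review, then run the additive icacls grant from the original question once at the share root and once at each of those directories. The share path and group name are taken from the question; the CSV path and the `$Apply` switch are assumptions for illustration.

```powershell
# Added example, untested against the poster's share; adjust the values below.
$Root   = '\\fileserver\ShareA'                 # share from the original question
$Group  = 'DOMAIN\FullAdmins'                   # group from the original question
$Report = 'C:\temp\protected-directories.csv'   # assumed review file
$Apply  = $false                                # $false = dry run, only print commands

# 1. Audit: collect directories whose ACL is protected (inheritance disabled).
$protected = @(
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue -ErrorVariable walkErrors |
        ForEach-Object {
            try {
                $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
                if ($acl.AreAccessRulesProtected) {
                    [pscustomobject]@{ Path = $_.FullName; Owner = $acl.Owner }
                }
            } catch {
                Write-Warning "Cannot read ACL on $($_.FullName): $($_.Exception.Message)"
            }
        }
)

# Directories that could not be listed (access denied, path too long) are
# reported rather than silently skipped, since the grant will not reach them.
foreach ($e in $walkErrors) { Write-Warning "Not enumerated: $($e.TargetObject)" }

$protected | Export-Csv -NoTypeInformation -Path $Report
Write-Host "$($protected.Count) directories with inheritance disabled; list in $Report"

# 2. Grant: the share root covers everything that still inherits; each protected
#    directory needs its own ACE. /grant without :r adds to existing permissions,
#    and (OI)(CI) lets the ACE flow to inheriting children, so /T is not needed.
$targets = @($Root) + @($protected | ForEach-Object { $_.Path })
foreach ($dir in $targets) {
    if (-not $Apply) {
        Write-Host "icacls `"$dir`" /grant `"${Group}:(OI)(CI)(F)`""
        continue
    }
    icacls $dir /grant "${Group}:(OI)(CI)(F)" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls failed on $dir (exit code $LASTEXITCODE)"
    }
}
```

With `$Apply` left at `$false` nothing is changed, so the CSV and the printed commands can be checked before the grant is run.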

