Thanks Kurt. Fixing the bigger problem is not currently in scope but delegating admin access to the share is.

Eugene

On Tue, Jan 26, 2016 at 3:34 PM, Kurt Buff <[email protected]> wrote:
> Here's your big mistake: "Break Inheritance"
>
> Don't do that - as a matter of fact, fix that. There are at least two
> ways to fix that problem:
>     o- Yank the directories that have broken inheritance far enough
>        up the directory tree that the permissions can be assigned
>        rationally
> or,
>     o- Re-enable inheritance all the way down the tree, but use
>        settings like "This folder only", so that traversal works.
>
> Which you choose depends on preference and circumstance - each has its
> benefits and problems - but you'll have a much more maintainable set
> of directories after you're done.
>
> I do understand that doing the first one will cause consternation for
> the folks who have gotten used to seeing things laid out a certain
> way, but if you have problems with file/directory names that are too
> long, or if there are other problems with things not being well
> organized, then flattening the directory structure can be a boon in a
> very short amount of time.
>
> In the interim, using something like this in PowerShell (I haven't
> tested this, so you'll have to) might work:
>     get-childitem \\server\share -directory -recurse | export-csv -notype c:\temp\directories-to-be-modified.csv
>
> Then edit that to add your ACLs to the CSV file, and import-csv to set-acl.
>
> Kurt
>
> On Tue, Jan 26, 2016 at 12:02 PM, Eugene Lipsky <[email protected]> wrote:
> > I have a fileshare that I'd like to add a new security group to and give it
> > full admin rights to all the subfolders/files without changing any of the
> > existing permissions. So far I've been attempting to do this via the
> > following icacls command:
> >
> > icacls "\\fileserver\ShareA\*" /grant DOMAIN\FullAdmins:(OI)(CI)(F) /T
> >
> > My issue is that a lot of the folders and subfolders (hundreds, multiple
> > levels deep) have inheritance disabled and so permissions do not propagate
> > down to those folders and their subfolders, requiring running the same
> > command on the level of those folders. I'm sure others have run into a similar
> > situation and I'm guessing may have developed scripts to parse all
> > subfolders in a share with inheritance disabled to run a command against. If
> > anyone has something handy or other suggestions besides having to re-design
> > the fileshare I'd appreciate it.
> >
> > Thanks,
> > Eugene
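
One way to script what the original question asks for, as an added example that is not part of the thread and was not posted by either participant: find the folders with inheritance disabled and add the group's ACE to each one, leaving existing entries in place. The share path and group name come from the question; the function name is hypothetical, only folders (not individual files with inheritance disabled) are examined, and the account running it is assumed to be allowed to read and change permissions on every folder.

```powershell
# Added example, not from the thread. Path and group come from the original
# question; the function name Add-AceToProtectedFolders is hypothetical.
function Add-AceToProtectedFolders {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Root  = '\\fileserver\ShareA',
        [string]$Group = 'DOMAIN\FullAdmins'
    )

    # Equivalent of icacls "(OI)(CI)(F)": full control on this folder,
    # inherited by subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

    # The share root, plus every folder below it whose DACL is protected
    # (inheritance disabled). Folders that still inherit pick the ACE up
    # from the nearest of these ancestors.
    $targets  = @(Get-Item -LiteralPath $Root)
    $targets += @(Get-ChildItem -LiteralPath $Root -Directory -Recurse |
        Where-Object { (Get-Acl -LiteralPath $_.FullName).AreAccessRulesProtected })

    foreach ($dir in $targets) {
        $status = 'Skipped'
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            $acl.AddAccessRule($rule)   # ACEs for other principals are untouched
            if ($PSCmdlet.ShouldProcess($dir.FullName, "Grant FullControl to $Group")) {
                Set-Acl -LiteralPath $dir.FullName -AclObject $acl -ErrorAction Stop
                $status = 'Updated'
            }
        } catch {
            # Typically access denied or a path that is too long; report it
            # instead of stopping so the remaining folders are still handled.
            $status = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Path = $dir.FullName; Status = $status }
    }
}

# Usage: dry run first, then apply and keep a record of what was changed.
#   Add-AceToProtectedFolders -WhatIf
#   Add-AceToProtectedFolders | Export-Csv -NoTypeInformation C:\temp\acl-changes.csv
```

Folders reported as `Failed` are the ones to review by hand, since the new group still has no access there.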
