Actually, I'd like to refine the interim advice... Try something like this:

    get-childitem -directory -recurse | get-acl | export-csv -notype c:\temp\directorySecurity.csv

That will give you the ACLs, and you can modify them as needed, then do something like:

    import-csv c:\temp\directorySecurity.csv | set-acl

Again - I haven't tested it, so it's almost certainly not the best or correct syntax, but that's the general idea.

Kurt

On Tue, Jan 26, 2016 at 1:50 PM, Eugene Lipsky <[email protected]> wrote:
> Thanks Kurt.
>
> Fixing the bigger problem is not currently in scope but delegating admin
> access to the share is.
>
> Eugene
>
> On Tue, Jan 26, 2016 at 3:34 PM, Kurt Buff <[email protected]> wrote:
>>
>> Here's your big mistake: "Break Inheritance"
>>
>> Don't do that - as a matter of fact, fix that. There are at least two
>> ways to fix that problem:
>>      o- Yank the directories that have broken inheritance far enough
>>         up the directory tree that the permissions can be assigned
>>         rationally
>> or,
>>      o- Re-enable inheritance all the way down the tree, but use
>>         settings like "This folder only", so that traversal works.
>>
>> Which you choose depends on preference and circumstance - each has its
>> benefits and problems - but you'll have a much more maintainable set
>> of directories after you're done.
>>
>> I do understand that doing the first one will cause consternation for
>> the folks who have gotten used to seeing things laid out a certain
>> way, but if you have problems with file/directory names that are too
>> long, or if there are other problems with things not being well
>> organized, then flattening the directory structure can be a boon in a
>> very short amount of time.
>>
>> In the interim, using something like this in PowerShell (I haven't
>> tested this, so you'll have to) might work:
>>
>>      get-childitem \\server\share -directory -recurse | export-csv -notype c:\temp\directories-to-be-modified.csv
>>
>> Then edit that to add your ACLs to the CSV file, and import-csv to
>> set-acl.
>>
>> Kurt
>>
>> On Tue, Jan 26, 2016 at 12:02 PM, Eugene Lipsky <[email protected]> wrote:
>> > I have a fileshare that I'd like to add a new security group to and give
>> > it full admin rights to all the subfolders/files without changing any of
>> > the existing permissions. So far I've been attempting to do this via the
>> > following icacls command:
>> >
>> > icacls "\\fileserver\ShareA\*" /grant DOMAIN\FullAdmins:(OI)(CI)(F) /T
>> >
>> > My issue is that a lot of the folders and subfolders (hundreds, multiple
>> > levels deep) have inheritance disabled and so permissions do not
>> > propagate down to those folders and their subfolders requiring running
>> > the same command on the level of those folders. I'm sure others have run
>> > into similar situation and I'm guessing may have developed scripts to
>> > parse all subfolders in a share with inheritance disabled to run a
>> > command against. If anyone has something handy or other suggestions
>> > besides having to re-design the fileshare I'd appreciate it.
>> >
>> >
>> > Thanks,
>> > Eugene
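
An added example, not part of the thread and not code from either poster: a PowerShell script for the situation in the original question. It walks the share, finds directories whose inheritance is disabled, and adds a full-control ACE for the group on each one without removing existing entries. The share path and group name come from the question; the parameter names and the report path are assumptions.

```powershell
# Added example (not from the thread). Run with -WhatIf first to preview.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root   = '\\fileserver\ShareA',      # share from the question
    [string]$Group  = 'DOMAIN\FullAdmins',        # group from the question
    [string]$Report = 'C:\temp\protected-directories.csv'   # assumed path
)

# Same grant as icacls (OI)(CI)(F): full control, inherited by subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

# The share root always gets the ACE. Below it, only directories with a
# protected DACL (inheritance disabled) need their own copy; everything else
# receives the ACE through inheritance from the nearest ancestor that has it.
$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse `
              -ErrorAction SilentlyContinue -ErrorVariable walkErrors)

$results = foreach ($dir in $dirs) {
    $row = [pscustomobject]@{ Path = $dir.FullName; Status = ''; Detail = '' }
    try {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        $isRoot = $dir.FullName -eq $dirs[0].FullName
        if (-not ($isRoot -or $acl.AreAccessRulesProtected)) { continue }

        $acl.AddAccessRule($rule)   # adds one ACE; existing ACEs are kept
        Set-Acl -LiteralPath $dir.FullName -AclObject $acl -ErrorAction Stop
        $row.Status = if ($WhatIfPreference) { 'WouldGrant' } else { 'Granted' }
    }
    catch {
        # Access denied, over-long paths, unresolvable group, and so on.
        $row.Status = 'Error'
        $row.Detail = $_.Exception.Message
    }
    $row
}

# Directories the walk could not enter are reported, not silently skipped.
$unreadable = foreach ($e in $walkErrors) {
    [pscustomobject]@{ Path = $e.TargetObject; Status = 'WalkError'
                       Detail = $e.Exception.Message }
}

# Write the report even during a -WhatIf run.
@($results) + @($unreadable) | Where-Object { $_ } |
    Export-Csv -LiteralPath $Report -NoTypeInformation -WhatIf:$false
```

The report lists every directory that was changed (or would be, under `-WhatIf`) along with any that could not be read, so the rows marked `Error` or `WalkError` show where the new group still has no access. Only directories are checked; individual files with inheritance disabled are not covered.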
