Thanks again, this maybe the way to go for me. I ran an export that generated a list of 8500+ folders with a few errors that I'll have to look into first before I start testing against a smaller share.
On Tue, Jan 26, 2016 at 5:38 PM, Kurt Buff <[email protected]> wrote: > Actually, I'd like to refine the interim advice... > > Try something like this: > > get-childitem -directory -recurse | get-acl | export-csv -notype > c:\temp\directorySecurity.csv > > That will give you the ACLs, and you can modify them as needed, then > do something like: > > import-csv c:\temp\directorySecurity.csv | set-acl > > Again - I haven't tested it, so it's almost certainly not the best or > correct syntax, but that's the general idea. > > Kurt > > On Tue, Jan 26, 2016 at 1:50 PM, Eugene Lipsky <[email protected]> wrote: > > Thanks Kurt. > > > > Fixing the bigger problem is not currently in scope but delegating admin > > access to the share is. > > > > Eugene > > > > On Tue, Jan 26, 2016 at 3:34 PM, Kurt Buff <[email protected]> wrote: > >> > >> Here's your big mistake: "Break Inheritance" > >> > >> Don't do that - as a matter of fact, fix that. There are at least two > >> ways to fix that problem: > >> o- Yank the directories that have broken inheritance far enough > >> up the directory tree that the permissions can be assigned rationally > >> or, > >> o- Re-enable inheritance all the way down the tree, but use > >> settings like "This folder only", so that traversal works. > >> > >> Which you choose depends on preference and circumstance - each has its > >> benefits and problems - but you'll have a much more maintainable set > >> of directories after you're done. > >> > >> I do understand that doing the first one will cause consternation for > >> the folks who have gotten used to seeing things laid out a certain > >> way, but if you have problems with file/directory names that are too > >> long, or if there are other problems with things not being well > >> organized, then flattening the directory structure can be a boon in a > >> very short amount of time. > >> > >> In the interim, using something like this in powershell (I haven't > >> tested this, so you'll have to) might work: > >> get-childitem \\server\share -directory -recurse | export-csv > >> -notype c:\temp\directories-to-be-modified.csv > >> > >> Then edit that to add your ACLs to the CSV file, and import-csv to > >> set-acl. > >> > >> Kurt > >> > >> On Tue, Jan 26, 2016 at 12:02 PM, Eugene Lipsky <[email protected]> > wrote: > >> > I have a fileshare that I'd like to add a new security group to and > give > >> > it > >> > full admin rights to all the subfolders/files without changing any of > >> > the > >> > existing permissions. So far I've been attempting to do this via the > >> > following icacls command: > >> > > >> > icacls "\\fileserver\ShareA\*" /grant DOMAIN\FullAdmins:(OI)(CI)(F) /T > >> > > >> > My issue is that a lot of the folders and subfolders (hundreds, > multiple > >> > levels deep) have inheritance disabled and so permissions do not > >> > propagate > >> > down to those folders and their subfolders requiring running the same > >> > command on the level of those folders. I'm sure others have run into > >> > similar > >> > situation and I'm guessing may have developed scripts to parse all > >> > subfolders in a share with inheritance disabled to run a command > >> > against. If > >> > anyone has something handy or other suggestions besides having to > >> > re-design > >> > the fileshare I'd appreciate it. > >> > > >> > > >> > Thanks, > >> > Eugene > >> > >> > > > > >
