Server 2012 R2. Add permissions to all folders and subfolders when inheritence is disabled

file-permissionsfilesystemspermissionswindows-server-2012

I need to add full permissions for a specific group of users to all folders/files and subfolders on our file server without changing other permissions.

Few years ago someone removed "Administrators" group from our folder infrastructure on the file server and all the new folders have been created with "Domain Admins" rights.
Now I have created a dedicated Active directory group which is a member of local administrators on the file server but I cannot give this group access to all folders and subfolders because inheritance is disabled on many subfolders and files. I am aware that I can add this group manually for every folder where inheritance is disabled but we are talking here about few hundreds folders. So is it possible to give this new AD group full access to all folders on the file server?

Best Answer

You might use icacls.exe

For example:

icacls "<root folder>" /grant "Domain Admins":F /t

would add Full Access to the "Domain Admins" group to the "root folder" and every folder within.

If you add ":r" after Grant then the permissions would be replaced instead of being added.

 icacls "<root folder>" /grant:r "Domain Admins":F /t

The basic permissions are:

Full Control (F)
Modify (M)
Read & Execute (RX)
List Folder Contents (X,RD,RA,REA,RC)
Read (R)
Write (W)

Advanced permissions are:

Full Control (F)
Traverse folder / execute file (X)
List folder / read data (RD)
Read attributes (RA)
Read extended attributes (REA)
Create file / write data (WD)
Create folders / append data (AD)
Write attributes (WA)
Write extended attributes (WEA)
Delete subfolders and files (DC)
Delete (D)
Read permissions (RC)
Change permissions (WDAC)
Take ownership (WO)

You can also specify the inheritance for the folders:

This folder only
This folder, subfolders and files (OI)(CI)
This folder and subfolders (CI)
This folder and files (OI)
Subfolders and files only (OI)(CI)(NP)(IO)
Subfolders only (CI)(IO)
Files only (OI)(IO)

Related Solutions

Powershell – User permissions added with set-acl do not get inherited to files and subfolders

Needs more inheritance flags; the constructor you're using to create the ACE by only passing three arguments doesn't specify how the ACE should inherit.

Try this:

$Ar = New-Object system.Security.AccessControl.FileSystemAccessRule($user_account, "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")

Add permissions for a usergroup to all domainprofiles (roaming profiles) on server 2008 R2

First of all, please make sure the policy "Allow Administrator group to Roaming Profiles" is applied to client pc, run "gpupdate /force" or restart the clients pc.

This article explains how to set that policy (make sure it is set on your OU with your computers in.)

The way I would transfer your profiles to your new server is to : log onto a client pc so the current profile is loaded, then change the profile patch in Active Directory to the location on your new server. (while the user is logged on) now when the user logs off the profile should copy from the client to your new server.

This will only work if the computers and servers are on the same domain.

Best Answer

Related Solutions

Powershell – User permissions added with set-acl do not get inherited to files and subfolders

Add permissions for a usergroup to all domainprofiles (roaming profiles) on server 2008 R2

Related Topic