Windows – Grant MODIFY on “All Subfolders and Files” with icacls, but only give Read to top level folder

Tags: file-permissions, icacls, powershell, scripting, windows

One of our Windows servers that has some user folders on it has some pretty screwed up permissions. What I want is for SYSTEM and Domain Admins to have full control of all folders. I want the users to have read only on the top-level folder (which is their home folder) and modify on all subfolders and files. This can easily be accomplished through the GUI, but I can't figure out how to script it.

I'm calling icacls from my PowerShell script, because get-acl and set-acl are a major PITA. If I have to use them, I'm not opposed to it, but I imagine that calling icacls will be easier. This is the relevant code that I have so far:

# Double quotes so $domain and $user expand; ${user} is braced because "$user:" would otherwise be read as a scope/drive qualifier
icacls.exe $folder /grant "$domain\${user}:(OI)(CI)(M)"
icacls.exe $folder /grant "SYSTEM:(OI)(CI)(F)"
icacls.exe $folder /grant "$domain\domain admins:(OI)(CI)(F)"

As you can see, I'm giving modify to the user for everything with icacls.exe $folder /grant "$domain\${user}:(OI)(CI)(M)". I can't figure out how to make that Modify apply only to subfolders and files while granting read-only to the top level folder.

The desired permission structure would look like this (just for clarity):

-Users  
--M  
---Marra (read only to me)  
----Documents (Modify)  
----Scripts (Modify)  
----Etc (Modify)  

What is the right icacls syntax for this, or how can I do it natively in PS with set-acl?

Best Answer

Change the first line of your script to the following to have it apply only to subfolders and files.

icacls.exe $folder /grant "$domain\${user}:(OI)(CI)(IO)(M)"

Then apply this to the top folder.

icacls.exe $folder /grant "$domain\${user}:(R)"
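Putting the accepted answer together into a script that also checks icacls exit codes and reads the resulting ACEs back, as an added example (not code from the question or the answer); the parameter names, the Invoke-Icacls and Get-TrusteeAces helpers and the sample values are my own placeholders:

```powershell
# Added example, not code from the question or the accepted answer.
# Assumes $Folder, $Domain and $User are supplied by the caller (placeholder values).
param(
    [Parameter(Mandatory)] [string] $Folder,   # e.g. D:\Users\M\Marra
    [Parameter(Mandatory)] [string] $Domain,   # e.g. CONTOSO
    [Parameter(Mandatory)] [string] $User      # e.g. marra
)

# ${User} is braced: inside a double-quoted string PowerShell would otherwise
# try to read "$User:" as a drive/scope-qualified variable name and fail.
$UserTrustee   = "$Domain\${User}"
$AdminsTrustee = "$Domain\Domain Admins"

function Invoke-Icacls {
    # Run icacls with the given arguments and stop on a non-zero exit code.
    param([string[]] $Arguments)
    $output = & icacls.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed with exit code ${LASTEXITCODE}:`n$output"
    }
    $output
}

# Full control for SYSTEM and Domain Admins on the folder and everything below it.
Invoke-Icacls -Arguments $Folder, '/grant', 'SYSTEM:(OI)(CI)(F)'
Invoke-Icacls -Arguments $Folder, '/grant', "${AdminsTrustee}:(OI)(CI)(F)"

# Modify for the user as an inherit-only ACE: (IO) means it does not apply to
# $Folder itself, only to the subfolders and files that inherit it.
Invoke-Icacls -Arguments $Folder, '/grant', "${UserTrustee}:(OI)(CI)(IO)(M)"

# Read on the top-level folder only: no (OI)/(CI), so nothing below inherits it.
Invoke-Icacls -Arguments $Folder, '/grant', "${UserTrustee}:(R)"

# Verify: list the user's ACEs on the top folder and on one child folder.
# Expected on $Folder: one "...:(R)" line and one "...:(OI)(CI)(IO)(M)" line.
# Expected on a child folder: an inherited ACE such as "...:(I)(OI)(CI)(M)".
function Get-TrusteeAces {
    param([string] $Path, [string] $Trustee)
    (Invoke-Icacls -Arguments $Path) -match [regex]::Escape($Trustee)
}
Get-TrusteeAces -Path $Folder -Trustee $UserTrustee
Get-ChildItem -Path $Folder -Directory | Select-Object -First 1 | ForEach-Object {
    Get-TrusteeAces -Path $_.FullName -Trustee $UserTrustee
}
```

Note that /grant adds to whatever ACEs the folder already has; it does not remove the existing, "screwed up" entries, which is a separate clean-up step.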