On my network share, how can I prevent users from creating folders that exclude Administrator permissions?

I am using Robocopy to backup our network share's files and folders.  The files and folders all have a complex and carefully laid out set of ACLs/permissions that I need to preserve.

However, Robocopy came across whole directories of files that it couldn't copy, because of "Error 5: Access is denied."  When I examined them closer, I found that they were files contained in folders that users had created themselves, and therefore did not have any domain administrator permissions or ownership.

Is there any way that I can allow users to create folders with fine tuned permissions, but still enforce/propagate Administrator ownership or privileges for all files and folders on the network share?
LVL 5
KTN-ITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

RobinHumanCommented:
Have you checked that the administrator permissions on the primary folder include inheritance to all subfolders? (it is a tick box which allows the permissions to be propogated to all sub-folders)
0
KTN-ITAuthor Commented:
Is this what you mean?  (See picture)

The problem is, at many points down in the folder hierarchy, permission inheritance has been discontinued, and different permissions propagate from that point.

This is fine, but I wonder if there's some way (like with a powershell script or something) that I could recurse through all the files and folders and just add the administrator in (at least with read access so I can backup with Robocopy), without altering any of the other custom permissions that are established.
Clipboard01.gif
0
Henrik JohanssonSystems engineerCommented:
Try the following command
C:\>cacls C:\PathToFolder /C /E /T /G administrators:F
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
KTN-ITAuthor Commented:
That's what I was looking for.

The Powershell command is Set-Acl, but it doesn't seem quite as simple and straightforward as cacls, because it doesn't have any switch to automatically process all subfolders and files.

Good resource:
http://www.ss64.com/nt/cacls.html
0
KTN-ITAuthor Commented:
Thanks!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Project Management

From novice to tech pro — start learning today.