Recursively adding NTFS permissions
Posted on 2010-11-18
Is anyone aware of scripts or applications that will manipulate file and folder permissions easily?
I am currently working for an organization which has historically not had a very good grasp of security. I am trying to get this changed and introduce a number of best practices that have been ignored to date, one of which is the concept that administrators should not be logging on for general use with a domain admin account. I have got all their admins logging on with user accounts and using an elevated rights account to use their applications and consoles under a different context.
The one sticking point in doing this is that they are still expected to help manage the file shares across the network. However, there is only the domain admins group added in with full rights to all our folders. Ultimately I want to add a "file admin" group in so I can manage who has this responsibility but the problem is the folder structure has been built up over the past 15 years and is horrendously complex. Inheritance has been removed from many folders to protect sensitive data so I cannot just add the new group at the top level.
What I guess I am looking for is some way of recursively checking each folder and subfolder to make sure the group does not already exist (for those folders that DO still have inheritance turned on) and adding it with specific permissions for those that don't. I really don't want to even contemplate attempting this manually.