Folder AND File permissions

I have a batch file that I run to set file and folder permissions, usually when a user leaves and a new user takes their place, so I have to change the user-based permissions of work files. It works as I want except for the files in the lowest level directory.
Icacls C:\Data\Users\UserName /inheritance:r /grant:r "Domain Admins":(OI)(CI)F /grant:r "Rob":(OI)(CI)F /grant:r "mmm":(OI)(CI)F /T /C
Icacls C:\Data\Users\Rob /inheritance:r makes sure permissions for C:\Data\Users do not apply to the UserName directory--and I think this may be the cause of my problem, but I am not sure how to fix it.
All files and folders get the permissions I want them to have, but files in C:\Data\Users\UserName\My Documents\FolderName have no permissions set, while files in C:\Data\Users\UserName\My Documents\ have the proper permissions. So it seems that files in the lowest level folder have all their permissions removed.

If someone knows of a better way to do this with say powershell I am all for a solution like that too. Thanks.
Lionel MM, Small Business IT Consultant, asked:

Take a look at this:
powershell acl

I'm not certain that PowerShell is going to actually resolve this issue, but it could allow you an alternative mode of performing the same action.

I suspect this problem has something to do with the fact that in Vista and greater operating systems, the 'directory' called "My Documents" isn't actually a directory, but is a junction to the directory called "Documents", within the User's home location.

If you go into c:\Data\Users\UserName and do a 'dir -a:l', where is the location for the "My Documents" junction?

Double-check the ACLs on that folder, then see if this solves your problem.
Lionel MM, Small Business IT Consultant (Author) commented:
I already know that, but thanks--I put "My Documents" because that has become the norm for the past several years and is simply a habit. I should have been more technically correct, but thanks anyway.

I think I know what your problem is.

Your icacls command is defining explicit permissions on all the child objects and I don't think this is your goal.

If I understand your environment, you have a folder called "C:\data\users\username".

This home folder is assigned to a user called 'oldEmployee', who has Full Access to the folder and all of the contents and you want to give Full Access to the user called 'newEmployee'.

There are also two other permissions assigned, 'Domain Admins' and 'Rob'. I assume that these two will not be changing between employees.

So, the icacls command in order to remove the Full Access permission from 'oldEmployee' and grant them to 'newEmployee' will be as follows:

Remove Permission:
icacls c:\data\users\username /remove oldEmployee

Add Permission:
icacls c:\data\users\username /grant newEmployee:(OI)(CI)F

Now, given that your permissions may be sorta screwed at the moment, it maybe best to go through and get a good clean baseline permission set for all your home folders before taking this route.
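A PowerShell version of the approach Sommerblink outlines (and of the PowerShell alternative the asker and ComputerTechie mention): set the ACEs once on the home folder and let inheritance carry them down, instead of stamping explicit ACEs on every child with /T as the original icacls line does. This is an added example, not code from any participant in this thread; the path, the abc domain and the account names are assumptions taken from the question and Sommerblink's post.

```powershell
$HomeFolder = 'C:\Data\Users\UserName'           # assumed, from the question
$OldUser    = 'abc\oldEmployee'                  # assumed account names
$NewUser    = 'abc\newEmployee'
$Keep       = @('abc\Domain Admins', 'abc\Rob')  # unchanged between employees

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$full      = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# 1. Top folder: block inheritance from C:\Data\Users (so Domain Users does not
#    flow in), drop the departing user, and grant (OI)(CI)F to the others.
$acl = Get-Acl -LiteralPath $HomeFolder
$acl.SetAccessRuleProtection($true, $false)      # $false = discard inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $OldUser })) {
    [void]$acl.RemoveAccessRule($ace)
}
foreach ($id in ($Keep + $NewUser)) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $full, $inherit, $propagate, $allow)))
}
Set-Acl -LiteralPath $HomeFolder -AclObject $acl

# 2. Everything below: re-enable inheritance and strip explicit ACEs so the
#    children carry only what the top folder hands down (the "clean baseline").
Get-ChildItem -LiteralPath $HomeFolder -Recurse -Force | ForEach-Object {
    $child = Get-Acl -LiteralPath $_.FullName
    $child.SetAccessRuleProtection($false, $false)
    foreach ($ace in @($child.Access | Where-Object { -not $_.IsInherited })) {
        [void]$child.RemoveAccessRule($ace)
    }
    Set-Acl -LiteralPath $_.FullName -AclObject $child
}

# 3. Check: report any object that still carries a non-inherited ACE, or any
#    ACE for the departing user, so the result can be verified before moving on.
Get-ChildItem -LiteralPath $HomeFolder -Recurse -Force | ForEach-Object {
    $left = (Get-Acl -LiteralPath $_.FullName).Access |
        Where-Object { -not $_.IsInherited -or $_.IdentityReference.Value -eq $OldUser }
    if ($left) {
        '{0}: {1}' -f $_.FullName, (($left | ForEach-Object { $_.IdentityReference.Value }) -join ', ')
    }
}
```

Run it from an elevated session as a member of Domain Admins, since Set-Acl needs rights on every object it rewrites. Step 2 deliberately wipes explicit ACEs below the home folder, so try it on one home folder first and review the step 3 output before applying it to the rest.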
Lionel MM, Small Business IT Consultant (Author) commented:
Sommerblink--no, that is not what I am trying to do--the solution ComputerTechie gave me may work, but the link he gave me is general in nature and does not address my actual problem, so I must go through that and understand it and then try to apply it to my situation and see if it works, but it is not easy to grasp and implement.
In my last post, while performing the steps in your original post, I think I recreated your exact problem and then I solved the permission problem with the examples I gave.  Perhaps I didn't. Can you please provide the output of icacls for both a file and the folder containing that file you're having problems with? I want to see what the actual permissions look like. Please indicate the user account name that you are attempting to access the file with.

As far as PowerShell versus icacls... they are equal in regards to NTFS permissions, because NTFS permissions are your problem, not the method by which you manipulate them.

Also, if you're looking for a simple solution to this, without having to dig through this permission problem manually, the program User Profile Manager or User Profile Wizard from ForensiT ( might be a great tool. You can try it out for free to see if it meets your needs before you buy it.
Lionel MM, Small Business IT Consultant (Author) commented:
Here are the results--on this folder domain users and domain admins need full access
icacls C:\Data\Users
C:\Data\Users abc\lmm:(OI)(CI)(F)
              abc\Domain Admins:(OI)(CI)(F)
              abc\Domain Users:(OI)(CI)(F)
On folders below it Domain admins must have full access but not domain users--only specified users
icacls C:\Data\Users\rob
C:\Data\Users\rob abc\lmm:(OI)(CI)(F)
                  abc\Domain Admins:(OI)(CI)(F)
                  abc\Domain Users:(OI)(CI)(F)

This folder is missing permissions for user Rob and should not have permissions for domain users--these either need to be removed or not inherited.
Lionel MM, Small Business IT Consultant (Author) commented:
Any further suggestions please?

Lionel MM, Small Business IT Consultant (Author) commented:
Answered all the questions asked of me, but no solution was provided.