Folder AND File permissions

I have a batch file that I run to set file and folder permissions, usually when a user leaves and a new user takes their place and I have to change the user-based permissions of work files. It works as I want except for the files in the lowest level directory.
Icacls C:\Data\Users\UserName /inheritance:r /grant:r "Domain Admins":(OI)(CI)F /grant:r "Rob":(OI)(CI)F /grant:r "mmm":(OI)(CI)F /T /C
Icacls C:\Data\Users\Rob /inheritance:r makes sure permissions for C:\Data\Users does not apply to the UserName Directory--and I think this may be the cause of my problem but not sure how to fix it.
All files and folders get the permissions I want them to have, but files in C:\Data\Users\UserName\My Documents\FolderName have no permissions set, while files in C:\Data\Users\UserName\My Documents\ have the proper permissions. So it seems that files in the lowest level folder have all their permissions removed.

If someone knows of a better way to do this with say powershell I am all for a solution like that too. Thanks.
Lionel MM
Take a look at this:
powershell acl

I'm not certain that PowerShell is going to actually resolve this issue, but it could allow you an alternative mode of performing the same action.

I suspect this problem has something to do with the fact that in Vista and greater operating systems, the 'directory' called "My Documents" isn't actually a directory, but is a junction to the directory called "Documents", within the User's home location.

If you go into c:\Data\Users\UserName and do a 'dir /a:l', where is the location for the "My Documents" junction?

Double-check the ACLs on that folder, then see if this solves your problem.
Lionel MM
I already know that but thanks--I put "My Documents" because that has become the norm for the past several years and is simply a habit. I should have been more technically correct but thanks anyways.
I think I know what your problem is.

Your icacls command is defining explicit permissions on all the child objects and I don't think this is your goal.

If I understand your environment, you have a folder called "C:\data\users\username".

This home folder is assigned to a user called 'oldEmployee', who has Full Access to the folder and all of the contents and you want to give Full Access to the user called 'newEmployee'.

There are also two other permissions assigned, 'Domain Admins' and 'Rob'. I assume that these two will not be changing between employees.

So, the icacls command in order to remove the Full Access permission from 'oldEmployee' and grant them to 'newEmployee' will be as follows:

Remove Permission:
icacls c:\data\users\username /remove oldEmployee

Add Permission:
icacls c:\data\users\username /grant newEmployee:(OI)(CI)F

Now, given that your permissions may be sorta screwed at the moment, it may be best to go through and get a good clean baseline permission set for all your home folders before taking this route.
Lionel MM
Sommerblink--no, that is not what I am trying to do--the solution ComputerTechie gave me may work, but the information in the link he gave me is general in nature and does not address my actual problem, so I must go through it, understand it, and then try to apply it to my situation and see if it works, but it is not easy to grasp and implement.
In my last post, while performing the steps in your original post, I think I recreated your exact problem and then I solved the permission problem with the examples I gave.  Perhaps I didn't. Can you please provide the output of icacls for both a file and the folder containing that file you're having problems with? I want to see what the actual permissions look like. Please indicate the user account name that you are attempting to access the file with.

As far as PowerShell versus icacls... they are equal in regards to NTFS permissions, because NTFS permissions are your problem, not the method by which you manipulate them.

Also, if you're looking for a simple solution to this, without having to dig through this permission problem manually, the program User Profile Manager or User Profile Wizard from ForensiT might be a great tool. You can try it out for free to see if it meets your needs before you buy it.
Lionel MM
Here are the results--on this folder domain users and domain admins need full access
icacls C:\Data\Users
C:\Data\Users abc\lmm:(OI)(CI)(F)
              abc\Domain Admins:(OI)(CI)(F)
              abc\Domain Users:(OI)(CI)(F)
On folders below it Domain admins must have full access but not domain users--only specified users
icacls C:\Data\Users\rob
C:\Data\Users\rob abc\lmm:(OI)(CI)(F)
                  abc\Domain Admins:(OI)(CI)(F)
                  abc\Domain Users:(OI)(CI)(F)

This folder is missing permissions for user Rob and should not have permissions for domain users--these either need to be removed or not inherited.
Lionel MM
Any further suggestions please?

Lionel MM
Answered all the questions asked of me but no solution was provided.
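
Added example, not posted by anyone in the thread: a PowerShell version of the approach discussed above, which sets the explicit, non-inherited ACL on the home folder only and resets every file and subfolder below it to inherit from that folder, instead of stamping explicit ACEs on each child with /T. The folder path and the abc\ account names are placeholders based on the thread's examples, and the script assumes an elevated session under an account with Full Control on the tree.

```powershell
# Added example: path and account names are placeholders based on the thread.
$HomeFolder  = 'C:\Data\Users\UserName'
$FullControl = 'abc\Domain Admins', 'abc\Rob'

$flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop  = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# 1. Home folder only: stop inheriting from C:\Data\Users (drops Domain Users),
#    clear existing explicit ACEs, then grant (OI)(CI)F to the listed accounts.
$acl = Get-Acl -LiteralPath $HomeFolder
$acl.SetAccessRuleProtection($true, $false)   # protect DACL, discard inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
foreach ($account in $FullControl) {
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new($account, 'FullControl', $flags, $prop, $allow)
    $acl.AddAccessRule($ace)
}
Set-Acl -LiteralPath $HomeFolder -AclObject $acl

# 2. Everything below: re-enable inheritance and remove explicit ACEs so each
#    file and subfolder takes its permissions from the home folder.
#    Reparse points (junctions such as "My Documents") are left alone.
$children = Get-ChildItem -LiteralPath $HomeFolder -Recurse -Force |
    Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::ReparsePoint) }
foreach ($item in $children) {
    $childAcl = Get-Acl -LiteralPath $item.FullName
    $childAcl.SetAccessRuleProtection($false, $false)   # inherit from parent again
    foreach ($ace in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$childAcl.RemoveAccessRule($ace)
    }
    Set-Acl -LiteralPath $item.FullName -AclObject $childAcl
}

# 3. Report anything that still has no ACEs or is still blocking inheritance.
foreach ($item in $children) {
    $check = Get-Acl -LiteralPath $item.FullName
    if ($check.Access.Count -eq 0 -or $check.AreAccessRulesProtected) {
        '{0}  protected={1}  aces={2}' -f $item.FullName, $check.AreAccessRulesProtected, $check.Access.Count
    }
}
```

An empty report from step 3 means every file and subfolder now shows only inherited entries, which can be confirmed with icacls on a file in the deepest folder.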
