Help with Bulk Folder Permission Change:

We have a "master project folder" of sorts on our network.
In that project folder are sub-folders numbered 1-9.  
The folders numbered 1-9 have different permissions based on the number.  
For example folder 1 may allow the accounting dept modify rights while folder 2 may allow the purchasing dept modify rights.
When we open a certain internal webpage, we can create a new project folder by entering a name for the new project.
A script then copies the "master project folder" and all sub-folders to the network location it's supposed to and gives it the name we typed in earlier.
The permissions have already been assigned to the "master project folder" and all sub-folders so the permissions are copied as well.
The issue we are having here is that users are accidentally dragging/dropping entire project folders into other project folders by mistake.
I'd like to prevent this by removing modify rights at the root level.
While I can easily make changes to the "master folder" so all future projects have the permissions I want, there are many folders that are already on the network.
Any idea how I can modify the permissions of each project folder already on the network without removing the inherited permissions that are being applied to the sub-folders?

So to give you a hypothetical, here is the current permissions set for a project:
Project ABC (accounting, purchasing and drafting have modify rights - all others have read only)
Folder 1 (accounting, purchasing and drafting - modify rights)
Folder 2 (accounting - modify rights - all other groups - read only)
Folder 3 (purchasing - modify rights - all other groups - read only)

This is what I'd like to be:
Project ABC (read only for everyone)
Folder 1 (accounting, purchasing and drafting - modify rights)
Folder 2 (accounting - modify rights - all other groups - read only)
Folder 3 (purchasing - modify rights - all other groups - read only)

I've used Subinacl in the past but I don't know if there is a way to accomplish what I want.

Lionel MM (Small Business IT Consultant) commented:
Yes you can do this--you can remove inherited permissions from just one folder and change permissions on just one folder. You can add this to your script. These may be helpful:
You can run ICACLS F:\Folder to see what the current permissions are
Then run ICACLS T:\Folder /INHERITANCE:R to remove the inheritance on that folder only
You can then add permissions for that folder as you desire, for example
ICACLS T:\Folder /GRANT Administrators:(CI)(OI)F (full rights to administrator)
Inheritance rights may precede either form and are applied only to directories:
        (OI) - object inherit
        (CI) - container inherit
        (IO) - inherit only
        (NP) - don't propagate inherit
        (I) - permission inherited from parent container
Example: ICACLS T:\Folder /GRANT User1:(NP)M (this will give user1 modify rights but will not affect inheritance (the (NP)))
And these are the rights you can assign:
        N - no access
        F - full access
        M - modify access
        RX - read and execute access
        R - read-only access
        W - write-only access
        D - delete access

You can always re-run ICACLS T:\Folder to see how permissions and inheritance are being affected.
homerslmpson (Author) commented:
This looks like it will work but is a bit confusing.
How about I give you a more realistic example and you tell me how this would be accomplished using iCACLS?

P:\Projects\Job Number 1 (root)
P:\Projects\Job Number 1\Sales\...
P:\Projects\Job Number 1\Purchasing\...

P:\Projects\Job Number 2 (root)
P:\Projects\Job Number 2\Sales\...
P:\Projects\Job Number 2\Purchasing\...

In the example above, the Job Number root folders (P:\Projects\Job Number 1 and P:\Projects\Job Number 2) have a set of base permissions.  These base permissions are applied to all sub-folders and files so that the sub-folders and files have a foundation of sorts.  
The Sales folder then gets additional permissions as does the Purchasing folder.

If I want to change the Job Number 1 and Job Number 2 permissions without affecting the permissions on the folders/files below, how would I do that?  

Let's just say for the sake of simplicity I wanted to alter the "Job Number" root folders to give DomainABC\Administrator full access and DomainABC\UserA modify rights. Everyone else would have read access.

I'd like the Sales folder and Purchasing folder permissions to remain unchanged.  

The only permissions being changed would be the root Project folders.

Any insight would be appreciated.
Lionel MM (Small Business IT Consultant) commented:
So you want everything to stay the same except you want to change P:\Projects to restrict access to the folder and prevent users from adding or creating folders in P:\Projects?
homerslmpson (Author) commented:
Yes. That is what I'd like to do.

I simply need to ask the programmer to let me know what user account the webpage script runs as when the project folders are created so that the script continues to work.
homerslmpson (Author) commented:
Any update on this?
Sorry to be such a pain but it seemed like you actually had a solution for me.
Lionel MM (Small Business IT Consultant) commented:
Yes, so sorry--work just got really busy and just can't seem to get caught up. Will try to get something to you soon.
Lionel MM (Small Business IT Consultant) commented:
ICACLS P:\Projects /GRANT User1:R
This will give the user User1 READ access rights to the folder P:\projects and will not affect folders below it. If you have a group that all the users belong to you can replace user1 with a user group name. They will be able to see this folder but not add, delete, or change anything in it. Keep in mind this will not change existing permissions on folder P:\Projects but will add this permission to it.
homerslmpson (Author) commented:
I appreciate you taking the time to get back to me.

This is what I'd like to do but am unsure if this is possible:

- Remove ALL permissions to each project folder in the P drive
- Grant the "Authenticated Users" group read-only access to each project folder
- Grant the "Administrators" group full-control
(without having these changes apply to the sub-folders of each project)

I found out that the folder CREATION script is run under the Administrator user account so if we REMOVE all current permissions, GRANT the "Administrators" group full control and everyone else read-only rights, everything should work out properly.
Lionel MM (Small Business IT Consultant) commented:
OK I will work on this for you but I must warn you that you must be very careful when applying this. You say you want to remove all permissions from P:\Projects\Job Number 1; to do this you must remove inheritance (permissions from directory above, namely P:\projects) and remove any other folder specific permissions. That will leave the folder P:\Projects\Job Number 1 temporarily inaccessible and so what you add next will be critical so test it first before doing it live.
To remove use icacls "P:\Projects\Job Number 1" /remove:g user1 group1 user2 /inheritance:r
You will need to know what the specific permissions are for P:\Projects\Job Number 1 if it has permissions that are more than that which is inherited -- if only inherited permissions then all you will need is icacls "P:\Projects\Job Number 1" /inheritance:r
Now you need to add permissions that will only affect folder "P:\Projects\Job Number 1" .
icacls "P:\Projects\Job Number 1" /grant Administrators:(NP)F /grant "Authenticated Users:"(NP)R
where the (NP) is telling it to apply only to this folder and not the ones below it
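
A bulk version of the steps in the answer above, for every project folder that already exists, as an added example that is not part of the thread. It assumes each project is a direct child of P:\Projects and that the built-in group names are the English ones; the C:\AclBackup location and the -Apply switch are hypothetical. Without -Apply it only reports what it would remove.

```powershell
# Added example (not from the thread). Dry run by default; pass -Apply to change ACLs.
param(
    [string]$ProjectsRoot = 'P:\Projects',    # path used in the thread's example
    [string]$BackupDir    = 'C:\AclBackup',   # hypothetical backup location
    [switch]$Apply
)

# Principals that keep access on each project root (English names assumed).
$keep = 'BUILTIN\Administrators', 'NT AUTHORITY\Authenticated Users'
$null = New-Item -ItemType Directory -Path $BackupDir -Force

foreach ($project in Get-ChildItem -LiteralPath $ProjectsRoot -Directory) {
    $path = $project.FullName

    # Explicit (non-inherited) ACEs on the project root that would be removed.
    $others = @((Get-Acl -LiteralPath $path).Access |
        Where-Object { -not $_.IsInherited -and $keep -notcontains $_.IdentityReference.Value } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    if (-not $Apply) {
        Write-Host "[dry run] $path : would remove $($others -join ', ')"
        continue
    }

    # Save the ACLs of the whole tree first. Sub-folder ACEs inherited from this
    # folder change when its inheritable ACEs are removed, so /T is included.
    # Restore with: icacls "<ProjectsRoot>" /restore "<backup file>"
    $backup = Join-Path $BackupDir ($project.Name + '.acl')
    icacls $path /save $backup /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Backup failed, skipping $path"; continue }

    # Remove inheritance and add the two new ACEs in one call, then strip the
    # old explicit ACEs, so Administrators always has an entry on the folder.
    icacls $path /inheritance:r /grant:r 'Administrators:(NP)F' 'Authenticated Users:(NP)R' | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Grant failed, skipping $path"; continue }

    foreach ($id in $others) {
        # icacls takes raw SIDs (unresolved accounts) with a leading asterisk.
        $sid = if ($id -like 'S-1-*') { "*$id" } else { $id }
        icacls $path /remove $sid | Out-Null
    }

    icacls $path    # print the resulting ACL for review
}
```

Run it against a copy of one project first and compare the sub-folder output of icacls before and after, since sub-folders lose any entries they were inheriting from the project root.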
homerslmpson (Author) commented:
Thanks for your help.
Lionel MM (Small Business IT Consultant) commented:
You're welcome I hope you got it to work as you wanted.