adding an admin group to files and folders

Hi, the Windows file and folder permissions on our shared drives have not been applied consistently over the years and I now need to add one of our admin groups to the permissions on every file and folder. The new admin group will have full control assigned to it.

The existing permissions structure is quite complex and I do not want to remove the existing permissions; all I want to do is add an admin group to the existing permissions. I would like some advice on how best to do this. I have tried doing it from the GUI in the past but this often falls over halfway through, leaving inconsistent permissions, so I think scripting this may be better. There is a large amount of data to go through (about 1.5TB). Although these are Windows NTFS permissions, the files and folders are on a NetApp filer; not sure that makes a difference.
arnold commented:
If you are knowledgeable/comfortable with PowerShell, use that. The older tools have a larger scope of ready-made examples that might need a few modifications.

I've some exposure to PowerShell; it seems like one has to use cmdlets in sequence.
I prefer to use scripting that is self-contained, where I have more control and which has more functions to deal with analysis of data and the application of new settings, as in your case.
I.e., check the directory: does this group have access? If not, add the group with the following rights.

You can use PowerShell to create the cataloging part, i.e., navigate through the directory structure mapping existing rights.
Are you planning to store this data in a DB or as a CSV/XML?
Presumably you may need the same to get share settings/permissions.
One thing you have to be aware of: if your shares are part of a DFS, a permission change would trigger a DFS replication, so you have to take that into account.
R. Toby Richards (Network Administrator) commented:
Why not just put this group into Domain Administrators?
You can use cacls, icacls or xcacls, depending on the one available to you and the granularity of the settings.

Using VBScript might be the best since you likely have to recurse through the directory structure, adding the group to the top folder and then checking the ones below in the event some have not set the inherit from parent. For those that have inherit from parent unchecked, you would add the group again.

The other issue deals with whether you want to reapply the addition through the structure.
R. Toby Richards (Network Administrator) commented:
You can also go into Group Policy:

Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups

Group = Builtin\Administrators
Members = YourDomain\YourGroup
carbonbase (Author) commented:
@ Toby

The admin group is for help desk people; I really don't want to give them domain admins.

@ Arnold

I would imagine there are a lot of inheritance breaks. I think it best to take a copy of the permissions before I start modifying them.

General question:

Does anyone have any experience of doing this in PowerShell, or are the old tools still the best?
R. Toby Richards (Network Administrator) commented:
Then apply my group policy suggestion to the OU(s) that contain all of the client workstations. Make sure servers and especially domain controllers are not included in those OU(s).
carbonbase (Author) commented:

I'm just trying to give an admin group permissions to all files and folders on my network drives, not to client computers.

I think I'll use icacls to back up the existing permissions, although I will also investigate using SDDL with PowerShell.

This is quite a good article:

PowerShell also does a pretty good job of listing out permissions in a more readable format, which I can export to a CSV as an extra backup.

Not using DFS for the shared folders
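
One way to script the approach discussed in this thread (back up the ACLs with icacls and a CSV, then add the group without replacing existing entries), as an added example that is not from any participant. The share path, group name and backup folder are placeholders, and `$Apply` is a hypothetical dry-run switch.

```powershell
# Added example. $Root, $Group and $OutDir are placeholders (assumptions); adjust before use.
$Root   = '\\filer\share'
$Group  = 'CONTOSO\HelpDesk-Admins'
$OutDir = "C:\AclBackup\$(Get-Date -Format 'yyyyMMdd-HHmmss')"
$Apply  = $false   # leave $false for a dry run that only reports what would change

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Backup with icacls: SDDL for everything below $Root.
#    Restore later with: icacls $Root /restore "$OutDir\acls.txt"
icacls "$Root\*" /save "$OutDir\acls.txt" /T /C | Out-Null
# The root folder itself is not covered by "$Root\*", so keep its SDDL separately.
(Get-Acl -LiteralPath $Root).Sddl | Set-Content "$OutDir\root.sddl"

# 2. Readable CSV backup, and a list of items where inheritance is disabled.
$protected = [System.Collections.Generic.List[object]]::new()
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        try   { $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop }
        catch { Add-Content "$OutDir\unreadable.txt" $_.TargetObject; return }
        if ($acl.AreAccessRulesProtected) { $protected.Add($_) }
        [pscustomobject]@{
            Path      = $_.FullName
            Protected = $acl.AreAccessRulesProtected
            Sddl      = $acl.Sddl
        }
    } | Export-Csv "$OutDir\acls.csv" -NoTypeInformation

# 3. Add the group. /grant without ":r" adds an entry and leaves existing ones alone.
#    (OI)(CI) makes the root entry inheritable, so children that inherit pick it up.
function Add-GroupAce([string]$Path, [string]$Perm) {
    if ($Apply) { icacls $Path /grant "${Group}:$Perm" /C | Out-Null }
    else        { "Would grant ${Group}:$Perm on $Path" }
}
Add-GroupAce $Root '(OI)(CI)F'

# 4. Inheritance breaks do not receive the root entry, so grant on each one explicitly.
foreach ($item in $protected) {
    $perm = if ($item.PSIsContainer) { '(OI)(CI)F' } else { 'F' }
    Add-GroupAce $item.FullName $perm
}
"Backups in $OutDir; $($protected.Count) items had inheritance disabled."
```

Run it once with `$Apply = $false` and review the output and `unreadable.txt` before setting it to `$true`.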
Question has a verified solution.