Adding a single permission to folder structure without changing existing permissions, inheritance, or ownership settings

After reading this article - http://www.experts-exchange.com/articles/17526/Windows-File-Server-Folder-ownership-problems-and-resolution.html -  I found this utility - https://helgeklein.com/setacl/ that has a ton of features such as allowing one to assign static permissions to an existing ACL without affecting existing folder permissions, inheritance or ownership settings as an alternative to taking ownership of a folder and breaking existing permissions.

For example, for a directory that I did not have access to even as a Domain Admin, the command:

setacl -on "D:\example" -ot file -actn ace -ace "n:Domain Admins;p:full"

added Full Control permissions for the Domain Admin group to the D:\example folder.

I have several deep folder structures that have horribly broken permissions (a scenario I have inherited) and I have to migrate these files and folders  with the EOL of Windows Server 2003.  I don't want to break any of the existing permissions as these are going to eventually be completely redone, but access is otherwise what it's supposed to be.  I obviously need permissions to the folders that I can't get to in order to perform the migration.  

With the idea of inheritance, I don't want to change that, or ownership, on any existing folders, but still need to somehow add and propagate the single permission of Full Control of Domain Admins to each folder within entire folder structure.  

Having come across this tool, I thought it might be possible to possibly script this to assign Full Control to Domain Admins to any folder without affecting the existing permissions, folder inheritance or ownership settings.  

I have seen references to other tools such as ICACLS, but don't know if that is appropriate for what I'm attempting to accomplish.  I would appreciate any insight on this matter as I don't have a lot of experience with tools like these.  I already have a Robocopy script put together to copy the files.  I'm just trying to get passed the dreaded 'Access Denied' problems that are inevitable.

Thank you in advance.
LVL 3
djhathAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Uptime Legal SystemsCommented:
icacls is built in to Windows and will do what you need.  

To add permission to a series of folders in a specific directory you can run:
icacls * /grant UserName:(F)

If you add the /T flag, it will propagate through to all the sub directories.

What you may want to do is this:

-Create a new user called CopyAdmin
-Browse to the root level where you want to apply the permissions in command prompt
-Now add CopyAdmin to the files
icacls * /grant CopyAdmin:(F) /t

Open in new window

-Perform the copy as CopyAdmin
-After the copy completes, you can then run icacls again to remove all instances of CopyAdmin on the files
djhathAuthor Commented:
Thank you, UptimeSystems. I will give that a shot tonight.
djhathAuthor Commented:
There are folders and files to which I am receiving 'Access is Denied' ... I presume it's a combination of the ownership not being right which is not allowing to edit permissions. I am running from an elevated command prompt.
Active Protection takes the fight to cryptojacking

While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.

Lionel MMSmall Business IT ConsultantCommented:
Since your main goal is to leave the current permissions and ownership in place you may want to first run
ICACLS D:\Example /save c:\Utils\Save.txt /T /C /L
This way if things go wrong you can use the /restore to get the settings back to what they were. Type icacls /? to see given examples at the end. You can also type
ICACLS D:\Example
to see what the current settings are and help you figure out why you are getting the access denied errors. But my guess is that your assessment is right that there are existing permissions you will have to overwrite to get the full control that you want. I suggest you take ownership first and then see if that will allow you to add F
ICACLS d:\example /setowner "Domain admins" /T

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Uptime Legal SystemsCommented:
Yes- you're going to have to pull the trigger and take ownership of those files, but if you do so as Domain Admins it shouldn't cause any problems on typical flat-files.

I agree, you can do an icacls /save, but it would revert the files in place rather than the ones copied.  But that would allow you to turn back ownership after you copy over the files using /restore.
djhathAuthor Commented:
Thank you for the continued input. A clarification I would like - I know from experience that manually taking ownership while  browsing the folder security properties will reset the NTFS permissions, however I thought I read that if you use a tool like icacls with the take ownership switch at the command line, it won't change the existing permissions. Is this the case? If so, would it be feasible to run icacls with the take ownership switch, then re-run to add Full Access permissions?
Lionel MMSmall Business IT ConsultantCommented:
Taking ownership will change permissions if the user who is taking ownership does not have any assigned permissions or if the assigned permission are not enough to be the owner. It will not affect other users or groups (it can but a more complicated explanation that  seems irrelevant to your current situation would be required). And in answer to other question Yes you can use the take ownership and the assign FC permission in two different icacls commands. In most case that is what I do so as to see the results of each action seprately.
djhathAuthor Commented:
It's not entirely irrelevant as I want to preserve permissions so as to affect availability for those who already have access.   I was starting to consider icacls for migrating roaming profiles that are also stored on this server, but I think that's a different question with a different process.
Lionel MMSmall Business IT ConsultantCommented:
I have already given you a way to save existing permissions just in case things go wrong and the icacls commands I gave you did not include the /replace command; instead it will "add to" existing permissions. But as stated permissions can change when you take ownership. And since you plan to eventually redo this all you might as well start building an ongoing script to include all the users and groups you want to assign permissions to.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.