It could be scripted I guess. I can see possible issues due to timing on a recursive loop through the sub directories Had a word with someone I work with and the pointed me in the direction of SetACL could possibly achieve what you are looking for

The problem I have found with the Icacls command {icacls \\server\share /grant administrators:(oi)(ci)(f) /t} is that if I don't already have full control of the share I get access denied. Thanks, Dan

Its not a problem with ICacls, if you dont have permission to grant some one access, you wont be able to do it using any tool. If you are administrator, you might try taking ownership of the objects using Takeown.exe and then try Icacls.-CrDev Blogs: http://blogs.msdn.com/b/satyem

I think I had something like this happen awhile ago. If I remember correctly i used the AT command coupled with Icalcs in order to spawn the job as local system and readd the security. that was on 2003 server. I think you can do the same thing on 2008 using a scheduled task

Its not a problem with ICacls, if you dont have permission to grant some one access, you wont be able to do it using any tool. If you are administrator, you might try taking ownership of the objects using Takeown.exe and then try Icacls. -CrDev Blogs: http://blogs.msdn.com/b/satyem Is there a way to make takeown not erase the current acls? Also I am an administrator on the server.

Wouldn't the System account need to be on the folders/files with full control? I should aslo add from the GUI I can go folder by folder and file by file doing exactly what I am describing. Take ownership then go back into the securities and add the administrators group back in there without disturbing current acls on the object. So I know there has to be some way to automate this through some type of command(s), scripting, program, or something. Thank you, Dan

I have just created a folder on a machine, removed all permissions from it. Then logged onto the local machine used icalcs and added permissions to it. Try logging on to the server locally, instead of tagetting a network share to see if you have diffrent results.

I have an issue where the local administrators and system account has been removed from the ACLS on a folder structure. This folder structure has inheritance is broken with separate ACLS set on those folders. Also to complicate maters the local administrators are not set as the owner of the folders or files. I need a way to add the local server administrators group to all files and folders in the directory structure without destroying the current ACLS in place. We have estimated that there are over 5 million objects in the directory structure. I took a copy of the folder into a test environment and it took 2 weeks to take ownership and replace the acls on all child objects. Any help, suggestions, or advise would be very much appreciated, Dan

From the local machine I created a test folder and made the domain users the owner. Added domain users and a few other accounts to the securities, removed administrators and system form the securities. Then I did the following command. C:\Documents and Settings\Administrator\My Documents>icacls test /grant administrators:(ci)(oi)(f) test: Access is denied. Successfully processed 0 files; Failed processing 1 files If I use the takeown it will clear the current acls and replace them with just administrators with full control. However like I said before i can use the GUI go in and take ownership of just that object. If I do that the acls stay as they are and I can just add administrators at that point.

It could be scripted I guess. I can see possible issues due to timing on a recursive loop through the sub directories Had a word with someone I work with and the pointed me in the direction of SetACL could possibly achieve what you are looking for

Is takeown.exe removing the already set ACLs on the object? I just tried on the one test folder(takeown.exe /R /F TestFolder) and it just changed the Owner but did not remove the existing ACLs. Can you try this on some test folder? -CrDev Blogs: http://blogs.msdn.com/b/satyem Yea. It actually says in it's warning message "replace current permissions with one that gives you access". I have looked over the SetAcls program. This looks like it will do exactly what we want. We are going to run some testing in the sandbox environment tonight. Thank you everyone for your very fast and very helpful replies.

Also keep in mind when I am running the takeown.exe command I am an administrator on the local server. However the users have taken ownership and have removed system and administrators from the security tab. So essentially I have no access to the folder what so ever.

:) glad thats helped

You can use Icacls.exe to add to the user permissions as mentioned in this thread http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/dbf98ace-a53c-47d8-8633-2760fae1f241. To recursively grant the permission to all sub folders and files under the tree you can use '/t' switch with icacls.exe command. hope this helps.-CrDev Blogs: http://blogs.msdn.com/b/satyem

Is takeown.exe removing the already set ACLs on the object? I just tried on the one test folder(takeown.exe /R /F TestFolder) and it just changed the Owner but did not remove the existing ACLs. Can you try this on some test folder? -CrDev Blogs: http://blogs.msdn.com/b/satyem