ICACLS
When I am running this command on my file server (2008 R2):

icacls Y:\teststudent111 /Setowner domain\administrator /T /C /L

I am getting this error: "No mapping between account names and security IDs was done." Any idea? I am basically trying to work out how to give admins permissions to view home folders so the users have exclusive access. Thanks
June 14th, 2011 9:57pm

Hi,

Please try to use a UNC path instead to see if it works, such as running:

icacls \\Server\teststudent111 /Setowner domain\administrator /T /C /L

To run this command, you can use the Run as administrator command:

1. Click the Start button.
2. In the Search box, type command prompt.
3. In the list of results, right-click Command Prompt, and then click Run as administrator.
4. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

How To Open Elevated Command Prompt With Administrator Privileges In Windows 7 / Vista
http://www.addictivetips.com/windows-tips/how-to-open-elevated-command-prompt-with-administrator-privileges-in-windows-vista/

Brent
June 14th, 2011 10:31pm

I tried the command; however, I get an "access is denied" error even from an elevated command prompt. This is how the ACL is set up on the parent folder, for the students group: list folder/read data, read attrib, read ext attrib, create files/write data, create folder/append data, write attrib, write extended attrib - this folder only. Thanks
June 14th, 2011 11:59pm

I wish I had a solution to this. I tried to create some scripts to take ownership, then modify the permissions and revert the ownership, which did not work properly. And this is not a solution for future home folders.
June 26th, 2011 6:49pm

I have come up with this script (on the file server with domain\administrator login):

@echo off
rem Root folder that holds one home folder per user (folder name = account name)
set dirPath=G:\users\sales
For /f "usebackq tokens=*" %%a in (`dir /b/a:d "%dirPath%"`) do (
    rem Take ownership of the home folder and everything below it
    start /wait takeown /f "%dirPath%\%%a" /r /d y
    rem Full control for the administrator and for the folder's user, inherited by files and subfolders
    start /wait icacls "%dirPath%\%%a" /grant "domain\administrator:(OI)(CI)F"
    start /wait icacls "%dirPath%\%%a" /grant "domain\%%a:(OI)(CI)F"
    rem Deny the administrator read on desktop.ini so the folder keeps its real name
    start /wait icacls "%dirPath%\%%a\desktop.ini" /deny "domain\administrator:R"
)

The desktop.ini file must have deny read for all other users except the original users - otherwise it comes up as my documents.

Downsides with this way:
1. It does not give ownership back to the original users
2. It is a manual process - for any new account this script needs to be run, so not very scalable

So far this is the closest solution I am happy with. So this is the answer for me :) However, if anyone can come up with a better solution - most welcome
June 29th, 2011 8:34pm
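
A read-only audit for the two downsides listed in the post above, added here as an example that is not part of the original thread: it reports home folders whose owner is not the matching user, or where the administrator or the user lacks an explicit Full Control entry. The root path, the placeholder domain name, and the assumption that each folder name equals the account name are taken from the thread's script; the function name is hypothetical.

```powershell
# Added example, not from the thread. Only reads ACLs; changes nothing.
param(
    [string]$Root   = 'G:\Users\Sales',        # home-folder root used in the thread's script
    [string]$Domain = 'domain',                # placeholder domain name, as in the thread
    [string]$Admin  = 'domain\administrator'   # account granted access by the thread's script
)

# Hypothetical helper: summarise owner and Full Control entries for one home folder.
function Test-HomeFolderAcl {
    param([string]$Path, [string]$ExpectedUser, [string]$AdminAccount)

    $acl  = Get-Acl -Path $Path
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $adminFull = $false
    $userFull  = $false

    foreach ($rule in $acl.Access) {
        # Only Allow entries that carry every Full Control bit count.
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $full) -ne $full) { continue }
        # Named accounts only: access inherited through a group such as
        # BUILTIN\Administrators is deliberately not counted here.
        $id = $rule.IdentityReference.Value
        if ($id -ieq $AdminAccount) { $adminFull = $true }
        if ($id -ieq $ExpectedUser) { $userFull  = $true }
    }

    New-Object PSObject -Property @{
        Path             = $Path
        Owner            = $acl.Owner
        OwnerIsUser      = ($acl.Owner -ieq $ExpectedUser)
        AdminFullControl = $adminFull
        UserFullControl  = $userFull
    }
}

# Assumption: each folder under $Root is named after the account that should own it.
Get-ChildItem -Path $Root |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        Test-HomeFolderAcl -Path $_.FullName -ExpectedUser "$Domain\$($_.Name)" -AdminAccount $Admin
    } |
    Where-Object { -not ($_.OwnerIsUser -and $_.AdminFullControl -and $_.UserFullControl) } |
    Format-Table Path, Owner, OwnerIsUser, AdminFullControl, UserFullControl -AutoSize
```

Folders that do not appear in the output already have the expected owner and both Full Control entries; newly created home folders show up until the permissions are applied to them.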

This topic is archived. No further replies will be accepted.
