BUILTIN\Authenticated Users - Read and Execute - Applied to this folder only.

The last permission doesn't inherit down into the subfolders. At each subfolder, inheritance remains enabled and you simply specify the user with "Modify" or "Full Control" rights (depending on how you feel about users being able to set permissions inside their home directory). (Typically I set that last permission by adding "Authenticated Users" in the non-"Advanced" Security properties sheet, unchecking the "Read" and "Read and Execute" check boxes. I then proceed into the "Advanced" dialog and change the "Apply onto" setting for that ACE to "This folder only". That's about the easiest way, in terms of number of clicks, to set it.)

Then, your script becomes:

    set /p userDir=Enter the login of the user's directory you're modifying permissions for.
    ICACLS "E:\Home Directories\%userDir%" /grant:r "MYDOMAIN\%userDir%":(OI)(CI)F

I strongly suspect that the addition of the "Authenticated Users" permission I've described above w/ the inheritance set to "This folder only" will give you what you're looking for in functionality and will give you future flexibility if you find out that you have to set a permission that might need to inherit into all the user home directories in the future.

This is my SOP for user home directories, redirected "My Documents", "Desktop", etc folders, and for roaming user profile directories.

Re: your comment about BUILTIN\Administrators access

I've had various arguments with people about my take on granting BUILTIN\Administrators access over the years, and my take is this: It's easier to solve a certain class of user problems if you can get to their files.
I'm trying to reset permissions on user directories and having a bit of trouble with the last step of my script.

My script basically takes ownership of the entire user directory, resets the permissions on all files and folders for the directory, explicitly grants the permissions I need, stops all inheritance of permissions from parent folders, sets the rightful owner (specified user) for all files and folders, and then removes the permission I gave to myself so that I could operate on the files.

I need this last step to remove myself from ALL files and subfolders, but at the moment it just removes me from the %userDir% and leaves all the inherited permissions below. This is an apparent shortcoming in ICACLS.