I have a situation where access to several large folder structures is limited to Domain Admins, and the inheritance is broken on several of the subfolders and replaced with access to specific users and groups. By large i mean several hundred thousand files, and several thousand folders.
I have been given the task of trying to reduce the members of the Domain Admins group to a minimum, and I can not remove the support personell from the Domain Admins group until i have found a solution for the file permissions. The customer wants to keep any custom permissions on subfolders and files, so i can not replace the folder permissions recursively.
The only thing i have been able to come up with, is to run a script that explicitly adds the local administrators group to the acl of every file and folder without any inheritance flags. I think i have a working script, but im guessing this isnt exactly"best practices" so I am open to any suggestions or if you can think of any complications that i might not have thougth about from setting the permissions this way. (for example i expect it will trigger a full backup)
I have recommended the customer rebuild the file share with some sort of RBAC, and not allow breaking inheritance, but we need to take some immediate action towards the amount of members in Domain Admins.
Thanks in advance for any input on this problem!