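################################### Access backup and restore ########################
# Reference commands: run these deliberately, one at a time, not as part of the
# grant steps further down.
#
#   icacls c:\share\* /save AclFile /T
#     - Will save the ACLs for all files under c:\share and its subdirectories to AclFile.
#
#   icacls c:\share\ /restore AclFile
#     - Will restore the ACLs for every file within AclFile that exists in c:\share
#       and its subdirectories.
#
# /restore applies whatever ACLs the file contains, so keep AclFile somewhere only
# administrators can write to (not inside the share itself).

################## Reset to Default all subfolders, even without inheritance #########
# Reference command. /reset replaces the ACL on every matching item with the
# default inherited ACL, so explicit grants and denies under the path are lost.
# Take a /save backup (above) before running it.
#
#   icacls "C:\Share" /reset /T

######################### Permissions for folders: ###################################

# Set the root folder path where you need the permissions to be applied for group
$rootFolder = "C:\share\folder1\folder2"

# Folders in share before the folder you need access, so we can traverse them.
$folderPath1 = "C:\share"
$folderPath2 = "C:\share\folder1"

# Define domain groups "domain\group"
$modifyGroup = "Haku.local\C_Folder1_Folder2"
# If you do not need Read only access, set this to "" and the read-only grants are skipped
$readOnlyGroup = "Haku.local\C_Folder1_Folder2_RO"

# Name of the SMB share that exposes C:\share (placeholder, replace with the real share name)
$shareName = "ShareName"

###################### Applying the permissions #######################################
# M: Modify (Write) permission
# R: Read permission
# RX: Read and execute ( needed for traversing folders if applied only to folder)
# (OI)(CI): Object Inherit and Container Inherit, respectively
# /T: Apply to all files and subdirectories. This writes the ACE explicitly on
#     every existing child as well, which is what reaches children that have
#     inheritance disabled.
# /C: Continue on errors. Failures are only reported in the icacls output, so
#     read the "Failed processing N files" summary before assuming the grant
#     is complete.
#
# /grant adds to any rights the group already holds on the item; it does not
# replace them. The ${name} form is required inside the string because
# "$modifyGroup:(...)" would be parsed as a scope-qualified variable name.

# Set Modify (Write) permissions for the Modify group on folder2
icacls $rootFolder /grant "${modifyGroup}:(OI)(CI)M" /T /C
if ($LASTEXITCODE -ne 0) { Write-Warning "icacls reported failures granting Modify on $rootFolder" }

# Set Read-only permissions for the Read-only group on folder2
if ($readOnlyGroup) {
    icacls $rootFolder /grant "${readOnlyGroup}:(OI)(CI)RX" /T /C
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls reported failures granting RX on $rootFolder" }
}

# Use icacls to grant traverse permission to the specified domain groups.
# No (OI)(CI) here, so the access applies only to the folder itself and is not
# inherited by its other children. RX on a folder still lets the group list the
# names inside it; Access-Based Enumeration (below) is what hides the entries
# they cannot read when browsing over the share.
# Repeat this for any folder closer to root drive so users can access the final folder.
$traverseGroups = @($modifyGroup, $readOnlyGroup) | Where-Object { $_ }
foreach ($folder in @($folderPath2, $folderPath1)) {
    foreach ($group in $traverseGroups) {
        icacls $folder /grant "${group}:(RX)"
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls reported a failure granting RX to $group on $folder" }
    }
}

# Enable Access-Based Enumeration on the share, users will not see folders they do not have access to.
# ABE only filters what is listed over SMB; the NTFS ACLs set above remain the
# actual access control.
Set-SmbShare -Name $shareName -FolderEnumerationMode AccessBased -Force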