I've been working with XCACLS.EXE (not exactly the most thoroughly documented tool by Microsoft) because I'm dealing with hundreds of users over time, each with their own space... thus looking for a batch job solution. Anyway, I think I figured out what I did wrong. With XCACLS, it's possible to give a user or group FULL access to folders and subfolders, but not include an ACE for files created in any of the subfolders. Or, as the documentation says regarding that devious "T" modifier which I was erroneously using: "Sets an ACE for the directory itself without specifying an ACE that is applied to new files created in that directory." That's what I accidently did with the Administrators group. So when the owner of one of those folders created a file in it, the Admin had zero access to the file itself, even though the Admin could walk up and down the hierarchy and see every file (but couldn't touch any). The only way to fix that situation, it appears, is to have the Admin take ownership of the files. The security dialogs are a bit misleading because at the top-level security panel, what you see makes it look like files in the folder should be inheriting the permissions granted to the folder (that little inherit checkbox is checked).


>Hi,
>
>On my system the system administrator, rename root, is a member of the follow groups:
>
> Domain Admins
> Administrator
> Domain User
>
>All other normal user are members of Domain User group only.
>
>With the explorer I would right click on top level shared T select properties and then security and then Permissions. I would grant the system admins and domain users full control of T plus all sub-directories. I would have the system administrator take ownership of all files on T. I don't understand why the system administrator would not have access of anything since he/she is at the top of the security chain. Even if the system admin defined a directory or file as no access, he would not be locked out because he could alway change the permission back to whatever.