File Server - Folder AD Group Permissions Overwritten by User Permissions.

Simon Parkinson 1 Reputation point
2024-04-23T13:35:30.33+00:00

We have a series of departmental folders. Each department has an AD group with department members within to control access. Finance folder only has Finance people, HR folder only has HR people, etc. The root folder for each department is owned by Domain Admins. When we set these folders up, we set Domain Admins to be the owners of all sub-folders and files. Access to the folder is granted by the AD department group, so if we need to add or remove someone it is trivial to amend the group through AD.

So it begins as:

Owner: Domain Admins, Modify Permissions: Department-AD-Group

The "Replace all child object permissions with inheritable permission entries for this object" box is checked and all permissions are identical in all folders and files.

This works fine and all members of the group have access to the entire Department folder. When users begin creating sub-folders, things begin to screw up slowly.

Mary Bloggins creates a sub-folder for a project. The ownership of that sub-folder is now:

Owner: Mary Bloggins, Modify Permissions: Department-AD-Group + Mary Bloggins

Mary is added as an individual with modify permissions on that folder despite her already being in the department AD group.

Then James Coulter creates a sub-folder inside Mary's sub-folder. Now that folder permission looks like:

Owner: James Coulter, Modify Permissions: Department-AD-Group + James Coulter

Along comes Jane Black who creates a sub-folder in James's sub-folder. That folder has the following permissions:

Owner: Jane Black, Modify Permissions: Department-AD-Group + Jane Black

This is usually where we see issues where even though all three people are in the Department folder AD group, Mary cannot get into Jane Black's sub-folder. To fix this we have to go to the root folder and reapply Domain Admin ownership and Group AD permissions to all folders, sub-folders and files back to:

Owner: Domain Admins, Modify Permissions: Department-AD-Group

This removes any individual ownerships from modify permissions and puts Domain Admins back with just the AD Group having modify permissions and all works again until more sub-folders are created.

This appears to be a serious bug where an individual creating a sub-folder has their user permissions added instead of the department AD group they belong to. The "Replace all child object permissions with inheritable permission entries for this object" setting should not allow this to happen and enforce the group ownership of new sub-folders and files. The user should never be added to the new sub-folder ownership nor have individual permissions added to that new folder.

The only fix I found so far is to reapply permissions from the root folder down, which when dealing with a global organization and millions of files is starting to be onerous.

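As an added example (not code from the post or its author), the following read-only PowerShell audit finds the drift described above before it becomes a problem. It assumes a placeholder share path, domain and group names, and relies on the standard NTFS behaviour that an inherited "CREATOR OWNER" entry on the root is converted into an explicit entry for whichever user creates a sub-folder or file, which is what produces the per-user entries seen on Mary's, James's and Jane's folders.

```powershell
# Added audit example; assumed placeholder path, domain and group names.
# Reports findings only; it changes nothing.
param(
    [string]$Root = '\\fileserver\Departments\Finance',  # assumed share path
    [string]$ExpectedOwner = 'CONTOSO\Domain Admins',    # assumed domain name
    [string]$DepartmentGroup = 'CONTOSO\Finance-Group'   # assumed group name
)

$findings = New-Object System.Collections.Generic.List[object]

# 1. The usual source of per-user entries: an inherited CREATOR OWNER ACE on
#    the root. NTFS rewrites it as an explicit ACE for the creating user.
$rootAcl = Get-Acl -Path $Root
foreach ($ace in $rootAcl.Access) {
    if ($ace.IdentityReference.Value -eq 'CREATOR OWNER') {
        $findings.Add([pscustomobject]@{
            Path = $Root; Issue = 'CREATOR OWNER ACE present'
            Detail = "$($ace.FileSystemRights) ($($ace.InheritanceFlags))" })
    }
}

# 2. Walk every sub-folder: flag unexpected owners, folders that have had
#    inheritance disabled, and explicit (non-inherited) entries for anything
#    other than the department group and the administrative principals.
$allowed = @($ExpectedOwner, $DepartmentGroup,
             'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue |
  ForEach-Object {
    $acl = Get-Acl -Path $_.FullName
    if ($acl.Owner -ne $ExpectedOwner) {
        $findings.Add([pscustomobject]@{
            Path = $_.FullName; Issue = 'Unexpected owner'; Detail = $acl.Owner })
    }
    if ($acl.AreAccessRulesProtected) {
        $findings.Add([pscustomobject]@{
            Path = $_.FullName; Issue = 'Inheritance disabled'; Detail = '' })
    }
    foreach ($ace in $acl.Access) {
        if (-not $ace.IsInherited -and
            $allowed -notcontains $ace.IdentityReference.Value) {
            $findings.Add([pscustomobject]@{
                Path = $_.FullName; Issue = 'Explicit per-user ACE'
                Detail = "$($ace.IdentityReference) : $($ace.FileSystemRights)" })
        }
    }
  }

$findings | Sort-Object Path | Format-Table -AutoSize
```

Run it as an account with read access to the ACLs; the "CREATOR OWNER ACE present" finding on the root is the entry to remove (or replace with the department group) so that new sub-folders stop acquiring individual permissions.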

1 answer

  1. Simon Parkinson 1 Reputation point
    2024-04-23T18:32:56.51+00:00

    @MotoX80 Some do, some don't. We disable inheritance on each root folder before applying the permissions, but as different people have set folders up, it is not consistent. Let me do some trials & experimentation.
