We have a situation where we want to give a certain account read access to a large portion of our DFS structure. For simplicity sake, lets pretend that the entire DFS is contained on one volume (this is not the case but will make the discussion easier). So we have a bunch of folders under the X: volume on a file server. Some of these folders inherit their permissions and some haev broken the inheritance for various reasons and therefore have explicit permissions.
Example: X:\level1 will have userA will have read rights, but folder x:\level1\level2 will not have the "Include inheritable permissions from this object's parent." checked in the advanced security tab, and therefore will have explicit permissions and doesn't inherit permissions from X:\level1. Folder x:\level1\level2 will not have an entry for userA at all, and has a userB entry with full control rights.
If for the above example, I want to create a new user, called userRead and give him read rights on both X:\level1 and X:\level1\level2 (and subsequent X:\level1\<level X> folders) I don't know of a way of doing this, other than manually adding the userRead entry for each folder. If I put userRead into the security settings for X:\level1 and then check "Replace all child object permissions with inheritable permissions from this object.", it will put the userRead entry into X:\level1\level2 security permissions, but will also put the userA permissions as well as remove the userB permissions.
Does anybody know of a way to push down one single entry, without removing all the explicit entries? I imagine I could create some sort of a script that would somewhat automate teh otherwise manual entry, but that won't really help that much with how large our DFS structure is. Any help would be apprecaited.