It probably is offbox. I would open a case. For some reason reading your description my first thought was ransomware. It doesn’t make sense since you can still access data but you might make a clone of the volumes or ensure you retain snapshots on your secondary SnapMirror location. It doesn’t match what we have seen ransomware do but I had a feeling reading what you said. At the very least you’ll have a backup. 

Since it involves looking at logs I would just open a case. If it is like a home directory request a p1 since that would be an outage. 

Sorry I should clarify, if this is a lost access situation and you can’t get it to where users can access their data. 

Its not ransomware. You have a volume and you have a share. You create a folder in that share and it inherits the root permissions. The question is, if you lost access to the root, how would you for example take ownership back?

If the share = \\SVM\Users$ and you access this share, create folders here, they inherit permissions from user$. The only way I know how to change the NTFS permissions on the Users$ is to pin the folder in explorer, then I can right click it and modify the permissions. But lets say someone went in and removed my ntfs access from users$, the folder would disappear and I would not be able to even see the folder. If I try to go to \\SVM\Users$, I would get access denied. The share permissions are still intact and visible on  netapp, but the ntfs permissions are now wrong and im locked out. So how can you view / take ownership back of the Users$ root folder?

I agree. I just had a feeling...IDK why.

Ok I understand now, you can view / change the permissions via SSH command line.  Found it under the CIFS 

Example

cifs share access-control modify -share USERS$ -user-or-group MYGROUP -user-group-type windows -permission Full_Control