Hi,

As the "Everyone" security principal is inheriting full control permissions to all subfolders in the volume (user home directories) this implies that you have not modifed the default permissions that are applied when an NTFS volume is created. I'd recommend you fix this by either creating a Active Directory group for Data administrators and applying full control permissions to that group at volume root.

For example when creating a new volume (before presenting it to users) you should set the permissions and remove everyone:

icacls.exe "\\vserver1\volume1$" /Grant "BUILTIN\Administrators":(CI)(OI)F
icacls.exe "\\vserver1\volume1$" /Grant "TESTLAB\NetAppDataAdmins":(CI)(OI)F
icacls.exe "\\vserver1\volume1$" /remove Everyone

Also when you create user home directories you will need to explicitly set permissions to grant the user access.

For example:

icacls.exe "\\vserver1\users$\user1" /Grant "TESTLAB\user1":(CI)(OI)M

In your case as the volume is in use with the default permissions you will need to run the commands in a specific order to prevent an outage. first add permissions to your administrators groups (wait for that to finish). Once complete set explicit permissions on any qtree's and users home directories (wait for that to complete). Finally remove the permissions to everyone from the root of the volume.

Hope that helps.

/matt

Note: if you'd prefer to automate it and not use a command line then you can use .NET class "System.Security.AccessControl.FileSystemAccessRule"