Use this Powershell script to analyze the folders to find out which folders do not inherit permissions from their parent folder.
Then you can fix the permissions manually, or use the folder names to build icacls commands to add the desired access.
cls
$target = 'C:\Temp\'
$folders = Get-ChildItem -path $target -Directory -Recurse
"These folders do not inherit permissions from their parent folder."
foreach ($f in $folders){
$acl = get-acl $f.FullName
$aces = $acl.Access
$FoundInherited = $false
foreach ($ace in $aces) {
if ($ace.IsInherited -eq $true) {
$FoundInherited = $true
}
}
if ($FoundInherited -eq $false) {
$f.fullname
}
}
I don't like granting access to individual users on server file systems. In my case, when those users quit the company, their accounts got deleted. Then I would get a request for the new employee to have the same access as the terminated employee. I would have dead SID's on the file system and I had to try to figure out where to grant access to the new account.
Always grant access by a group. Then you can just add/remove users from the group as their roles change.
Also check to see if the application support team has the ability to change permissions on the file system. If they publish the web site, that might overwrite the permissions. When I defined a new site in IIS I also created local security groups to allow the web site owners to manage their groups using a security web site that I built. Only server administrators were allowed to modify file permissions. The application team could only add/remove users from their groups.
Before I implemented that policy, I spent entirely too many hours troubleshooting the exact same problem that you are facing.