Thank you for the reply. Let me clarify the goal:
Set ICACLS permissions on the DM (the parent) folder so that all domain users have list folder and read permissions. That will allow regular users to locate the documents and view them. These users will not have any ability to delete, modify or even add new files anywhere in the DM structure (the parent folder and all sub-folders). I expect to use the built-in "Everyone" group to represent these users.
One specific user will get one additional permission: "Scanner_Operator" will have the ability to add new files in addition to the permissions granted to Everyone above.
Finally, the domain administrator will have full control to add, delete, modify and write anywhere in the structure.
There are current year folders ("2021", for example) where Scanner_Operator is adding documents throughout the year. There are prior year folders (like "2019", for example) that are historical and should never change again. Scanner_Operator will only have permission to add to the current year folders and that permission will be revoked following end of year.
First question: Please clarify which ICACLS permissions are appropriate to make this work as described and how that will apply to users and groups. For example, I think that domain admin is a member of the built-in "Everyone" group. So if I assign a deny permission to group Everyone, will that also block domain administrator? Do permit permissions override deny permissions?
Second question: Please provide an example command that will recurse the DM structure and only change permissions on folders named exactly "2021". At the end of the calendar year, I will be modifying the permissions on thousands of current year folders named "2021". So I need a command that will recurse the DM structure and only change the permissions on the thousands of sub-folders named "2021".
Thanks very much - I appreciate your assistance!
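The year-folder requirement described in the post, sketched in PowerShell as an added example that is not part of the original post. It uses allow-only ACEs rather than a deny on Everyone, because administrator accounts are also members of Everyone and an explicit deny is evaluated before an explicit allow at the same level. The function name `Set-YearFolderAccess`, the root `D:\DM` and the account `CONTOSO\Scanner_Operator` are assumed placeholders.

```powershell
# Added example. Set-YearFolderAccess, D:\DM and CONTOSO\Scanner_Operator are
# hypothetical names chosen for illustration; substitute your own.
function Set-YearFolderAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Root,
        [Parameter(Mandatory)] [string] $Year,
        [Parameter(Mandatory)] [string] $Account,
        [Parameter(Mandatory)] [ValidateSet('Grant', 'Revoke')] [string] $Action
    )

    # -eq compares the whole folder name, so "2021-old" or "12021" are skipped.
    $folders = Get-ChildItem -LiteralPath $Root -Directory -Recurse |
        Where-Object { $_.Name -eq $Year }

    foreach ($folder in $folders) {
        # Honors -WhatIf / -Confirm so the change can be previewed first.
        if (-not $PSCmdlet.ShouldProcess($folder.FullName, "$Action $Account")) {
            continue
        }

        if ($Action -eq 'Grant') {
            # (WD) on a folder means "create files". (CI) without (OI) passes
            # the ACE to sub-folders only, so existing files do not receive
            # a write-data ACE from this grant.
            icacls $folder.FullName /grant "${Account}:(CI)(WD)" | Out-Null
        }
        else {
            # Removes every explicit allow ACE for the account on this folder.
            icacls $folder.FullName /remove:g $Account | Out-Null
        }

        if ($LASTEXITCODE -ne 0) {
            Write-Warning "icacls failed on $($folder.FullName)"
        }
    }
}

# Year-end preview: lists the "2021" folders that would be changed.
Set-YearFolderAccess -Root 'D:\DM' -Year '2021' `
    -Account 'CONTOSO\Scanner_Operator' -Action Revoke -WhatIf
```

Drop `-WhatIf` to apply the change. `/remove:g` only removes ACEs set directly on each year folder, so the revoke works as intended when the Scanner_Operator grant was applied per year folder rather than inherited from the DM root.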