# Fix homes share NTFS permissions using icacls
# Goal: remove BUILTIN\Users inherited read from all subfolders
# Allow Authenticated Users to create folders on the root only (not read siblings)

Write-Output "=== icacls fix for D:\Homes ==="

# Step 1: Remove BUILTIN\Users from root and all subfolders
$r1 = & icacls "D:\Homes" /remove "BUILTIN\Users" /T /C 2>&1
Write-Output "Remove BUILTIN\Users from root+children: $r1"

# Step 2: Grant Authenticated Users read+create-folder on root ONLY (no inheritance)
$r2 = & icacls "D:\Homes" /grant "Authenticated Users:(RD,AD)" 2>&1
Write-Output "Grant Authenticated Users root-only: $r2"

# Step 3: Disable inheritance on each subfolder and remove inherited BUILTIN\Users
Get-ChildItem "D:\Homes" -Directory -EA SilentlyContinue | ForEach-Object {
    $p = $_.FullName
    $n = $_.Name
    # /inheritance:d = disable, keep existing ACEs
    $r = & icacls $p /inheritance:d /C 2>&1
    Write-Output "  [$n] inheritance:d — $r"
}

Write-Output ""
Write-Output "=== Final ACL check ==="
& icacls "D:\Homes" 2>&1 | Write-Output
Write-Output "--- Subfolders ---"
Get-ChildItem "D:\Homes" -Directory -EA SilentlyContinue | ForEach-Object {
    Write-Output "  $($_.Name):"
    & icacls $_.FullName 2>&1 | ForEach-Object { Write-Output "    $_" }
}