Users removing Administrator from files/folders permissions

Posted by user64204 on Server Fault
Published on 2011-11-15T08:04:19Z

We're running Windows Server 2003 R2 with Active Directory and are having an issue with network shares whereby users, in an attempt to secure their documents, remove everybody (including the Administrator account) from their files/folders permissions. Since the Administrator no longer has read permission to them, we can't even back up files manually as we get permission errors.

One solution that we've found is to change the owner of the files and directories to the Administrator account. We can then change the permissions as we wish. The problem is that this has to be done manually so can't really be applied to an entire share.

Another solution that we've tried is to use cacls as follows:

cacls d:\path\to\share /C /T /E /G Administrator:F

The problem with this is that we're still getting an ACCESS DENIED error on files/folders on which Administrator was removed.

Q1: Is there a way to restore at least read access to all files/folders to the Administrator account in a recursive fashion?

That would be for the short term. For the long term we're looking for a solution to prevent users from removing Administrator from files/folders permissions. Since we're going to migrate to Windows Server 2008 R2 soon we could wait until we've migrated to implement such a solution if need be.

Q2: Is there a way to prevent users from removing Administrator from files/folders permissions on Windows Server 2003/2008?
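
The manual workaround described in the question (change the owner, then change the permissions) can be applied to a whole tree, because an object's owner can always rewrite its permissions even when no entry grants access. The batch file below is an added example, not part of the original post. It assumes an elevated prompt, that takeown.exe and icacls.exe are present (icacls ships with Server 2003 SP2 and later), and a made-up log file name.

```batch
@echo off
rem Added example, not from the original post.
rem Usage: restore-admin-acl.cmd <share-root> [principal]
rem Assumptions: run from an elevated prompt; takeown.exe and icacls.exe exist;
rem the log file name below is hypothetical.
setlocal

set "SHARE=%~1"
set "PRINCIPAL=%~2"
if "%SHARE%"=="" (
    echo Usage: %~nx0 ^<share-root^> [principal]
    exit /b 2
)
rem Default to the account used in the question's cacls command.
if "%PRINCIPAL%"=="" set "PRINCIPAL=Administrator"
if not exist "%SHARE%\" (
    echo "%SHARE%" is not a directory.
    exit /b 2
)
set "LOG=%TEMP%\restore-admin-acl.log"

rem Step 1: take ownership of every file and folder under the share root.
rem /R recurses. /D Y answers the prompt takeown shows for directories the
rem current user cannot list (Y = take ownership, N = skip); the letter is
rem locale dependent. Ownership goes to the user running the script.
takeown /F "%SHARE%" /R /D Y >> "%LOG%" 2>&1
if errorlevel 1 echo takeown reported errors, see "%LOG%"

rem Step 2: as owner, add an access entry for the principal without removing
rem the entries users set. /T recurses, /C continues past failures.
rem (OI)(CI) makes the entry inherit to new files and subfolders.
icacls "%SHARE%" /grant "%PRINCIPAL%:(OI)(CI)F" /T /C >> "%LOG%" 2>&1
if errorlevel 1 (
    echo icacls reported errors, see "%LOG%"
    exit /b 1
)

echo Done. Review "%LOG%" for any items that were skipped.
endlocal
```

The script changes the recorded owner of users' files, so run it against a test folder first and keep the log.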

© Server Fault or respective owner
