You could try setting inheritable ACE on top-level directory. As long as users did not add explicit Deny entries or did not block inheritance it should suffice. Note that explicit denials always override explicit grants, so just adding ACE may not be sufficient anyway.
I don't know whether they did anything explicitly. Unfortunately it doesn't let us see any permissions or settings. My account is a domain admin and I'm also in the administrators group on the filers.
You can use "fsecurity show" on filer to dump current ACL. Could you paste example for one of inaccessible files?
Did you try setting top-level inheritable ACE? It should not override any ACL on contained files.
We looked into this, but not having permissions to a variety of sub- directories the icacl command doesn't see into these directories. We could try to force permissions down the trees, but even if it works, we're potentially adding or removing access to groups currently being hidden. We're reluctant to blindly do this.
But it may not work if access to folders/files is blocked. In this case it is possible to create task that runs as e.g. SYSTEM to do it.
Would you elaborate on this? Where would this job run from and how would it end up with access?
Sorry, I was wrong here. It is possible to do it on Windows (running job as SYSTEM account) but of course it won't help when accessing something over network.