I am currently working a contract with a company running their file shares on DFS on 2008 R2. They would like to update to 2016, and migrate all data to a different SAN provider. Normally this would not be an issue, but I have (as always seems to be the case) run into a bit of a rub.
For each of the shared drives, the company policy has been to create a RO and RW security group in A.D., and control NTFS permissions through these groups. There are literally hundreds upon hundreds of each group, covering folders and subfolders and third-grandchildren folders.
On top of this horrible structure, a LARGE number of folders were deemed "too private" for anyone but a select few, and thus have inheritance broken on them. Still more on top of this were deemed "way too private" and even the administrators were removed. So even as an Enterprise Admin there are many directories I get an access denied on.
While the removal of admin access is bad enough, with the broken inheritance it means that in a particular directory with 15 subfolders I may only see 6. So I end up "not knowing what I don't know" as I can't see the folders I have no access to.
So I am just looking for suggestions on a best-practice way to go about resolving this, at least to the point where I know what I don't have access to, so I can then put it back on the directory owner to move their own data to the new DFS root. The only thing I can think of is to do an initial trial copy of data, and just record what directories it fails on, but I am concerned the ones I cannot even see won't throw an error. With ~80TB of data to go through, it is looking like it is going to be a nightmare.
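One way to build the "what I don't have access to" list described above without copying any data, as an added example that is not part of the original post: a read-only PowerShell walk that records every folder whose ACL or child listing the current account cannot read, plus every folder with inheritance disabled. The share path and report file are placeholders, PowerShell 3.0 or later is assumed, and a folder that never appears in its parent's listing is outside what this can report.

```powershell
# Added example: read-only inventory of folders the current account cannot
# read, and of folders with inheritance disabled. Both defaults are placeholders.
param(
    [string]$Root   = '\\example.local\dfs\share',   # placeholder path
    [string]$Report = '.\acl-inventory.csv'          # placeholder report file
)

$results = New-Object 'System.Collections.Generic.List[object]'
$queue   = New-Object 'System.Collections.Generic.Queue[string]'
$queue.Enqueue($Root)

while ($queue.Count -gt 0) {
    $dir = $queue.Dequeue()
    $aclError = $null; $listError = $null; $protected = $null; $owner = $null

    # Step 1: read the ACL. AreAccessRulesProtected is True when inheritance
    # has been disabled on the folder; Owner tells you who to hand it back to.
    try {
        $acl       = Get-Acl -LiteralPath $dir -ErrorAction Stop
        $protected = $acl.AreAccessRulesProtected
        $owner     = $acl.Owner
    } catch {
        $aclError = $_.Exception.GetType().Name
    }

    # Step 2: list child folders. A failure here means everything below this
    # folder is unknown to the current account, so it is recorded, not skipped.
    try {
        $children = @(Get-ChildItem -LiteralPath $dir -Directory -Force -ErrorAction Stop)
        foreach ($child in $children) {
            # Reparse points (junctions, symlinks) are not followed, to avoid loops.
            if ($child.Attributes -band [IO.FileAttributes]::ReparsePoint) { continue }
            $queue.Enqueue($child.FullName)
        }
    } catch {
        $listError = $_.Exception.GetType().Name   # e.g. UnauthorizedAccessException
    }

    if ($aclError -or $listError -or $protected) {
        $results.Add([pscustomobject]@{
            Path = $dir; InheritanceDisabled = $protected; Owner = $owner
            AclError = $aclError; ListError = $listError
        })
    }
}

$results | Export-Csv -Path $Report -NoTypeInformation
"{0} folders need follow-up; report written to {1}" -f $results.Count, $Report
```

Rows with a `ListError` mark subtrees whose contents are unknown to the account that ran the script; rows with only `InheritanceDisabled` set are readable but carry their own ACL and need it checked before the move.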