A bit of terminology first:
ACE - Access Control Entry - is a single entry in an ACL, such as "GroupA - Read"
ACL - Access Control List - is a collection of ACEs
Effectively the below command adds an ACE to an ACL.
I recommend reading the following article before proceeding:
How Security Descriptors and Access Control Lists Work
Thiws KB article provides documentation for ICACLS:
Now the magic command:
icacls "f:\user" /grant builtin\Administrators:(OI)(CI)(F) /T /c
The above command will grant Administrators group Full Control permission on folder F:\USER as well as on all sub-folders without affecting inheritance or propagating any other ACEs - this is the key. We have to make sure that a user executing the command has full control permission on all folders.
We can replace "builtin\Administrators" with a domain group for example:
icacls "f:\user" /grant securesenses\Access:(OI)(CI)(F) /T /c
Test thoroughly before proceeding!