Grant MODIFY on "All Subfolders and Files" with icacls, but only give Read to top level folder

79,024

Change the first line of your script to the following to have it apply only to subfolders and files.

icacls.exe $folder /grant "$domain\${user}:(OI)(CI)(IO)(M)"

Then apply this to the top folder.

icacls.exe $folder /grant "$domain\${user}:(R)"
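The same two-tier layout done natively with Get-Acl/Set-Acl, followed by an icacls check, as an added example that is neither the answer's nor the OP's code. The folder path and the CONTOSO\marra account are assumptions; the top-level rights follow the OP's follow-up comment (R,WD,AD).

```powershell
# Added example: grant Modify on subfolders/files only, and Read + create rights on the
# home folder itself, using .NET access rules instead of icacls grant strings.
$folder  = 'D:\Users\M\Marra'   # assumed path of the user's home folder
$account = 'CONTOSO\marra'      # placeholder domain\user

$acl = Get-Acl -Path $folder

# Tier 1: Modify on children only.
# ContainerInherit + ObjectInherit is icacls (CI)(OI); InheritOnly is (IO), so the ACE
# is stored on the home folder but grants nothing on the folder itself.
$children = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $account,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Tier 2: the home folder itself. Read plus CreateFiles (icacls WD) and
# CreateDirectories (icacls AD); no inheritance flags, so it applies to this folder only.
$top = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $account,
    [System.Security.AccessControl.FileSystemRights]'Read, CreateFiles, CreateDirectories',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl.AddAccessRule($children)
$acl.AddAccessRule($top)
Set-Acl -Path $folder -AclObject $acl

# Check: icacls lists both ACEs with their flags, i.e. one line ending in
# (OI)(CI)(IO)(M) and one ending in (R,WD,AD) for the account.
icacls.exe $folder
```

Running this needs WriteDAC (or ownership) on the folder, the same requirement icacls /grant has.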
Author: MDMarra

Updated on September 18, 2022

Comments

  • MDMarra
    MDMarra over 1 year

    One of our Windows servers that has some user folders on it has some pretty screwed up permissions. What I want is for SYSTEM and Domain Admins to have full control of all folders. I want the users to have read only on the top-level folder (which is their home folder) and modify on all subfolders and files. This can easily be accomplished through the GUI, but I can't figure out how to script it.

    I'm calling icacls from my PowerShell script, because get-acl and set-acl are a major PITA. If I have to use them, I'm not opposed to it, but I imagine that calling icacls will be easier. This is the relevant code that I have so far:

    icacls.exe $folder /grant "$domain\${user}:(OI)(CI)(M)"
    icacls.exe $folder /grant "SYSTEM:(OI)(CI)(F)"
    icacls.exe $folder /grant "$domain\domain admins:(OI)(CI)(F)"

    As you can see, I'm giving modify to the user for everything with icacls.exe $folder /grant "$domain\${user}:(OI)(CI)(M)". I can't figure out how to make that Modify apply only to subfolders and files while granting read-only to the top level folder.

    The desired permission structure would look like this (just for clarity):

    -Users  
    --M  
    ---Marra (read only to me)  
    ----Documents (Modify)  
    ----Scripts(Modify)  
    ----Etc (Modify)  
    

    What is the right icacls syntax for this, or how can I do it natively in PS with set-acl?

    • Admin
      Admin about 9 years
      If you can set the desired permissions in the GUI, then just do this manually for one folder, and afterward see how they look like with "icacls $folder".
    • Admin
      Admin almost 8 years
      You should make it more clear that $folder refers to $server\Users\M\Marra
  • MDMarra
    MDMarra about 12 years
    That's accurate to answer my question, but I need the users to be able to create files and sub-folders. To do that, I needed to use (R,WD,AD) for the top-level.
  • user2248402
    user2248402 almost 8 years
    Wouldn't the OP want /grant:r to replace any previously granted explicit permissions? If it's screwed up, don't you want to replace what's there?
  • Harry Johnston
    Harry Johnston almost 5 years
    @JJS, /grant:r probably wouldn't do anything useful in this case, because it only removes permissions that match the specified inheritance flags. I find the /reset option simpler to use.