
I am trying to prevent users from accidentally deleting a certain folder in a parent folder, while still giving them modify permission on all other files and folders in the parent folder. But they should be also able to modify files and folders in this certain folder.

This comment on a similar problem describes my problem very well, but it never got an answer: https://superuser.com/a/977180/554054. This is my structure:

Folder A
|-Folder B
|-Folder C
| |+Folder E
| | |+ a.doc
| |+Folder F
| | |+ b.doc
| |+c.doc
|-D
  • Folder A - Read/Execute
  • Folder B/D - Read/Execute (inherited from A) + Read/Write/Delete for Files/Subfolders
  • Folder C - Read/Execute (inherited from A) + Read/Write/Delete for Files/Subfolders, EXCEPT for Folder E! This folder shouldn't be deletable, but inside it the user should be able to read/write/delete subfolders and files.

I tried many different permission combinations, but nothing worked. Does anyone have an idea how to solve this problem?

Here are two screenshots of my Advanced Settings for Folder E (the inherited special permissions for the user "Bearbeiter").

Astrid

2 Answers


I am trying to prevent users from accidentally deleting a certain folder in a parent folder, while still giving them modify permission on all other files and folders in the parent folder. But they should be also able to modify files and folders in this certain folder

Prevent Folder Deletion or inadvertent Drag and Drop with NTFS security

If you want to prevent a specific folder from being deleted or dragged and dropped elsewhere, even if it has elevated implicit permissions, you can set an explicit DENY to the FOLDER ONLY for the user account or security group which you want to prevent this action from being performed.

You can complete this folder security lock-down using ICACLS with a local path (e.g. C:\Path\FolderA\FolderE) or a UNC path (e.g. \\server\share\FolderA\FolderE).


Example ICACLS syntax to run from an elevated command prompt

ICACLS "\\server\share\FolderA\FolderE" /deny "<UserOrGroupNameToDeny>":(DE)

Permissions Used

/deny user:permission
   Explicitly deny the specified user access rights.
   This will also remove any explicit grant of the 
   same permissions to the same user.

perm is a permission mask and can be specified in one of two forms:
   a comma-separated list in parentheses of specific rights:
         DE - delete

What this does

Running the above with those options in that syntax will set an explicit DENY of the NTFS DELETE permission on that FOLDER ONLY for that specific user account or security group.

You can confirm the deny permissions to the folder for the user account or security group by:

  • Right-click the folder you've used in the command,
  • Select the Security tab,
  • In the Group or user name: area scroll to or select and highlight the account or group you've used in the command,
  • In the Permissions for Administrators area you will see the NTFS permission attributes for Allow and Deny
  • You'll see a check mark in the DENY column of the special permissions row for the account or group you've used in the command


  • Select Advanced and go to the Permissions tab
  • Check for the Name (or Principal) value that you used in command, for DENY in the Type field
  • The Permissions (or Access) field should show Delete and the Apply to (or Applies to) will show this folder only



NOTES

Please note that unchecking an ALLOW DELETE attribute is not the same as leaving that in place as-is and then creating a separate NTFS ACL rule for this same security group or user account saying to explicitly DENY the DELETE security.

This solution does NOT disallow DELETE this way (WRONG).

This solution WILL explicitly DENY DELETE at this level to THIS FOLDER ONLY (CORRECT).


Further Reading and Resources
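The same "deny Delete, this folder only" ACE as the ICACLS command above, written in PowerShell so the result can be read back and checked. This is an added example, not code from the answer; the path and the principal are placeholders, and the last block adds a check the answer does not mention: a principal that holds "Delete subfolders and files" on the parent folder can still remove the child, because NTFS honours that parent right even when the child itself denies Delete.

```powershell
# Added example (not from the answer above): apply an explicit Deny of Delete
# scoped to "This folder only", then verify it by reading the DACL back.
# Assumptions: $Path and $Principal are placeholders; run elevated on the file server.
param(
    [string]$Path      = 'C:\Path\FolderA\FolderC\FolderE',   # placeholder path
    [string]$Principal = 'DOMAIN\Bearbeiter'                  # placeholder user or group
)

$acl = Get-Acl -LiteralPath $Path

# Right = Delete, type = Deny, InheritanceFlags/PropagationFlags = None,
# which is what the GUI shows as "Applies to: This folder only".
$denyDelete = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::Delete,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($denyDelete)
Set-Acl -LiteralPath $Path -AclObject $acl

# Verify: look for an explicit (non-inherited) Deny ACE carrying exactly Delete.
$check = (Get-Acl -LiteralPath $Path).Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    -not $_.IsInherited -and
    $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::Delete -and
    $_.InheritanceFlags -eq 'None'
}
if ($check) { "OK: explicit Deny Delete (this folder only) for $($check.IdentityReference) on $Path" }
else        { "WARNING: Deny Delete ACE not found on $Path" }

# Caveat check: an Allow of "Delete subfolders and files" (FILE_DELETE_CHILD) on the
# PARENT lets that principal delete this folder regardless of the child's Deny. Flag it.
$parent = Split-Path -LiteralPath $Path -Parent
(Get-Acl -LiteralPath $parent).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.HasFlag([System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles)
} | ForEach-Object {
    "NOTE: $($_.IdentityReference) holds 'Delete subfolders and files' on $parent; that right overrides the Deny on $Path"
}
```

If the NOTE line fires for the group you are protecting against, remove "Delete subfolders and files" from that group's Allow on the parent (leave "Delete" on files and subfolders in place) or the Deny on Folder E will not stop the deletion.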


This is not possible. You can make a folder undeletable by removing modify rights, but that will cause all files in that folder to automatically get that same right, making it impossible for people to work on new files in that folder.

You can create subfolders and disable inheritance of rights to make people able to work in those folders, but you should move the remaining folders into a subfolder or decide against doing this.

You can also give files different rights than their parent folder, but that would only allow people to edit existing files, including deleting them. But when they want to copy or create a new file in this folder they can't.

Also, please note that the filesystem layout you're suggesting is bad practice. You'll want to set the permissions at as high a level as possible, with inheritance to all children. The reason is that you can push rights down to all child folders; if this is done from a higher folder, all rights are removed.

But suffice it to say, it is not possible to make it so that a folder cannot be deleted/moved while its content can. If deletion is of great concern to you, enable Volume Shadow Copy and optionally a backup. If a folder is moved, it will be moved inside VSS also. If deleted, you can simply undelete from VSS (restore previous versions). If moving is a concern and you can't find where it was moved to, make a daily backup, and of course you can always try to instruct people to simply not delete/move these folders.

This kind of action usually happens because people simply are not aware they are not supposed to move them, and an accidental delete can be undone using VSS.

LPChip