-1

Recently I was trying to restrict "delete" permission for usual users. To do that, I've done the following:

(translating from the Polish Windows version, so there may be small differences) Right mouse click on the given directory -> Properties -> Security -> Advanced -> Change permissions -> I've unmarked the first checkbox to stop inheriting permissions from the parent dir -> I've added special permissions for users - "Delete" and "Delete subfolders and files".

As a result I cannot delete these files/directory as a normal user, it's asking me for the admin password - it's great, as I expected. However, when I input the admin password, the file is not deleted and there is a message box informing me that I need admin permissions to perform this operation. Also, when I try to repeat these steps as admin, it gives me the same result: I cannot delete the files/directory on which I performed the above changes, even when I'm logged in as the admin account with which I performed these changes.

Can anybody help me solve my problem? I don't understand why denying delete permissions for users makes it impossible also for the admin user...

To answer your first questions, the hidden Administrator account was disabled and I was not using it, I just used my admin account.

Mithical
  • 321

1 Answer

1

Deny ACEs are evaluated first and take precedence over everything else. If you want to delete an object that is inheriting a Deny ACE, you need to clear the inheritance flag, and then remove the Deny ACE from only that object.

Using "deny" to prevent delete is a very tricky business. Instead of granting Change, which includes Delete, grant only Read.

This explains it in detail: https://technet.microsoft.com/en-us/library/cc783530(v=ws.10).aspx

For example, you might want to allow domain administrators to perform an action but deny domain users. If you attempt to implement this by explicitly denying domain users, you also deny any domain administrators who are also domain users. Though it is sometimes necessary, you can and should avoid the use of explicit denies in most cases.

Clayton
  • 547
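
The precedence rule described in the answer, as an added example that is not part of the original post: a simplified Python model of the DACL walk, showing why a Deny on Users also blocks an administrator and why a Read-only grant does not. The access bits, the `alice`/`bob` tokens and the two ACLs are constructed for illustration; the model ignores inheritance, ownership and delete rights granted through the parent directory.

```python
# Simplified model of a Windows DACL access check (constructed example).
from collections import namedtuple

READ, WRITE, DELETE = 1, 2, 4          # toy access bits, not real Windows mask values
Ace = namedtuple("Ace", "kind trustee mask")   # kind is "deny" or "allow"

def access_check(token_sids, dacl, wanted):
    """Walk the ACEs with deny entries first; stop at the first decisive ACE."""
    granted = 0
    for ace in sorted(dacl, key=lambda a: a.kind != "deny"):
        if ace.trustee not in token_sids:
            continue                    # ACE is for a SID the caller does not hold
        if ace.kind == "deny" and ace.mask & wanted & ~granted:
            return False                # a requested bit is explicitly denied
        if ace.kind == "allow":
            granted |= ace.mask
        if (wanted & ~granted) == 0:
            return True                 # every requested bit has been granted
    return False                        # nothing granted the rest: implicit deny

# Constructed tokens: an administrator's token also carries the Users group.
ADMIN = {"alice", "Administrators", "Users"}
USER = {"bob", "Users"}

# The question's setup: Delete is explicitly denied to Users.
DENY_DACL = [
    Ace("allow", "Administrators", READ | WRITE | DELETE),
    Ace("allow", "Users", READ | WRITE),
    Ace("deny", "Users", DELETE),
]
# The answer's suggestion: no deny ACE, Users are only granted Read.
READ_ONLY_DACL = [
    Ace("allow", "Administrators", READ | WRITE | DELETE),
    Ace("allow", "Users", READ),
]

def can_delete(token_sids, dacl):
    return access_check(token_sids, dacl, DELETE)

if __name__ == "__main__":
    for who, tok in (("admin", ADMIN), ("user", USER)):
        for name, dacl in (("deny ACE", DENY_DACL), ("read-only grant", READ_ONLY_DACL)):
            verdict = "allowed" if can_delete(tok, dacl) else "denied"
            print(f"{who:5} / {name:15}: delete {verdict}")
```
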