I have many folders with job-related files on a server, which many employees access. Folders are constantly being dragged around and renamed by accident. Can I make the folders read only, while still allowing other users to modify, create, and delete the files in them?
2 Answers
Though you can set the Read-Only flag from the folder Properties screen, Windows blithely ignores it, allowing the folder to be moved or deleted without UAC or even warning. Creating a folder as another user, e.g. Administrator, did not protect it from changes by other users with access to it, in my (admittedly brief) testing.
You can make a folder difficult to delete by creating a folder or file in it named con, lpt1 etc. This kluge will also make it difficult to manage the server when it's necessary to change the directory structure. You can't easily delete the folder directly, but you can rename it and then delete it. From @maranas:
`mkdir \\.\C:\Users\username\Desktop\CON` creates the folder.
`ren \\.\C:\Users\username\Desktop\CON junq` renames the folder, which can now be removed.
Linux takes security a bit more seriously, so you could create a folder on a Linux server and grant others access but not rights to move or delete it. Windows can easily access Linux folders over a network.
FTP or SFTP allows for the protection of folders, as opposed to a Windows network.
Also, Windows 10 has the concept of Controlled folder access, which might, or might not, meet your needs.
You can do this by fiddling with access control lists.
- Open the Properties window of the top of the structure to be protected, switch to the Security tab, and press the Advanced button. This opens the advanced security editor.
- Push the "disable inheritance" button and choose to copy the inherited access rules. This allows you to make the access list on this folder structure different than that of its parent.
- Select the Allow rule that grants access to the group you want to restrict and push Edit.
- Change the "applies to" setting to "files only." As opposed to "this folder, subfolders, and files," the "files only" choice does not make the granted access apply to subcontainers.
- Click OK to save the changes to that rule.
- Push the Add button to create a new rule.
- Click the "select a principal" link and choose the same user/group that the previously adjusted rule applies to.
- Change the "applies to" setting to "this folder and subfolders." This rule will grant limited access to the containers.
- By default, all read-like permissions are granted. Click the "show advanced permissions" link in the upper right.
- Check the "create files / write data" box. This allows users to add files to the folders. If you want them to be able to create new subfolders too, also check "create folders / append data." Note that (depending on other security rules) users might not be able to remove folders they accidentally create.
- Click OK to add the new entry.
- Check the "replace all child object permission entries with inheritable permission entries from this object" at the bottom.
- Click OK to update the security on the folder tree.
Note that this will make Explorer seem to users like they can't create new files (templates aren't shown in the New submenu of the context menu), but saving files in such a folder works just fine.
Further note that users may still be able to alter or move the very root of the tree you adjusted due to the security on that folder's parent.
Caution! This procedure replaces the security settings of the entire directory tree. You should probably test it in a testing environment or a small subtree first to make sure that it does what you want.
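The access-control-list procedure in the answer above can also be scripted. The following is an added example, not part of the original answer: `D:\Jobs` and `CONTOSO\JobUsers` are placeholder assumptions, and it assumes an elevated PowerShell 5 or later session. Like the GUI steps, it replaces the permissions on the whole tree.

```powershell
# Added example: scripted equivalent of the GUI steps above. Run elevated.
# $Root and $Group are placeholders (assumptions), not values from the page.
$Root  = 'D:\Jobs'
$Group = 'CONTOSO\JobUsers'
$AllowNewSubfolders = $false

$Rule    = [System.Security.AccessControl.FileSystemAccessRule]
$sidType = [System.Security.Principal.SecurityIdentifier]
$sid     = ([System.Security.Principal.NTAccount]$Group).Translate($sidType)

# Disable inheritance on the root and copy the inherited rules. The copies only
# become explicit (editable) entries once the ACL is written and read back.
$acl = Get-Acl -LiteralPath $Root
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $Root -AclObject $acl
$acl = Get-Acl -LiteralPath $Root

# Rewrite the group's Allow rules as "Files only" (object inherit + inherit only).
# Note: a copied rule holding raw generic rights is rejected by the constructor.
$acl.GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value -and
                   $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        [void]$acl.RemoveAccessRuleSpecific($_)
        $acl.AddAccessRule($Rule::new($sid, $_.FileSystemRights,
            'ObjectInherit', 'InheritOnly', 'Allow'))
    }

# New rule for "This folder and subfolders": read-like rights plus file creation.
$rights = 'ReadAndExecute, CreateFiles'
if ($AllowNewSubfolders) { $rights += ', CreateDirectories' }
$acl.AddAccessRule($Rule::new($sid,
    [System.Security.AccessControl.FileSystemRights]$rights,
    'ContainerInherit', 'None', 'Allow'))
Set-Acl -LiteralPath $Root -AclObject $acl

# "Replace all child object permission entries": re-enable inheritance on every
# descendant and drop its explicit entries so only the root's rules apply.
Get-ChildItem -LiteralPath $Root -Recurse -Force | ForEach-Object {
    $childAcl = Get-Acl -LiteralPath $_.FullName
    $childAcl.SetAccessRuleProtection($false, $false)
    $childAcl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { [void]$childAcl.RemoveAccessRuleSpecific($_) }
    Set-Acl -LiteralPath $_.FullName -AclObject $childAcl
}
```

Running `icacls` on the root and on one subfolder afterwards shows whether the group's entries carry `(OI)(IO)` for the file rule and `(CI)` for the folder rule.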