How to prevent users from deleting one folder, while still giving them modify permissions to other files and folders?
I am trying to prevent users from accidentally deleting a certain folder in a parent folder, while still giving them modify permission on all other files and folders in the parent folder. But they should be also able to modify files and folders in this certain folder.
On this comment to a similar problem my problem is described very good, but there was no answer to this comment. https://superuser.com/a/977180/554054 This is my structur:
Folder A
|-Folder B
|-Folder C
| |+Folder E
| | |+ a.doc
| |+Folder F
| | |+ b.doc
| |+c.doc
|-D
- Folder A - Read/Execute
- Folder B/D - Read/Execute (inherited from A) + Read/Write/Delete for Fils/Subfolders
- Folder C - Read/Execute (inherited from A) + Read/Write/Delete for Fils/Subfolders, EXCEPT for Folder E! This Folder shouldn´t be allowed to delete, but in the Folder the user should be able to read/write/delete subfolders and files.
i tried many different ways of permission combinations, but nothing worked. Has anyone an idea how to solve this problem?
Here are two screenshots of my Advanced Settings for the Folder E: Advanced Settings Folder E inherited special Permissions for the User "Bearbeiter"
Solution 1:
I am trying to prevent users from accidentally deleting a certain folder in a parent folder, while still giving them modify permission on all other files and folders in the parent folder. But they should be also able to modify files and folders in this certain folder
Prevent Folder Deletion or inadvertent Drag and Drop with NTFS security
If you want to prevent a specific folder from being deleted or dragged and dropped elsewhere, even if it has elevated implicit permissions, you can set an explicit DENY to the FOLDER ONLY for the user account or security group which you want to prevent this action from being performed.
You can complete this folder security lock down using ICACLS with a local path (e.g C:\Path\FolderA\FolderE) or a UNC path (e.g \\server\share\FolderA\FolderE).
Example ICACLS syntax to run from an elevated command prompt
ICACLS "\\server\share\FolderA\FolderE" /deny "<UserOrGroupNameToDeny>":(DE)
Permissions Used
/deny user:permission
Explicitly deny the specified user access rights.
This will also remove any explicit grant of the
same permissions to the same user.
perm is a permission mask and can be specified in one of two forms:
a comma-separated list in parentheses of specific rights:
DE - delete
What this does
Running the above with those options in that syntax will set an explicit DENY to the NTFS DELETE permission on that FOLDER ONLY to that specific user account of security group.
You can confirm the deny permissions to the folder for the user account or security group by:
-
right-clickthe folder you've used in the command, - Select the Security tab,
- In the
Group or user name:area scroll to or select and highlight the account or group you've used in the command, - In the
Permissions for Administratorsarea you will see the NTFS permission attributes forAllowandDeny - You'll see a check mark in the
DENYcolumn of thespecial permissionsrow for the account or group you've used in the command
- Select Advanced and go to the Permissions tab
- Check for the
Name(orPrincipal) value that you used in command, forDENYin theTypefield - The
Permissions(orAccess) field should showDeleteand theApply to(orApplies to) will showthis folder only
NOTES
Please note that unchecking an ALLOW DELETE attribute is not the same as leaving that in place as-is and then creating a separate NTFS ACL rule for this same security group or user account saying to explicitly DENY the DELETE security.
This solution does NOT disallow DELETE this way
(WRONG)
This solution WILL explicitly DENY DELETE at this level to THIS FOLDER ONLY
(CORRECT)
(CORRECT)
Further Reading and Resources
- ICACLS