Windows permissions - don't allow user to delete file, even if they are the owner
I have a user account set up so that it can create folders/files, but it can NOT delete folders/files created by other users; however, they still can delete folders/files that they have created. I do not want them to be able to do this.
Is there a way I can disallow users from deleting things, even if they are the owner/creator?
Or, can I automatically change the owner of a folder/file to admin when it is created, thereby blocking the general user account from being able to delete it?
Any ideas or suggestions?
Solution 1:
The key is that users can delete a file if the file's ACL entitles them to delete it or the containing directory's ACL gives them the delete-child permission. You need to make sure that this limited user doesn't get either permission. On the special folder from which they shouldn't be able to delete files, assign them the following permissions in the Advanced Security Settings window:
- Allow "traverse folder / execute file", "list folder / read data", "read attributes", "read extended attributes", "create files / write data", "create folders / append data", and "read permissions" on "this folder and subfolders"
- Deny "delete subfolders and files", "delete", and "change permissions" on "this folder, subfolders, and files"
- Allow full control on "files only" (this will be moderated by the previous deny rule)
But because this user is the owner of any files they create, they are entitled to change the permissions to allow deletion. The last piece of the puzzle is the arcane OWNER RIGHTS principal. You can type that phrase right into the user selection dialog where you would usually type the name of a user or group. Create one last rule on the folder that grants only "read permissions" on "subfolders and files only" to OWNER RIGHTS. Then the only advantage of being the owner of a file in that folder is that it guarantees ability to see the ACL, but not to change it.
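The four rules from Solution 1 scripted in PowerShell, as an added example that is not part of the original answer. The folder path and account name are hypothetical placeholders, and OWNER RIGHTS is referenced by its well-known SID S-1-3-4 so the script does not depend on the localized display name.

```powershell
# Added example, not from the original answer. $Folder and $User are
# hypothetical placeholders. Run from an elevated PowerShell prompt.
param(
    [string]$Folder = 'D:\Shared\Incoming',
    [string]$User   = 'EXAMPLE\limiteduser'
)
$ErrorActionPreference = 'Stop'

$account     = [System.Security.Principal.NTAccount]::new($User)
# OWNER RIGHTS by well-known SID, so the localized name does not matter.
$ownerRights = [System.Security.Principal.SecurityIdentifier]::new('S-1-3-4')

# One entry per rule in the answer. Inherit/Prop encode the "Applies to" choice.
$rules = @(
    # Allow create/list/read on "this folder and subfolders"
    @{ Id = $account; Type = 'Allow'; Inherit = 'ContainerInherit'; Prop = 'None'
       Rights = 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ' +
                'CreateFiles, CreateDirectories, ReadPermissions' },
    # Deny delete and ACL changes on "this folder, subfolders, and files"
    @{ Id = $account; Type = 'Deny'; Inherit = 'ContainerInherit, ObjectInherit'; Prop = 'None'
       Rights = 'DeleteSubdirectoriesAndFiles, Delete, ChangePermissions' },
    # Allow full control on "files only" (the deny rule above still wins)
    @{ Id = $account; Type = 'Allow'; Inherit = 'ObjectInherit'; Prop = 'InheritOnly'
       Rights = 'FullControl' },
    # OWNER RIGHTS: read permissions only, on "subfolders and files only"
    @{ Id = $ownerRights; Type = 'Allow'; Inherit = 'ContainerInherit, ObjectInherit'; Prop = 'InheritOnly'
       Rights = 'ReadPermissions' }
)

$acl = Get-Acl -LiteralPath $Folder
foreach ($r in $rules) {
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $r.Id,
        [System.Security.AccessControl.FileSystemRights]$r.Rights,
        [System.Security.AccessControl.InheritanceFlags]$r.Inherit,
        [System.Security.AccessControl.PropagationFlags]$r.Prop,
        [System.Security.AccessControl.AccessControlType]$r.Type)
    $acl.AddAccessRule($ace)
}
Set-Acl -LiteralPath $Folder -AclObject $acl

# Check: list the explicit (non-inherited) entries now set on the folder.
(Get-Acl -LiteralPath $Folder).Access |
    Where-Object { -not $_.IsInherited } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights,
                 InheritanceFlags, PropagationFlags -AutoSize
```

After running it, create a file in the folder as the limited user and confirm that both deleting it and editing its permissions are refused.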
Solution 2:
Prevent NTFS Object Owners From Changing Permissions
If users access their data through a Windows network share, a system administrator can prevent the Owner of an NTFS file or folder from changing permissions by not granting the Full Control share permission:
Credit to this article for the concept.
Therefore, whatever permissions are granted to users in the first place will remain in effect, even for object owners, as they won't be able to exercise their ability as Owner to grant themselves permissions not permitted by the server administrator.