9
3
On my computer running Windows XP Pro SP3 I have a folder on my desktop that is very important. How can I lock it so that I can alter anything in it, but the folder itself cannot be removed without resetting a (lock/unlock?) switch?
Xavierjazz
Posted 2011-04-16T19:25:38.053
Reputation: 7 993
16
You can set the "Delete" and "Delete subfolders and files" permissions to "Deny" under Properties → Security → Advanced.
user1686
Posted 2011-04-16T19:25:38.053
Reputation: 283 655
This requires XP Pro and will not work on the popular Home version. – paradroid – 2011-04-16T21:29:49.317
8You would still be able to access this menu by booting Windows XP Home Edition into Safe Mode. Since you only need to make the change once, it wouldn't be too much of a hassle. – nhinkle – 2011-04-16T21:30:45.337
@paradroid: XP Home just doesn't show the GUI, but one can use SetACL or xcacls, or grab a copy of icacls from Win2003.
@grawity: I know, but you have not stated that in your answer. I don't have much experience with Home myself, so I did not know you can get the menu in Safe Mode. – paradroid – 2011-04-16T21:33:37.520
I have XP Pro. I needed to find this information: http://geekswithblogs.net/ram/archive/2006/03/09/71789.aspx before I could see the above image (sort of) under "effective permissions". Thank you, +1. However still too complicated for me. My window is different, seems to require "Group or User Name" before allowing any access to the permissions. I assume that once I understand how to fulfill that requirement, the window will change to one similar to yours and I will be able to select what I want. Please see my next question in my next comment.
– Xavierjazz – 2011-04-16T22:02:56.207I have 1 more question. Based on your image, I would only deny "delete" so that all info in that folder is fully manipulable, which is what I want. Is that correct? Again, thanks. – Xavierjazz – 2011-04-16T22:04:05.800
1@Xavier: 1) It's not different, I just didn't include the username prompt. You can use "Everyone" as a name. – user1686 – 2011-04-16T22:05:59.317
1@Xavier: 2) Yes. – user1686 – 2011-04-16T22:06:19.817
2@paranoid: Try seeing if changing the SharingWizardOn value in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced will get you the screen in normal boots. – user541686 – 2011-04-17T00:10:03.280
Does xcacls actually provide a way to add a denial? – Random832 – 2011-04-17T01:36:12.053
@Random832: sure, xcacls /d Everyone:... – user1686 – 2011-04-17T15:38:24.990
On the site you linked, the /d flag is documented as only taking a user argument, not a user:perm argument. If I try the same with cacls, which is documented the same way on win7, it claims to not be able to understand the username with a : in it. – Random832 – 2011-04-17T18:18:47.297
-2
I'm afraid this is not possible.
Either you remove write permissions, and then it's read-only, or you allow writes and then it is also possible to delete (since this is considered as a write operation).
What I'd recommend if you have very important data is that you back it up, either locally or to be safer on a remote location; one good and easy option to achieve that would be to register for a dropbox account - that will allow you to recover the files if they happen to be deleted, and if you only use up to 2GB of data it is completely free.
Edit: For Windows (I read a bit too promptly), it is indeed possible to specify the permissions in a more fine-grained manner in the Security settings of the folder/files. You can not prevent an admin to assign itself the delete permissions though. In any case, if you're afraid of someone else deleted the files, I'd say a backup is still recommended. And if you're afraid of accidentally deleting the files.. Well back it up either way :)
Seldaek
Posted 2011-04-16T19:25:38.053
Reputation: 135
Thank you for your suggestion (+1) and response. This file is much too large to be "clouded" freely. I suspect you are correct, but I will wait a while before I accept your answer, just in case. Regards. – Xavierjazz – 2011-04-16T21:14:38.077
3Re "it is also possible to delete (since this is considered as a write operation)": This may be true for POSIX, but not for NTFS, which has distinct "create folders", "create files", "delete" and "delete child" permission bits. – user1686 – 2011-04-16T21:20:13.427
1Also, "Deny" permissions do apply to administrators. (However, administrators can always take ownership of any object, and the object's owner can always read and change the object's permissions.) Nevertheless, +1 for making a backup. – user1686 – 2011-04-16T21:29:34.277
@grawity: Fair enough. I just glared at the basic permissions and forgot to check the detailed list. Thanks for correcting. – Seldaek – 2011-04-16T21:29:46.023
If you're just trying to prevent accidental, non-malicious deletion, Grawity's answer will work fine, and it is completely possible. Obviously, if somebody is trying to delete the file and has admin access, there would be a way to do so, note he says "without resetting a (lock/unlock?) switch". – nhinkle – 2011-04-16T21:32:27.397
11Your folder is obviously not that important if the only copy you have is on the desktop of a single computer. You should always assume that your data will be completely unrecoverable the next day, and plan as you would if that were to be the case. – AttackingHobo – 2011-04-17T00:15:26.023
1Where does it say I don't have it backed up? – Xavierjazz – 2011-04-17T02:19:29.943
1I assumed that a person who wants to keep a folder from being deleted because it is important, that the person doesn't have backups, because if any of my important folders are deleted, I would just restore from backup. – AttackingHobo – 2011-04-21T00:44:33.003
1This is no answer or help. Did you read the question? – Xavierjazz – 2011-04-21T14:21:44.230
3And because it is not an answer or help I put it in a comment instead of an answer. – AttackingHobo – 2011-04-21T18:40:42.137