How to prevent users from deleting a folder, while still giving them modify permissions to its contents?

23

3

I am trying to prevent users from accidentally deleting certain folders (such as their personal scan destination folder - stored in their home drive), while still giving them read+write permissions to the contents of these special folders.

My experimentation with various different NTFS permission combinations has been unsuccessful, as I find that the users are either unable to access the contents... or able to delete the parent folder.

How can I do this?

enter image description here

Austin ''Danger'' Powers

Posted 2014-02-23T05:41:54.003

Reputation: 5 992

Answers

14

As Graham pointed out, using multiple permissions entries for the same user (something I had never tried before) was the key here:

enter image description here

The permissions on the parent folder give the users almost absolute freedom to make any change... except that the "delete" box is unchecked - so users cannot delete/move/rename this important folder by accident:

enter image description here

Moving on to the second permission set for the same user (which apply not to the folder itself, but to its contents), we see the exact same rights granted to the user, including "delete" privileges.

So, users can do anything they wish to the subfolders and files, including deleting/moving/renaming them.

enter image description here

This configuration allows me to protect key folders, such as personalised target scan directories which reside in user personal network locations. Users can modify the contents (such as deleting PDFs of scans they no longer wish to keep), but cannot inadvertently cause problems for themselves by deleting a folder the scanner expects to see when saving to the network.

I had to disable inheritance for the special folder as it was otherwise not possible to make changes to the user's permissions which varied from the root of the network share; however, all subfolders and objects do use inheritance in order to obtain their permissions from their parent folder.

Once I figured out exactly what needed to be done, this only took a couple of minutes to adjust for each user. I now have peace of mind that key network folders cannot accidentally get deleted by users.

Austin ''Danger'' Powers

Posted 2014-02-23T05:41:54.003

Reputation: 5 992

Huh... I am doing exactly what you did for the permissions and it will not work at all for me for some reason... It still lets me delete the folder... I set it up using the "Everyone" as the user. – Radical924 – 2014-12-16T23:00:10.803

I could help you but I'd need more specific information than you've given so far :) – Austin ''Danger'' Powers – 2015-01-28T01:57:17.777

1I just wanted a way with permissions to prevent myself from accidentally deleting the folders but not the items inside. When I set the permissions as instructed above it still let's me delete the folders. – Radical924 – 2015-01-28T20:28:27.617

I need to see a screenshot of your permissions to see where you're going wrong. Try asking it as a question on this site (with relevant permissions screenshots) and it will be easy for me to tell you why this isn't working :) – Austin ''Danger'' Powers – 2015-01-30T11:23:49.657

I have it setup exactly the same as above. So I mean realistically the images above are what you'd be looking at. Idk maybe it is because I have admin privileges or something. Me making a post isn't going to help IMO. – Radical924 – 2015-01-31T03:29:49.080

You would have had a definitive answer to this days ago if you posted the appropriate screenshots. We can't answer this one based on your description (only make guesses). You could be a domain admin or a member of a group with domain admin rights... or something else along those lines. Ok, well I suggest you look at the groups you are a member of until you find something which could explain the access. – Austin ''Danger'' Powers – 2015-01-31T08:12:12.140

1

The folder should have read permission, delete subfolders and files, create folders /append data, create files / write data, read attributes, list folder / read data, traverse folder / execute file and that's it. The contents should be full control. This combination should (assuming correct ownership of the files and correct user creation and administration) allow your users to have access through the folder to it's contents, without them being able to delete or modify the folder itself.

George Spiceland

Posted 2014-02-23T05:41:54.003

Reputation: 391

How should I set the permissions for full control on the parent folder? When I disable inheritance to the parent folder to allow the removal of the "delete" permission to "this folder only" on the parent folder, the user's permissions entry on all child objects is also removed. This is unexpected - I thought the user's permissions on the child objects would have been inherited from the root of the share (something it continues to do for other users). I want the user to inherit all these read/write permissions from the grandparent folder, so that the user automatically has access to new scans. – Austin ''Danger'' Powers – 2014-02-23T06:07:58.113

"The contents should be full control". How do I configure it so that each scanned document that gets saved to this folder automatically gets (inherits?) read/write permissions for the user? Right now, if I enable inheritance for the contents, they only inherit the restrictive permissions on the parent folder... leaving the user unable to access the contents. – Austin ''Danger'' Powers – 2014-02-23T06:39:32.670

1In your screenshot, the dropdown for "Apply onto" is the key. You need to add two sets of permissions - one for "This folder only" and one for "Subfolders and files" – Graham Wager – 2014-02-23T07:40:55.570

Graham, do you mind editing my answer to add your information to further clarify? I didn't think to mention it myself, and I'm glad you could assist us with that. – George Spiceland – 2014-02-23T17:36:25.920

@GeorgeSpiceland: beat you to it! :) – Austin ''Danger'' Powers – 2014-02-24T00:40:39.517

1@Austin''Danger''Powers I'm never upset to have a better answer beat me. :) – George Spiceland – 2014-02-24T01:40:29.753

1Haha, I would have posted an answer but I was on mobile at the time. Glad I could help though :) – Graham Wager – 2014-02-24T11:54:36.280

1

The ability to delete something from a folder is usually dependent upon the permissions assigned by the parent and not the folder itself (i.e. You can't say: "Don't delete me"). So this means you need to control the delete permission of the folder itself in the permissions of the parent of the folder.

For example:

A
|-B
| + a.html
| + b.html
| + c.html
+-C
  + a.doc
  + b.doc
The ability to delete "a.html" is controlled by "B" (or inherited from "A"). So if you want to stop being able to delete "B" then you need to set the permissions properly on "A". This gets rather annoying when you want to be able to delete "C" but not "B". Sometimes assigning the ownership of a folder (but not its contents) to a separate user is easier and more obvious.

Bill

Posted 2014-02-23T05:41:54.003

Reputation: 81

0

If Austin Power's answer is not working for you here's two other options

Option 1

Just create a sub-folder with one empty text file and take away access for them from the users you wish to protect.

How does it work?: Since the users can't delete the file in the sub-folder they also can't delete the sub-folder and the parent folder.

Caution!: If you try to delete the parent folder you will indeed fail but only after everything inside has been deleted (except of course the special folder/file).

Option 2

Follow this procedure Prevent Folder Deletion or inadvertent Drag and Drop with NTFS security

ndemou

Posted 2014-02-23T05:41:54.003

Reputation: 491

Asked: 2014-02-23T05:41:54.003

Viewed: 137 410 times

Active: 2018-08-28T13:39:50.563