NTFS Permissions - deny delete does not work

6

1

Hopefully you guys will be able to help me out.

=========================

Scenario:

FolderA > FolderB

FolderA Permissions (no inheritance):

This Folder Only

Deny Delete

Allow everything else

Subfolders & Files

Allow everything

========================

With such a configuration, I should be able to do everything in FolderA, but not delete it or change its name; however, it is not working. I'm still able to delete and change the name of FolderA.

Thanks Heaps

Gabriel

Gabriel Teixeira

Posted 2014-09-23T02:06:26.263

Reputation: 63

Can you please provide the following details? I'm facing similar issues. 1) Output of "icacls" on FolderA and any object/container within FolderA. 2) What user have you logged in as to delete the folder? 3) Which user have you denied the delete permission to? If users 2) & 3) are different, maybe that's the reason – Dhiwakar Ravikumar – 2014-09-23T09:34:51.840

Hi there... 1) FolderB is actually inside FolderA. 2) Just admin can delete the folder. 3) The test user cannot delete the folder (the test user is not part of the administrator group). Problem is... after such permissions... the test user still has access to delete the folder. – Gabriel Teixeira – 2014-09-25T04:10:06.650

Answers

2

You have to take into account that deleting/renaming a file is actually a write operation on the parent folder, which is a special "file" that contains the list of children (files or subfolders). As such, to prevent deleting a file, you need to remove the write permission on the parent folder.

See KB 308419 for an explanation:

The Delete permission allows or denies the user from deleting the file or folder. If you do not have a Delete permission on a file or folder, you can delete the file or folder if you are granted Delete Subfolders and Files permissions on the parent folder.

Guillaume Gros

Posted 2014-09-23T02:06:26.263

Reputation: 54

Hi there..... the parent folder (FolderA) has had its permissions changed to deny delete and write (this folder only)...... users have full control of everything underneath (FolderB, subfolders and files only). Even though FolderA has got deny permissions for delete and write, users are still able to do so. – Gabriel Teixeira – 2014-09-26T01:01:32.370

Can confirm that this absolutely DOES NOT WORK on Windows 10. Even with Everyone set to deny both writing and deleting on the parent and the files, you can still delete both. – Jonathon – 2016-04-06T22:01:31.273

1

To properly deny access to delete from the parent folder only and allow deleting from the subfolders, you have to set two sets of permissions for the user/group.

  1. Allow read, write and modify. This is important: keep "delete subfolders and files" checked, but uncheck "DELETE". I have found that if a user has permission for "delete", any deny permissions will not work! This should be applied to this folder, subfolders, and files.

  2. DENY the user "delete" and "delete subfolders and files" and apply to this folder only.

I spent a lot of time figuring this out and it works!

Asher

Posted 2014-09-23T02:06:26.263

Reputation: 11
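As an added example (not code from the thread), the two rules from the answer above applied with PowerShell, followed by the two checks a troubleshooter would run: the resulting ACEs on FolderA, and, per Guillaume's point, the ACL of FolderA's parent, since deleting FolderA is a write on that parent. The folder path C:\Share\FolderA and the account CONTOSO\TestUser are assumed placeholders.

```powershell
# Added example, not from the thread. Assumed placeholders: the folder is
# C:\Share\FolderA and the account is CONTOSO\TestUser; change both.
using namespace System.Security.AccessControl

$folder  = 'C:\Share\FolderA'
$account = 'CONTOSO\TestUser'

$acl = Get-Acl -Path $folder
# The question's FolderA has inheritance disabled; keep existing ACEs as explicit ones.
$acl.SetAccessRuleProtection($true, $true)

# Rule 1 (step 1 of the answer): Modify-level access WITHOUT Delete. Modify
# itself includes Delete, so the rights are spelled out instead, and
# DeleteSubdirectoriesAndFiles stays granted. Inherits to subfolders and files.
$allowRights = [FileSystemRights]::ReadAndExecute -bor
               [FileSystemRights]::Write -bor
               [FileSystemRights]::DeleteSubdirectoriesAndFiles
$allow = [FileSystemAccessRule]::new(
    $account, $allowRights,
    [InheritanceFlags]::ContainerInherit -bor [InheritanceFlags]::ObjectInherit,
    [PropagationFlags]::None,
    [AccessControlType]::Allow)

# Rule 2 (step 2 of the answer): deny Delete and DeleteSubdirectoriesAndFiles
# on this folder only, so no inheritance flags.
$denyRights = [FileSystemRights]::Delete -bor
              [FileSystemRights]::DeleteSubdirectoriesAndFiles
$deny = [FileSystemAccessRule]::new(
    $account, $denyRights,
    [InheritanceFlags]::None,
    [PropagationFlags]::None,
    [AccessControlType]::Deny)

$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -Path $folder -AclObject $acl

# Check 1: the ACEs that now apply to the account on FolderA.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq $account } |
    Format-Table AccessControlType, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# Check 2 (Guillaume's answer): deleting FolderA is a write on its PARENT, so a
# "delete subfolders and files" (DC) grant there still lets the account remove
# FolderA regardless of FolderA's own ACL. Inspect the parent's ACL.
icacls (Split-Path -Path $folder -Parent)
```

Run it from an elevated prompt as an account that owns or has full control of FolderA; if Check 2 shows DC for the test account on the parent, that grant explains the deletions reported in the question.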