How to make a folder read-only in Windows?

So I want to prevent myself writing into some files into folder. I always works with back_up folders in which I compare, transfer data to target projects. The problem is that sometimes on mistake I edit the Back-Up files. Is there any way I can deny the edit/write permission for myself? I don't want files to be renamed/deleted. Setting the folder read only flag is something that does absolutely nothing - after that I can edit/delete files with no problem again (at least in Win 8.1). This is very important for me - because for now I've corrupted many back_up files that way and this give me a lot of trouble. Any ideas?

I'm running latest version of Windows 8.1 x64.

Nemo759

Posted 2015-01-23T07:32:23.337

Reputation: 329

What is the filesystem type of the disc where you placed the backup folder? NTFS or FAT? – Werner Henze – 2015-01-23T08:07:16.097

1When you right click a folder/file and go to it's properties, do you see a "Security" tab? – txtechhelp – 2015-01-23T08:11:04.097

It does. The FS is NTFS. – Nemo759 – 2015-01-23T08:53:01.103

This would be helpful for version tracking to prevent accidentally overwriting old file versions. (v1, v2, v3, etc) – Stevoisiak – 2017-06-29T16:21:31.507

@McDonald's It's a single folder containing the files. Each time I make a change, I do "Save As" and increment the version number. However, sometimes I accidentally hit "Save" and overwrite my file – Stevoisiak – 2017-06-29T22:49:39.327

@McDonald's I don't plan on purging. This is for a corporate environment where multiple versions are written and revised fairly often. I'm already up to v19 for one document. – Stevoisiak – 2017-06-29T22:53:21.157

@StevenVascellaro Ya, I've heard that before, and in a few corporate environments, so I'm familiar with that requirement.... everybody has to keep everything and forever per rules, regs, CYA, etc.!! Whatever floats your company's corporate policy adherence and compliance boat is fine by me. – Pimp Juice IT – 2017-06-30T06:02:32.287

Answers

Original answer:

If it's NTFS, you can use the file system security feature.

Edit the folder's "security" tab, I'm assuming you didn't change them before: delete "authenticated users", it may warn you that you must disable inheritance first, do so in the "advance" option.
Make sure UAC is on.

Now when you try to edit/add/delete anything inside that folder, UAC will warn you, you can even set it to higher level that you must enter your password every time.

Edit: The above method is a fool-proof easy guide, which only apply to Windows Vista+ and require admin rights, and untempered file/folder security settings to start with.

However if you understand the principle behind, you can do this on nearly any Windows version with NTFS, on any user account.

Assume your normal working account is A, and another "safe" account is B, you can set the folder owner to B and give full privilege to it (don't forget to check "replace all child object permissions with inheritable permissions from this object"), then add account A as read-only, and now you can only write to it with account B, while still read/use it in the daily account A.

Without administrator rights, you cannot remove administrator from the access list, nor change the owner if it was administrator. But the method should work anyway, also if you create the folder, the owner should be default to you.

PS. All above are based on my experience, welcome to advice if you have better method.

Sam

Posted 2015-01-23T07:32:23.337

Reputation: 950

What if we don't have administrator rights? – Stevoisiak – 2017-06-29T16:03:50.397

_{It's a single folder containing the files. Each time I make a change, I do "Save As" and increment the version number. However,
sometimes I accidentally hit "Save" and overwrite my file – Steven
Vascellaro}

How to make files within a folder read only accessible

You can use ICACLS and explicitly deny the write attributes permission to all the files within a specific folder and prevent yourself (or any security group) from overwriting or modifying these files but still allow read access to open them.

Below is a batch script with environmental %userdomain%\%username% variables to define the current domain (or local machine name) and username signed onto the machine you execute the batch script as (i.e. <domain>\<username>) to deny the access to the account; this can easily be replaced with any valid domain security group name if needed as well (i.e. <domain>\<securitygroupname>).

Batch Script

Replace the value of the Folder= variable to be the full explicit folder path (or UNC path) to the location you need to make the existing files within read only accessible.

@ECHO ON

SET Folder=C:\Users\User\Desktop\Test
SET Security=%userdomain%\%username%

ICACLS "%Folder%\*" /deny "%Security%":(OI)(WA)
EXIT

If you look at the file ACL permissions, you will see the write attributes with an explicit deny now that applied to this folder and files.

Here's a folder with test documents with V1, V2, and so on which has already had be batch script run against.

If you try to save the file the save as dialogue will pop up, and if you try to overwrite the file that already exists with the same file name, you will get an access denied error message since that file is read-only accessible for this account.

You simply do a save as, give the file a different name but to the same folder which you locked down all the files to be read only accessible, and this is where you'd increment your number up by one or whatever.

Any newly saved files in this folder will now have the write attributes denied and thus these permission restrictions are applied to it effective immediately once the file with the new file name is saved to this folder.

Further Reading and Resources

Environment Variables

ICACLS

/deny Sid:perm explicitly denies the specified user access rights.
    An explicit deny ACE is added for the stated permissions and
    the same permissions in any explicit grant are removed.

WA - write attributes


    inheritance rights may precede either form and are applied
    only to directories:
(OI) - object inherit

Pimp Juice IT

Posted 2015-01-23T07:32:23.337

Reputation: 29 425

Will this need to be re-run any time I save a new version to the folder? If so, my current solution of occasionally re-marking the entire folder/subfolders as read-only seems to work equally well. – Stevoisiak – 2017-06-30T13:21:42.073

I want to restrict the option of overwriting existing files, but I want to be able to save new files to the folder. Essentially, I want the files to become "read only" once they have been created. In hindsight, I think this may have been more appropriate as separate question... – Stevoisiak – 2017-06-30T15:11:47.643

1@McDonald's There's no need to repeatedly apply this ACE to files as they're created. Instead, your answer could be made better by applying the Deny Write Attributes ACE to the Folder, but with the Apply to: Files only setting. This would affect all current and future files and never require re-running the script to apply the ACE to individual files. – I say Reinstate Monica – 2017-06-30T18:27:32.920

2@StevenVascellaro You're probably correct this should have been a separate question. The original question doesn't explicitly state that the OP wanted to be able to add files to his folder. In fact, his opening statement is "I want to prevent myself writing into some files into folder." What you and he are asking are solved differently, especially since it's impossible with NTFS to prevent BOTH creating AND renaming/deleting files. – I say Reinstate Monica – 2017-06-30T18:37:29.340

1@McDonald's Another way to improve your answer would be to have a script that periodically modified all existing files to add the Deny Delete ACE. While there's no way to do this in advance via NTFS permissions set at the folder level, this would satisfy the request of not being able to delete/rename existing files. – I say Reinstate Monica – 2017-06-30T18:39:37.737

@StevenVascellaro As Twisty suggested, I've updated the answer to include the syntax to set the permission to apply only to This folder and files so now you only need to run the script once for it to work as expected. Big kudos to Twisty for spotting that and mentioning it. It was as simple as adding the (OI) to the script so my answer is updated accordingly. – Pimp Juice IT – 2017-06-30T20:31:32.843

@McDonald's The solution did not work, likely due to corporate-specific file permissions. However, I have realized my issue is outside this question's scope. I am awarding you the bounty as thanks for the significant effort you've shown towards helping me with my issue. – Stevoisiak – 2017-07-03T14:41:17.480

Romeo is correct, you can make your individual files read-only that way through the properties, but you won't be able to protect it from deletion.

A further suggestion, if you'd like to quickly change multiple files to read only.

Open up a command prompt and enter the command attrib +r [path] taking advantage of the wildcard *

Norr

Posted 2015-01-23T07:32:23.337

Reputation: 109

This is helpful, but it only affects existing files. The OP wants to have the read-only status apply to new files also. – I say Reinstate Monica – 2017-06-30T18:32:45.207

-3

Right click on folder, Properties, below Attributes, set ReadOnly, Apply.

This will make all files in this folder (and subfolders if you select) to be only for read. When you try to save R/O file the software will offer you to Save As different name

Romeo Ninov

Posted 2015-01-23T07:32:23.337

Reputation: 2 062

็However in this method I can still delete files. – Nemo759 – 2015-01-23T07:40:26.913

I am sorry, but you try to hide from self the things. Build strong discipline when you manipulate files! – Romeo Ninov – 2015-01-23T08:44:15.307

1Why to bother if OS can do it for me? – Nemo759 – 2015-01-23T08:53:29.300

1No OS can safe from human stupidity – Romeo Ninov – 2015-01-23T09:09:53.493

Don't be so sure but anyway let's get back on topic. – Nemo759 – 2015-01-23T09:12:38.903

There are few ways to do it. 1. Make backup offline and sync via network. 2. Make the folder and files system to get extra warning when deleted or altered – Romeo Ninov – 2015-01-23T09:39:30.800

1This only applies to currently saved files. Any file saved to the folder later on will not have the "read-only" attribute – Stevoisiak – 2017-06-29T16:20:16.967

@StevenVascellaro, check the OP question, he talk all the time about edit/delete existing files. So this solution will work – Romeo Ninov – 2017-06-29T16:45:51.907