Deny deletion of a folder

Netmasker

On my Windows 2000 workstations I want my users to have the following access
on a specific folder e.g. named "test" (This folder has no subfolders and
files yet but the permissions will also concern the future ones):

Administrators: Full Control (ok that's easy)

Authenticated Users will:
- have Read & Execute permissions on the folder
- have Full Control on future subfolders and files
- not be able to delete or rename the folder "test"

Can this be done with the command "cacls" ? How can I deny deletion of a
folder with "cacls" ??

If "cacls" can not be used can any one spend one minute and tell me how can
I achieve this using NTFS permissions ???

p.s. I understand everything about special permissions and inheritance in
the advanced tab etc. but denying deletion of the folder "test" itself does
not work even if I set this in the advanced tab:
"Apply onto: This folder only - Deny - Delete". Despite this setting my
users CAN delete the folder "test"! What am I doing wrong?

Thanks in advance
 
Steven L Umbach

On the main security page give administrators full control and users
read/list/execute. Then go into advanced permissions page. Select add, select the
users group, in apply onto select subfolders and files only, then check allow for all
permissions. Hit OK and you should have the permissions you want. -- Steve
 
Netmasker

Thanks Steven but I have done this many times and it doesn't work. Please
spend a minute to TRY IT YOURSELF (and anyone else) and you will see that IT
DOES NOT WORK. 'Users' are able to delete the folder "test" and they can't
create any subfolders and files in it!!! It does not seem logical but that is
the case!
I think that the problem is that there are no subfolders and files created
yet inside the folder "test".
Please TRY IT before proposing something else.

Any other help is appreciated
 
Steven L Umbach

I have done it numerous times before, but I apologize because I see my recommendation
was wrong. I just need to modify my recommendation by saying that users will need
read/list/execute/write permissions on the main security page. They must have write
permissions to the folder to be able to create subfolders/files, but that will not
allow them to delete the main folder you refer to as test [assuming a regular user is
not owner also]. After you set it up double check the advanced permissions to make
sure that delete is not selected for users for any special permission that includes
"folder". Also make sure your test user is only a member of the users group. I did
just test my recommendation again by creating a folder while logged on as
administrator with the said permissions. When I logged on as a regular user I was
able to create/delete subfolders and files but not delete the root folder where I set
permissions. Keep in mind that with ntfs permissions an explicit allow overrides an
inherited deny. --- Steve
 
Netmasker

I have figured out the problem but not the solution!

The problem is that my folder "test" IS UNDER THE ROOT DIRECTORY (C:\) and
even the 'explicit deny deletion' of the folder "test" does not work for the
'users' (and of course I DO NOT "Allow inheritable permissions from parent
to propagate to this object").

But if I set the exactly same permissions to a subfolder of the folder
"test" then I take the desired result!!!

I have to mention that the permissions on my root directory (c:\) are set to
"Everyone-Full Control", but why does this affect the folders inside the
root directory when I do not allow inheritance ???

Please try it yourself and you will see this strange behavior of NTFS
permissions...
 
Greenseed

Hi! I tried it at home, on my c:\ root with a dir named test... and
same for me, I was unable to deny delete permission on the \test folder ..
only if I give read permission! Strange! If I only give deny write on
the folder it works! And on my root I only have Administrator, system and
service that can use my drive at all...

I tried in the advanced tab, but was unable to comply!...

I searched for my problem and found it! It's because I tested it with user
administrator... and administrator has owner on the files! And maybe
win2k lets me delete it because of that!

Anyway... in my mind this is not right! When I set permission to deny
delete.. it must do it! In any way! If you remove inheritable!


Greenseed
 
Steven L Umbach

It should not. Make sure you logoff and back on computer before testing changes. I
did create a folder under the root and had no problem denying access to regular users
to delete the "main" folder. My root folder however has the everyone group removed
and users have read/list/execute permissions. I have emailed you a screenshot of my
test folder permissions. --- Steve

 
Steven L Umbach

I realized after posting that I was on my XP computer. So I went into the
basement where the W2K Server boxes are and set one up with everything
exactly as you described and lo and behold I experienced the same thing on
the W2K computer as you described. With the everyone group having full
permissions to the root folder and NO permissions [not even listed] at all on
a subfolder, a user with only read/list/execute/write ntfs permissions to
the subfolder of the root could delete it. I would classify that as a "bug".
If I changed the everyone group to read/list/execute on the root folder,
then a regular user could no longer delete the subfolder. If you can live
with the everyone group having no more than read/list/execute/write
permissions on the root folder, then you should be able to implement your
folder structure as needed. This was a new one for me - as I said I always
remove or give the everyone no more than read/list execute. --- Steve
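
Added example, not part of any post in this thread: a small Python model of the documented NTFS delete rule, under which a delete succeeds if the caller has DELETE on the object or FILE_DELETE_CHILD ("Delete Subfolders and Files") on its parent. The ACLs, group names and token are constructed to mirror the folders described above, and the access check is simplified (no owner rights, privileges or generic mapping).

```python
# Added illustration: simplified model of the NTFS delete decision.
# Access-mask values are the winnt.h constants; ACLs and names are constructed.
DELETE            = 0x00010000   # "Delete" on the object itself
FILE_DELETE_CHILD = 0x00000040   # "Delete Subfolders and Files" on the parent
FILE_ALL_ACCESS   = 0x001F01FF   # Full Control (includes both bits above)
READ_EXECUTE      = 0x001200A9   # FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
GENERIC_WRITE     = 0x00120116   # FILE_GENERIC_WRITE

def access_check(acl, token, desired):
    """Walk ACEs in order; a matching deny on a still-needed bit fails at once."""
    remaining = desired
    for ace_type, trustee, mask in acl:
        if trustee not in token:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return False

def can_delete(parent_acl, child_acl, token):
    """Delete succeeds with DELETE on the child OR FILE_DELETE_CHILD on the parent."""
    return (access_check(child_acl, token, DELETE)
            or access_check(parent_acl, token, FILE_DELETE_CHILD))

# Constructed token for an ordinary logged-on user.
USER_TOKEN = {"Everyone", "Authenticated Users", "Users"}

# The root folder as described in the thread, and a tightened variant.
ROOT_OPEN  = [("allow", "Everyone", FILE_ALL_ACCESS)]
ROOT_TIGHT = [("allow", "Administrators", FILE_ALL_ACCESS),
              ("allow", "Everyone", READ_EXECUTE)]

# The "test" folder: inheritance blocked, explicit Deny Delete for users.
TEST_ACL = [("deny",  "Authenticated Users", DELETE),
            ("allow", "Administrators", FILE_ALL_ACCESS),
            ("allow", "Authenticated Users", READ_EXECUTE | GENERIC_WRITE)]

if __name__ == "__main__":
    for name, root in (("Everyone: Full Control", ROOT_OPEN),
                       ("Everyone: Read & Execute", ROOT_TIGHT)):
        print(f"root = {name:26} user can delete C:\\test: "
              f"{can_delete(root, TEST_ACL, USER_TOKEN)}")
```

In this model the Deny Delete ACE on "test" is never consulted once the parent grants FILE_DELETE_CHILD, which is why blocking inheritance on "test" makes no difference.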

 
