NTFS - Restrict file deletion

Volker Putt

Hi,
I want to prohibit deletion of a file and set the 'delete' permission to
deny, but the file can be deleted anyway. I thought restrictions always
have higher priority than permissions?

How can it be done?

NTFS permissions are XP standard. User is admin. File is in folder. All
other permissions should remain untouched. Only one file should be
protected against deletion.
 
Shenan Stanley

Volker said:
> I want to prohibit deletion of a file and set the 'delete' permission to
> deny, but the file can be deleted anyway. I thought restrictions
> always have higher priority than permissions?
>
> How can it be done?
>
> NTFS permissions are XP standard. User is admin. File is in folder.
> All other permissions should remain untouched. Only one file should
> be protected against deletion.

User is admin? There is nothing you can do to protect the file from
deletion with file/folder perms that they cannot undo.
 
PJG

Shenan Stanley said:
> User is admin? There is nothing you can do to protect the file from
> deletion with file/folder perms that they cannot undo.

Have you tried creating another folder and user, setting non-inheritable
permissions for the folder, and then setting the admin permissions so they are
not able to delete files? Then use the different user to delete if need be.
 
Thee Chicago Wolf (MVP)

Shenan Stanley said:
> User is admin? There is nothing you can do to protect the file from
> deletion with file/folder perms that they cannot undo.

It is possible to lock Admin out of being able to delete files and
folders.

- Thee Chicago Wolf (MVP)
 
Leythos

Thee Chicago Wolf (MVP) said:
> It is possible to lock Admin out of being able to delete files and
> folders.

You can NOT lock an administrator account out of anything - Admins have
the right to take ownership and then do anything they want.
 
Shenan Stanley

Volker said:
> I want to prohibit deletion of a file and set the 'delete' permission to
> deny, but the file can be deleted anyway. I thought restrictions
> always have higher priority than permissions?
>
> How can it be done?
>
> NTFS permissions are XP standard. User is admin. File is in folder.
> All other permissions should remain untouched. Only one file should
> be protected against deletion.

Shenan said:
> User is admin? There is nothing you can do to protect the file from
> deletion with file/folder perms that they cannot undo.

Thee Chicago Wolf (MVP) said:
> It is possible to lock Admin out of being able to delete files and
> folders.

I had to search Google Groups to find this message (after seeing a response
to it) - strange. Also - it seems this message from "Thee Chicago Wolf
(MVP)" is set for no archival... "Note: The author of this message
requested that it not be archived. This message will be removed from Groups
in 6 days (Mar 24, 7:55 am)."

http://groups.google.com/group/micr..._frm/thread/e7b6faa891cb5050/43cfcde4bfedaf12

However - all that being pointed out now - I must ask "Thee Chicago Wolf
(MVP)" how one can lock down the ability of a computer administrator of a
workstation to erase files/folders off said workstation and make it
stick (making it so the administrator of said workstation cannot get around
said restrictions?). I am genuinely curious; perhaps there is a method I do
not know about.
 
John

Volker Putt said:
> NTFS permissions are XP standard. User is admin. File is in folder. All
> other permissions should remain untouched. Only one file should be
> protected against deletion.

Post the file permissions in question.

I did a test on a file with the following permissions combo:
MACHINENAME\Administrator - Deny
MACHINENAME\Administrators - Allow Full Control

Notice the 's' - one of them is Administrators group and the other is user
Administrator.

I'm logged on as MACHINENAME\Administrator. I can delete the above test
file. Yeah, that seems to contradict the fact that Deny has higher
precedence.

If I remove Administrators group, I'm unable to delete the test file. Keep
in mind that nothing stops an Administrator from changing file/folder
permissions.
 
Thee Chicago Wolf (MVP)

>> It is possible to lock Admin out of being able to delete files and
Shenan Stanley said:
> I had to search Google Groups to find this message (after seeing a response
> to it) - strange. Also - it seems this message from "Thee Chicago Wolf
> (MVP)" is set for no archival... "Note: The author of this message
> requested that it not be archived. This message will be removed from Groups
> in 6 days (Mar 24, 7:55 am)."

Yup, it's called X-No-Archive.
> http://groups.google.com/group/micr..._frm/thread/e7b6faa891cb5050/43cfcde4bfedaf12

> However - all that being pointed out now - I must ask "Thee Chicago Wolf
> (MVP)" how one can lock down the ability of a computer administrator of a
> workstation to erase files/folders off said workstation and make it
> stick (making it so the administrator of said workstation cannot get around
> said restrictions?). I am genuinely curious; perhaps there is a method I do
> not know about.

Well, let's not inject what the OP didn't ask to do. The OP wanted to
know if it was possible to lock out the Admin from deleting a file or
folder. And yes, it can be done.

1. Log in as the Admin.
2. Create a folder, let's just do it on C:\ and call it Test.
3. Right click it, do Properties, then Advanced, click the Security
   Tab (you did disable Simple File Sharing, right? ;-)), click Advanced
   again, uncheck "Inherit from Parent...", click Remove, click Apply,
   click Yes, click OK twice.

See if you can delete the folder, Admin. See if you can Shift+Delete
the folder. Nope, you can't.

How about some more fun?

1. Right click the Test folder, do Properties, then Advanced, click
   the Security Tab, click Advanced again, check on "Inherit from
   Parent...", click Apply, click Yes, click OK twice. All the original
   inherited permissions are back so Admin has full control again, right?
2. Copy a couple of small files into the folder.
3. Right-click all the files, do Properties, then Advanced, click the
   Security Tab, click Advanced again, uncheck "Inherit from Parent...",
   click Remove, click Apply, click Yes, click OK twice.

Can you delete them? Nope. But ah-ha, you CAN shift+delete them
because the folder's inheritance will trump whatever the file
permissions have been set to unless you *explicitly* deny inheritance
for the Administrator to delete files and folders.

So yes, something you apparently don't know about. ;-)

- Thee Chicago Wolf (MVP)
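
The following script is an added example and is not code from the thread or from any of its posters. It performs the three experiments discussed here (the two Security-tab procedures above and John's Deny-on-user next to Allow-on-group combination) from PowerShell instead of the Explorer dialog, so the resulting DACLs can be printed and the outcome of each delete attempt recorded. It assumes an elevated PowerShell session on an NTFS volume; the scratch folder under %TEMP%, the file names, and the use of the Delete right for the deny entry (the OP's original attempt) are assumptions of this example. When reading its output, keep two points in mind: Explorer's normal delete moves the file to the Recycle Bin and so needs Delete on the file itself, while a direct delete (Shift+Delete, or any program, including Remove-Item below) is granted either by Delete on the file or by "Delete subfolders and files" on the parent folder, which is exactly what the folder's inherited entries supply in the second experiment. The cleanup at the end uses nothing but the owner's implicit right to rewrite the DACL, which is the undo the rest of the thread argues about.

```powershell
# Added example, not code from the thread: the experiments the posts describe, driven
# from PowerShell instead of the Explorer Security tab. Run in an elevated PowerShell
# on an NTFS volume. The scratch path, file names and the use of the Delete right for
# the deny rule are assumptions made here for illustration.
$ErrorActionPreference = 'Stop'
$base = Join-Path $env:TEMP 'NtfsDeleteTest'                     # assumed scratch location
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function Show-Acl([string]$Path) {
    # Print every ACE with its IsInherited flag so explicit and inherited entries
    # can be told apart; an empty table means an empty (protected) DACL.
    Write-Host "--- DACL of $Path"
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize |
        Out-String | Write-Host
}

function Protect-Acl([string]$Path) {
    # Same as unchecking "Inherit from Parent..." and choosing Remove:
    # $true stops inheritance, $false discards the inherited ACEs instead of copying them.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $Path -AclObject $acl
}

function Restore-Inheritance([string]$Path) {
    # Same as re-checking "Inherit from Parent...". Succeeds even on an empty DACL
    # because the owner always holds READ_CONTROL and WRITE_DAC on its own objects.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-Delete([string]$Path) {
    # Delete through the file API, as a program or Shift+Delete does (no Recycle Bin).
    try {
        Remove-Item -LiteralPath $Path -Force
        Write-Host "DELETED : $Path"
    } catch {
        Write-Host "DENIED  : $Path -- $($_.Exception.Message)"
    }
}

New-Item -ItemType Directory -Path $base -Force | Out-Null

# Experiment 1 (first procedure in the post): a folder with inheritance removed and
# no explicit ACEs, then an attempt to delete it.
$folder1 = Join-Path $base 'Test'
New-Item -ItemType Directory -Path $folder1 -Force | Out-Null
Protect-Acl $folder1
Show-Acl $folder1
Test-Delete $folder1

# Experiment 2 (second procedure in the post): a folder that still inherits from its
# parent, containing files whose own DACLs are empty. A direct delete of these files
# is decided by "Delete subfolders and files" on the folder, not by the files' DACLs.
$folder2 = Join-Path $base 'Test2'
New-Item -ItemType Directory -Path $folder2 -Force | Out-Null
$files = @('a.txt', 'b.txt') | ForEach-Object { Join-Path $folder2 $_ }
foreach ($f in $files) {
    Set-Content -LiteralPath $f -Value 'constructed sample content'   # constructed input
    Protect-Acl $f
}
Show-Acl $folder2
Show-Acl $files[0]
foreach ($f in $files) { Test-Delete $f }

# Experiment 3 (John's combination, with the OP's 'delete' deny): an explicit Deny of
# Delete for the current account next to an explicit Allow Full Control for the
# Administrators group, both set on the file itself.
$file3 = Join-Path $folder2 'c.txt'
Set-Content -LiteralPath $file3 -Value 'constructed sample content'   # constructed input
$acl = Get-Acl -Path $file3
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'Delete', 'Deny')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow')))
Set-Acl -Path $file3 -AclObject $acl
Show-Acl $file3
Test-Delete $file3

# Cleanup, which is also the undo the thread argues an administrator can always perform:
# restoring inheritance needs only the owner's implicit WRITE_DAC, after which the
# ordinary recursive delete goes through.
foreach ($p in @($folder1, $folder2) + $files + $file3) {
    try { Restore-Inheritance $p } catch { }
}
Remove-Item -LiteralPath $base -Recurse -Force
```

Run it as a single script from an elevated prompt. It deliberately prints what happened rather than asserting an outcome, because, as the posts observe, the Explorer dialog and the file API do not behave identically: the DACL listings show which entries are explicit and which are inherited, and the DELETED/DENIED lines show what the API path decided for each object.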
 
Volker Putt

I'm aware of admin permissions but I do not want to restrict the user. I
want to restrict software.

It seems right that folder permissions have higher priority than the
files inside them, no matter if denied or granted. The weird thing is that if
you remove the permissions from the file inside completely, this case
doesn't seem valid anymore. You cannot delete the file even though it's
defined in the parent folder.
 
Thee Chicago Wolf (MVP)

Volker Putt said:
> I'm aware of admin permissions but I do not want to restrict the user. I
> want to restrict software.
>
> It seems right that folder permissions have higher priority than the
> files inside them, no matter if denied or granted. The weird thing is that if
> you remove the permissions from the file inside completely, this case
> doesn't seem valid anymore. You cannot delete the file even though it's
> defined in the parent folder.

If you want to restrict software, you'd have to use group policies or
be in a domain where someone like an Enterprise admin account would
have to block a local admin account from doing what you're trying to
do. That's way beyond the scope of this group.

- Thee Chicago Wolf (MVP)
 
Shenan Stanley

Volker said:
> I want to prohibit deletion of a file and set the 'delete' permission to
> deny, but the file can be deleted anyway. I thought restrictions
> always have higher priority than permissions?
>
> How can it be done?
>
> NTFS permissions are XP standard. User is admin. File is in folder.
> All other permissions should remain untouched. Only one file should
> be protected against deletion.

Shenan said:
> User is admin? There is nothing you can do to protect the file from
> deletion with file/folder perms that they cannot undo.

Thee Chicago Wolf (MVP) said:
> It is possible to lock Admin out of being able to delete files and
> folders.

Shenan said:
> I had to search Google Groups to find this message (after seeing a
> response to it) - strange. Also - it seems this message from "Thee
> Chicago Wolf (MVP)" is set for no archival... "Note: The author of
> this message requested that it not be archived. This message will
> be removed from Groups in 6 days (Mar 24, 7:55 am)."
>
> http://groups.google.com/group/micr..._frm/thread/e7b6faa891cb5050/43cfcde4bfedaf12
>
> However - all that being pointed out now - I must ask "Thee Chicago
> Wolf (MVP)" how one can lock down the ability of a computer
> administrator of a workstation to erase files/folders off said
> workstation and make it stick (making it so the administrator of
> said workstation cannot get around said restrictions?). I am
> genuinely curious; perhaps there is a method I do not know about.

Thee Chicago Wolf (MVP) said:
> Yup, it's called X-No-Archive.
>
> Well, let's not inject what the OP didn't ask to do. The OP wanted to
> know if it was possible to lock out the Admin from deleting a file or
> folder. And yes, it can be done.
>
> 1. Log in as the Admin.
> 2. Create a folder, let's just do it on C:\ and call it Test.
> 3. Right click it, do Properties, then Advanced, click the Security
>    Tab (you did disable Simple File Sharing, right? ;-)), click Advanced
>    again, uncheck "Inherit from Parent...", click Remove, click Apply,
>    click Yes, click OK twice.
>
> See if you can delete the folder, Admin. See if you can Shift+Delete
> the folder. Nope, you can't.
>
> How about some more fun?
>
> 1. Right click the Test folder, do Properties, then Advanced, click
>    the Security Tab, click Advanced again, check on "Inherit from
>    Parent...", click Apply, click Yes, click OK twice. All the original
>    inherited permissions are back so Admin has full control again, right?
> 2. Copy a couple of small files into the folder.
> 3. Right-click all the files, do Properties, then Advanced, click the
>    Security Tab, click Advanced again, uncheck "Inherit from Parent...",
>    click Remove, click Apply, click Yes, click OK twice.
>
> Can you delete them? Nope. But ah-ha, you CAN shift+delete them
> because the folder's inheritance will trump whatever the file
> permissions have been set to unless you *explicitly* deny inheritance
> for the Administrator to delete files and folders.
>
> So yes, something you apparently don't know about. ;-)

I know what "X - No - Archive" is, I just never understood why someone
giving a valid answer would ever bother to do this.

Your answer assumes that the person asking and those who might utilize the
computer cannot learn and cannot regain the rights easily - given in the
original post that they are admins. I knew about the fact that you can
assume users cannot figure things out - it's just bad advice. ;-)
 
Thee Chicago Wolf (MVP)

Shenan Stanley said:
> I know what "X - No - Archive" is, I just never understood why someone
> giving a valid answer would ever bother to do this.

It's because I use an NNTP client, not a web browser (or Outlook?),
that has this capability.

Shenan Stanley said:
> Your answer assumes that the person asking and those who might utilize the
> computer cannot learn and cannot regain the rights easily - given in the
> original post that they are admins. I knew about the fact that you can
> assume users cannot figure things out - it's just bad advice. ;-)

The OP didn't ask that so injecting conjecture is patently irrelevant.
You didn't believe an Admin could be locked out, I showed you they
could be. The likelihood of an average user figuring out permission
inheritance lockout is about as likely as Bubbles the Monkey to
understand string theory. And he's DEAD!

Obviously, an Admin can reverse this. A user with Admin rights can too
*if* they know how. I never set out to prove that it was impervious to
reverse engineering. A really savvy Admin would hide the security tab
so it COULDN'T be reverse engineered via GUI but then...there is the
command line. And that can be taken away as well. ;-)

Sorry bruv, you got pwnd on this one. Sour grapes.

- Thee Chicago Wolf (MVP)
 
Shenan Stanley

Volker said:
> I want to prohibit deletion of a file and set the 'delete' permission to
> deny, but the file can be deleted anyway. I thought restrictions
> always have higher priority than permissions?
>
> How can it be done?
>
> NTFS permissions are XP standard. User is admin. File is in folder.
> All other permissions should remain untouched. Only one file should
> be protected against deletion.

Shenan said:
> User is admin? There is nothing you can do to protect the file from
> deletion with file/folder perms that they cannot undo.

Thee Chicago Wolf (MVP) said:
> It is possible to lock Admin out of being able to delete files and
> folders.

Shenan said:
> I had to search Google Groups to find this message (after seeing a
> response to it) - strange. Also - it seems this message from "Thee
> Chicago Wolf (MVP)" is set for no archival... "Note: The author of
> this message requested that it not be archived. This message will
> be removed from Groups in 6 days (Mar 24, 7:55 am)."
>
> http://groups.google.com/group/micr..._frm/thread/e7b6faa891cb5050/43cfcde4bfedaf12
>
> However - all that being pointed out now - I must ask "Thee Chicago
> Wolf (MVP)" how one can lock down the ability of a computer
> administrator of a workstation to erase files/folders off said
> workstation and make it stick (making it so the administrator of
> said workstation cannot get around said restrictions?). I am
> genuinely curious; perhaps there is a method I do not know about.

Thee Chicago Wolf (MVP) said:
> Yup, it's called X-No-Archive.
>
> Well, let's not inject what the OP didn't ask to do. The OP wanted to
> know if it was possible to lock out the Admin from deleting a file or
> folder. And yes, it can be done.
>
> 1. Log in as the Admin.
> 2. Create a folder, let's just do it on C:\ and call it Test.
> 3. Right click it, do Properties, then Advanced, click the Security
>    Tab (you did disable Simple File Sharing, right? ;-)), click Advanced
>    again, uncheck "Inherit from Parent...", click Remove, click Apply,
>    click Yes, click OK twice.
>
> See if you can delete the folder, Admin. See if you can Shift+Delete
> the folder. Nope, you can't.
>
> How about some more fun?
>
> 1. Right click the Test folder, do Properties, then Advanced, click
>    the Security Tab, click Advanced again, check on "Inherit from
>    Parent...", click Apply, click Yes, click OK twice. All the original
>    inherited permissions are back so Admin has full control again, right?
> 2. Copy a couple of small files into the folder.
> 3. Right-click all the files, do Properties, then Advanced, click the
>    Security Tab, click Advanced again, uncheck "Inherit from Parent...",
>    click Remove, click Apply, click Yes, click OK twice.
>
> Can you delete them? Nope. But ah-ha, you CAN shift+delete them
> because the folder's inheritance will trump whatever the file
> permissions have been set to unless you *explicitly* deny inheritance
> for the Administrator to delete files and folders.
>
> So yes, something you apparently don't know about. ;-)

Shenan said:
> I know what "X - No - Archive" is, I just never understood why
> someone giving a valid answer would ever bother to do this.
>
> Your answer assumes that the person asking and those who might
> utilize the computer cannot learn and cannot regain the rights
> easily - given in the original post that they are admins. I knew
> about the fact that you can assume users cannot figure things out -
> it's just bad advice. ;-)

Thee Chicago Wolf (MVP) said:
> It's because I use an NNTP client, not a web browser (or Outlook?),
> that has this capability.
>
> The OP didn't ask that so injecting conjecture is patently irrelevant.
> You didn't believe an Admin could be locked out, I showed you they
> could be. The likelihood of an average user figuring out permission
> inheritance lockout is about as likely as Bubbles the Monkey to
> understand string theory. And he's DEAD!
>
> Obviously, an Admin can reverse this. A user with Admin rights can too
> *if* they know how. I never set out to prove that it was impervious to
> reverse engineering. A really savvy Admin would hide the security tab
> so it COULDN'T be reverse engineered via GUI but then...there is the
> command line. And that can be taken away as well. ;-)
>
> Sorry bruv, you got pwnd on this one. Sour grapes.

So because you *can* use "X - No - Archive", you do it?

Check how often the 'average user' comes to these newsgroups to ask about
"access denied" messages and how to get around them and how often they are
pointed to the proper Microsoft KB telling them how to do it.

The definition of 'average user' has changed over time - since people are
now raised throughout their childhood and throughout their careers in many
cases with computers as a normal part of their lives. Google and other
Internet search engines also level the playing field somewhat.

You gave a half-a$$ed answer, that's just how I see it.

Oh well; you tried to prove something to me and did - unfortunately - it
wasn't likely what you intended to prove. ;-)

You'll likely "X - No - Archive" your response for whatever reason - so - I
doubt I will ever see a response. I don't plan on checking this again - as
the fact is still the same from the beginning... An administrator of a
workstation cannot stop other administrators on the same machine from
undoing whatever they do to the file/folder permissions. Whether or not the
OP asked about it or even knew about it - perhaps it was wiser to point it
out to them.

In any case - everyone does what they want/how they want - and if everyone
agreed, whatever the subject might be, the subject would likely never be
discussed again. ;-)
 
Thee Chicago Wolf (MVP)

Leythos said:
> You can NOT lock an administrator account out of anything - Admins have
> the right to take ownership and then do anything they want.

Even after holding Shenan's hand on how to do it? Really? Wow, talk
about denial.

- Thee Chicago Wolf (MVP)
 
