TechDude

Reputation: 111

icacls Deny Everyone Directory Delete Permission

I am trying to deny all users from being able to delete a folder (as well as its contents, if possible).

What I currently have is not working.

icacls pics /deny Everyone:(OI)(CI)(DE)

Using the above line neither protects the folder nor its content as I can still delete the folder and all files within it.

Upvotes: 3

Views: 12919

Answers (2)

Explorer09

Reputation: 724

To prevent deletion of a file, you need to deny the Delete permission on the file and deny the Delete Child permission (a.k.a. "Delete subfolders and files") on the containing folder. Both must not be allowed in order to truly prevent deletion.

In other words, Windows allows deleting a file if either or both of the permissions are granted.

The above part of the answer should be enough if you are permitted to change permissions of the containing folder; otherwise, there are tricks that can prevent your folder from being deleted (all experimented with by me).

  1. You can create a (hidden) dummy file within the folder, and prevent deletion on that file (using access control again).
  2. All delete actions, whether through the Windows Explorer GUI or the DEL or RMDIR command, cannot delete a read-only file or folder directly; what the aforementioned commands do is try to remove the read-only attribute from the file before doing the delete operation. So setting the read-only attribute on a folder while denying the Write Attributes (WA) permission will effectively prevent the folder from being deleted.

Here is a batch script example of combining two tricks together:

REM Create the dummy file that will keep the folder non-empty.
ECHO.>"myfolder\dummy"
REM Technically R is sufficient to prevent deletion,
REM but it wouldn't hurt to add H and S attributes.
attrib +R +H +S "myfolder\dummy"
REM Deny permissions on dummy file.
REM Hint: S-1-1-0 means Everyone; S-1-5-7 means Anonymous Logon group
REM (Anonymous Logon is not a member of Everyone by default, hence both).
REM The carets escape the parentheses so these lines also work inside a
REM parenthesised IF/FOR block of a batch file.
icacls "myfolder\dummy" /deny *S-1-1-0:^(DE,WA^) *S-1-5-7:^(DE,WA^)

REM Make folder read-only and deny permissions on it.
attrib +R "myfolder"
icacls "myfolder" /deny *S-1-1-0:^(DE,DC,WA^) *S-1-5-7:^(DE,DC,WA^)

Upvotes: 1

Thomas

Reputation: 605

I think I found a solution:

icacls pics /deny Everyone:(OI)(CI)(DE,DC)

which denies the specific rights to delete (DE) and to delete children (DC).

  • To make this language-independent, use *S-1-1-0 instead of Everyone (see Well-Known SIDs).
  • You might still be able to remove the folder if it happens to be empty. If that's a problem, consider setting the read-only flag, e.g., attrib +r pics, and then denying (WA) so it can't be changed (credit to Harry Johnston).

Upvotes: 5
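As an added example (not code from the question or from either answer, and not Windows itself), here is a small Python model of the access check Explorer09's answer describes, run against the ACL from the question and the one from Thomas's answer. It simulates a canonical DACL walk (deny ACEs first, allow ACEs accumulating until every requested right is granted) and NTFS's two-path delete rule: delete succeeds if either Delete on the object or Delete child on its parent is granted. The read-only handling follows the answers' description of DEL/RMDIR (the attribute must be cleared first, which needs WA). The folder layout D:\pics\a.jpg, the user SID S-1-5-21-0-0-0-1001 and the user's baseline Modify-like rights are constructed assumptions; only S-1-1-0 (Everyone) is a real well-known SID.

```python
"""Model of the NTFS delete check behind the icacls commands above.

Constructed example: it simulates the access-check rule, not Windows itself.
The user SID, the folder layout and the baseline rights are made up.
"""
from dataclasses import dataclass, field

DE, DC, WA = "DE", "DC", "WA"   # icacls letters: Delete, Delete child, Write attributes
EVERYONE = "S-1-1-0"            # well-known SID for Everyone
USER = "S-1-5-21-0-0-0-1001"    # constructed SID for the logged-on user


@dataclass
class Ace:
    kind: str           # "deny" or "allow"
    trustee: str        # SID matched against the SIDs in the caller's token
    rights: frozenset   # right letters covered by this ACE


@dataclass
class Node:
    name: str
    is_dir: bool
    dacl: list                      # ACEs in evaluation order (deny ACEs first)
    parent: "Node | None" = None
    children: list = field(default_factory=list)
    read_only: bool = False

    def add_child(self, name, is_dir, allow_rights):
        child = Node(name, is_dir, [Ace("allow", USER, frozenset(allow_rights))], self)
        self.children.append(child)
        return child


def walk(node):
    yield node
    for child in node.children:
        yield from walk(child)


def access_check(node, token, requested):
    """Windows-style DACL walk: ACEs for SIDs outside the token are skipped, a deny
    ACE covering a still-outstanding right fails the check, and allow ACEs accumulate
    until every requested right is granted.  Canonical order (deny first) is assumed."""
    remaining = set(requested)
    for ace in node.dacl:
        if ace.trustee not in token:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True
    return not remaining


def icacls_deny(folder, trustee, rights):
    """Emulate `icacls folder /deny trustee:(OI)(CI)(rights)`: the deny ACE lands on
    the folder and is inherited by every file (OI) and subfolder (CI) beneath it."""
    for node in walk(folder):
        node.dacl.insert(0, Ace("deny", trustee, frozenset(rights)))


def can_delete(node, token):
    """Explorer09's rule: deletion succeeds if EITHER Delete on the object OR
    Delete child on its parent is granted.  As the answers describe DEL/RMDIR,
    a read-only object first needs its attribute cleared, which requires WA."""
    if node.read_only and not access_check(node, token, {WA}):
        return False
    if access_check(node, token, {DE}):
        return True
    return node.parent is not None and access_check(node.parent, token, {DC})


def rd_s(node, token):
    """`rd /s`-style recursive delete.  Returns True if `node` is gone afterwards;
    a directory that still holds undeletable children cannot be removed."""
    for child in list(node.children):
        if rd_s(child, token):
            node.children.remove(child)
    return not node.children and can_delete(node, token)


def scenario(deny_rights, with_file=True, read_only_folder=False):
    """Constructed tree D:\\pics[\\a.jpg] where USER has Modify-like rights everywhere;
    apply the given (OI)(CI) deny for Everyone to pics, then run `rd /s pics`."""
    token = {USER, EVERYONE}
    root = Node("D:", True, [Ace("allow", USER, frozenset({DE, DC, WA}))])
    pics = root.add_child("pics", True, {DE, DC, WA})
    if with_file:
        pics.add_child("a.jpg", False, {DE, WA})
    icacls_deny(pics, EVERYONE, deny_rights)
    pics.read_only = read_only_folder   # attrib +R pics
    folder_deleted = rd_s(pics, token)
    file_deleted = (not pics.children) if with_file else None
    return {"file_deleted": file_deleted, "folder_deleted": folder_deleted}


if __name__ == "__main__":
    print("question, deny (DE):           ", scenario({DE}))
    print("Thomas, deny (DE,DC):          ", scenario({DE, DC}))
    print("Thomas, empty folder:          ", scenario({DE, DC}, with_file=False))
    print("+R and deny (DE,DC,WA), empty: ", scenario({DE, DC, WA}, with_file=False, read_only_folder=True))
```

Running it shows why the question's command fails: the inherited deny on a.jpg blocks Delete on the file, but the user's Modify rights on pics still grant Delete child, so the second path succeeds and everything is removed. Denying DC as well closes that path for the file, and the non-empty folder then cannot be removed; once the folder is empty, Delete child on D:\ lets it go, which is the caveat in Thomas's answer, and only the read-only attribute plus a WA deny blocks that last case.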

Related Questions