
I am trying to deny all users from being able to delete a file. I'd like any user to be able to read or execute the file, but not modify or delete it. However, after I use the following code via the command prompt, no one can even access the file in the first place!

icacls pic.jpg /deny Everyone:(D)

I've tried variations of granting some permissions and denying others to no avail. How can I accomplish this (on Windows 7/8)?

TechDude

2 Answers

To prevent deletion of a file, you need to deny the Delete permission on the file and deny the Delete Child permission (a.k.a. "Delete subfolders and files") on the containing folder. Both must not be allowed in order to truly prevent deletion.

In other words, Windows allows deleting a file if either or both of the permissions are granted.

So, suppose you are protecting foo\bar.txt from deletion, you should at least:

icacls foo\bar.txt /deny Everyone:(DE) *S-1-5-7:(DC)
icacls foo /deny Everyone:(DC) *S-1-5-7:(DC)

Note that I include S-1-5-7 (ANONYMOUS LOGON) within the deny list because anonymous logon is not included in Everyone group since Windows XP, and it's better to explicitly deny anonymous logon anyway.

EDIT: Be careful that in icacls the (D) permission is different from (DE). The former includes the Synchronize right while the latter is the Delete right alone. If you deny the Synchronize right you might not be able to access (browse, CD to, or DIR on) the folder.

Warning: icacls has a bug that files with (DE) right alone denied will show as (DENY)(D) instead of (DENY)(DE) upon query. Reported in 2 3. As mentioned above (D) and (DE) are different.

Explorer09
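The two-ACE scheme from the answer above, applied to a throwaway file and folder and then inspected with Get-Acl, which reports the exact right that was written and so sidesteps the icacls display quirk. This is an added example, not code from either answer; it assumes a scratch path under $env:TEMP and the well-known SIDs *S-1-1-0 (Everyone) and *S-1-5-7 (ANONYMOUS LOGON).

```powershell
# Added example: deny Delete (DE) on the file and Delete Child (DC) on its
# parent, then verify what actually landed in the ACL. Paths are constructed.
$root = Join-Path $env:TEMP 'icacls-demo'
$file = Join-Path $root 'bar.txt'
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -Path $file -Value 'protected content'

# 1. Deny DE on the file and DC on the folder. SIDs instead of names keep the
#    command language independent; S-1-5-7 is listed because Everyone no
#    longer includes anonymous logon.
icacls $file /deny '*S-1-1-0:(DE)' '*S-1-5-7:(DE)' | Out-Null
icacls $root /deny '*S-1-1-0:(DC)' '*S-1-5-7:(DC)' | Out-Null

# 2. Inspect the result through the .NET ACL API. The file should show the
#    right 'Delete' (no Synchronize), the folder 'DeleteSubdirectoriesAndFiles'.
foreach ($path in $file, $root) {
    $acl = Get-Acl -Path $path
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object {
            '{0,-45} {1,-22} {2}' -f $path, $_.IdentityReference, $_.FileSystemRights
        }
}

# 3. Check the effect from the current account. An account that can rewrite
#    the ACL (owner, elevated admin) may still get through, as the comments note.
try {
    Remove-Item -Path $file -ErrorAction Stop
    Write-Output 'Deletion succeeded: this account was not blocked by the deny ACEs.'
} catch {
    Write-Output "Deletion blocked: $($_.Exception.Message)"
}

# Cleanup: strip the deny entries again, then remove the scratch folder.
if (Test-Path $file) { icacls $file /remove:d '*S-1-1-0' '*S-1-5-7' | Out-Null }
icacls $root /remove:d '*S-1-1-0' '*S-1-5-7' | Out-Null
Remove-Item -Path $root -Recurse -Force
```

Run it once from a normal (non-elevated) prompt and once elevated to see the difference discussed in the comments below.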

To protect a file you must use:

icacls pic.jpg /deny Everyone:(DE)

to protect a folder with its content use:

icacls pics /deny Everyone:(OI)(CI)(DE,DC)

D is a combination of different access rights, if you want to grant the right to delete files.

To get this language independent use *S-1-1-0 instead of Everyone.


(OI)= Object Inheritance (CI)= Container Inheritance

Thomas
  • Thanks! I was going off of [this list](http://ss64.com/nt/icacls.html) which did not include `DE`! I should have simply typed in `icacls` at command prompt to find this `DE` option. – TechDude Sep 09 '14 at 13:22
  • 1
    Don't worry, I've been there too a while ago. – Thomas Sep 09 '14 at 13:24
  • This isn't working for folders: `icacls pics /deny Everyone:(DE)` Is there a different option I'm suppose to use for a directory? – TechDude Sep 09 '14 at 13:28
  • 1
    try `icacls pics /deny Everyone:(OI)(CI)(DE)`, so (DE) gets inherited by all contained objects and containers. – Thomas Sep 09 '14 at 13:29
  • Strangely, `icacls pics /deny Everyone:(OI)(CI)(DE)` protects neither the folder nor the content. I've also tried with the full directory path `C:\pics`, but in both cases I can still delete the folder and all files within it. – TechDude Sep 09 '14 at 13:35
  • I went ahead and [made a new question](https://stackoverflow.com/questions/25746550/icacls-deny-everyone-directory-delete-permission) for this folder issue. – TechDude Sep 09 '14 at 13:59
  • Not sure why. Is your account in the local admin group and have you elevated your rights? – Thomas Sep 09 '14 at 14:01
  • Yes, I am trying this on my local Windows 7 computer as Administrator. – TechDude Sep 09 '14 at 14:04
  • 1
    I assume you cannot prevent a local admin from deleting a file. I tried this locally on my machine. With my normal working account it works. When I'm using an elevated admin account, I can delete the files as well. I think **FULL-Access** overrides **DENY (DE)**, which you should expect from **FULL-Access**. – Thomas Sep 09 '14 at 14:11
  • That makes sense; however, although I can't recall particular files, I could have sworn I have previously come across system files that cannot be deleted even by an administrator (but maybe that was because they were in use?). – TechDude Sep 09 '14 at 14:18
  • 1
    Found it. Changed the answer. – Thomas Sep 09 '14 at 14:49