3

I am trying to deny all users from being able to delete a folder (as well as its contents, if possible).

What I currently have is not working.

icacls pics /deny Everyone:(OI)(CI)(DE)

Using the above line neither protects the folder nor its content as I can still delete the folder and all files within it.

TechDude
  • 111
  • 1
  • 3
  • 12

2 Answers2

5

I think i found a solution:

icacls pics /deny Everyone:(OI)(CI)(DE,DC)

which denies the specific rights to delete (DE) and to delete childs (DC).

  • To get this language independent use *S-1-1-0 instead of Everyone. (see Well-Known SIDs)
  • You might still be able to remove the folder if it happens to be empty. If that's a problem, consider setting the read-only flag, e.g., attrib +r pics, and then denying (WA) so it can't be changed (credit to Harry Johnston)
Community
  • 1
  • 1
Thomas
  • 595
  • 6
  • 15
  • It really bugged me :) – Thomas Sep 09 '14 at 14:48
  • 1
    You might still be able to remove the folder if it happens to be empty. If that's a problem, consider setting the read-only flag, e.g., `attrib +r pics`, and then denying `(WA)` so it can't be changed. – Harry Johnston Sep 09 '14 at 22:54
  • Great, I want to know what this command actually do to the directory. I've tested this command, I found that after executing it, I'm able to add/create a subfolder or file but not able to rename it. – Jay Patel Sep 27 '18 at 13:00
1

To prevent deletion of a file, you need deny the Delete permission on the file and deny Delete Child permission (a.k.a. "Delete subfolders and files") on the containing folder. Both must not be allowed in order to truly prevent deletion.

In other words, Windows allows deleting a file if either or both of the permissions are granted.

The above part of the answer should be enough if you are permitted to change permissions of the containing folder, otherwise, there are tricks that can prevent your folder from being deleted (all experimented by me).

  1. You can create a (hidden) dummy file within the folder, and prevent deletion on that file (using access control again).
  2. All delete actions, whether through Windows Explorer GUI or DEL or RMDIR command, cannot delete a read-only file or folder directly, what the aforementioned commands do is to try removing the read-only attribute on the file before doing the delete operation. So setting read-only attribute on a folder while denying Write Attributes (WA) permission will effectively prevent the folder from being deleted.

Here is a batch script example of combining two tricks together:

ECHO.>"myfolder\dummy"
REM Technically R is sufficient to prevent deletion,
REM but it wouldn't hurt to add H and S attributes.
attrib +R +H +S "myfolder\dummy"
REM Deny permissions on dummy file.
REM Hint: S-1-1-0 means Everyone; S-1-5-7 means Anonymous Logon group
icacls "myfolder\dummy" /deny *S-1-1-0:^(DE,WA^) *S-1-5-7:^(DE,WA^)

REM Make folder read-only and deny permissions on it.
attrib +R "myfolder"
icacls "myfolder" /deny *S-1-1-0:^(DE,DC,WA^) *S-1-5-7:^(DE,DC,WA^)
Explorer09
  • 569
  • 5
  • 9