Disabling Delete Across AD Network

Posted on 2005-04-28
Last Modified: 2010-04-10
Hi Guys,

I am looking at removing the Delete permission from every folder on the network, and then implementing a Delete Permission for Domain Admins only. My main question is whether this would be likely to have any effect on users. I am not sure if it would cause problems with any applications.

My aim here is to stamp out users calling our Helpdesk to say "Someone has deleted this folder and we need it back by tomorrow morning" and the folder is 5GB and the restore tapes won't be delivered for 2 hours and they tell you this at 4:30pm.
If we can stop them deleting the files and folders "Accidentally" then that's what I want to do.

Maybe another idea, create a No Delete group in AD and at root level apply an Explicit Deny on Delete Permission.
Add users to this group and we can remove them if there is a need for them to have these permissions.

Would either of these work for us?
If so which is best?
What problems could we run into?

Question by:unitedmp

    Expert Comment

    Create a Security group and put all non-domain admins in it. You can apply (link) a GPO that disables file deletion.

    Problems, users won't be able to clean out their drives, or personal files, leading to a bloated environment.


    Author Comment

    We are looking at implementing folder redirection anyway.

    We should be able to simply remove the explicit deny from the folder for their personal drive, U: which is network based and where the folder will redirect to.
    Is this correct, and will that resolve the issue?


    Expert Comment

    Yeah, you could do that. At the least, you have to give everyone Read/list access to directories.

    Author Comment

    If I do it that way, I would leave all current permissions as they are since an Explicit Deny will override current permissions anyway.

    Accepted Solution

    Try This:

    Create a new security group, add all of your users to that.
    Remove users who require delete access from the group.
    Add the group to the security tab at the root directory.
    Use advanced, edit, and DENY access to both the delete functions.
    Apply, then allow Modify.
    Apply this to the directory (will take a few hours).

    Now all you have to do is add new users to this group, and if someone requires permission to delete, remove them from the group.
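
The accepted solution's steps as PowerShell, plus a check for subfolders where the deny set at the root will not take effect. This is an added example, not code posted in the thread; the group `CORP\NoDelete`, the path `D:\Shares` and both function names are hypothetical.

```powershell
# Added example, not from the thread. 'CORP\NoDelete' and 'D:\Shares' are
# hypothetical placeholders for the deny group and the share root.
function Add-NoDeleteAce {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Group)
    # "Both the delete functions": Delete on the object itself and
    # Delete Subfolders and Files on its parent folder. A delete succeeds
    # if either is granted, so both are denied.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Group,
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Deny Delete for $Group")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

function Get-NoDeleteGap {
    # Reports subfolders where the root deny will not behave as intended:
    # inheritance is blocked there, or an explicit Allow ACE grants a delete
    # right (explicit Allow is evaluated before an inherited Deny).
    param([Parameter(Mandatory)][string]$Path)
    $del = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
    Get-ChildItem -LiteralPath $Path -Directory -Recurse | ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir.FullName
        $allow = @($acl.Access | Where-Object {
            -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $del)
        })
        if ($acl.AreAccessRulesProtected -or $allow.Count) {
            [pscustomobject]@{
                Folder             = $dir.FullName
                InheritanceBlocked = $acl.AreAccessRulesProtected
                ExplicitAllow      = ($allow.IdentityReference -join '; ')
            }
        }
    }
}

# Dry run first (-WhatIf writes nothing), then list the folders to review.
Add-NoDeleteAce -Path 'D:\Shares' -Group 'CORP\NoDelete' -WhatIf
Get-NoDeleteGap -Path 'D:\Shares' | Format-Table -AutoSize
```

Renaming or moving a file also requires the Delete right, so applications that save by writing a temporary file and renaming it will fail for members of the deny group. Pilot the change on a test share before applying it at the root.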

