• Status: Solved

Restrict domain users from deleting a shared file or folder

Hello, everybody!
Recently we had an incident with the involuntary deletion of 800MB from MS Server 2003 by a domain user. We have an NTFS drive which is shared for domain users, and they should be able to create, read, write and modify files and folders, but not delete them. I have tried denying file or folder delete through the Security tab, but then users can't modify. My idea was to deny only the deleting of files, and if some user non-accidentally wants to delete a file or folder, just to rename it with 4 zeros in front. Then at the end of the day an automatic script will run which will search for files and folders beginning with 4 zeros and delete them. Yes, but NO: denying file delete automatically denies file rename.
Please give me advice on how to prevent domain users from accidentally deleting files from this drive, and at the same time keep all file/folder functionality.
10x a lot in advance!
1 Solution
Hi mi6o,
You can deny deleting files and allow modify, but at the same time you will be denied renaming them (rename = delete).

From the Security tab click on the "Advanced" button, choose the user, click Edit, and then change the "Delete" permission.

Thanks & Best Regards
Before everything, you have to think about the following options with NTFS permissions:

1) Is this going to be done at folder level or file level?
2) Users can add a file but cannot delete?
3) Allow the owner to delete a file, or the owner also cannot delete? But I recommend the owner can delete a file.

Before configuring this setup, test it on another normal XP workstation (with NTFS).
I will assume administrators have full control.

Create a folder named "test 1" on XP.

Folder properties > Security > Advanced > untick "Inherit from the parent ..." > click Copy > next, remove all users and groups except Administrators and Domain Users (if Domain Users is not available, then add Domain Users).

domain user does not have full control of modify control

With the above system only the owner can delete a document (but others cannot modify).

But I think Modify permission is needed for all domain users (otherwise the sharing concept will not take effect).

Using "special permissions" you can finish your request:
click the Advanced tab, select Domain Users > Edit > tick Deny for "Delete subfolders and files".

To check this system for users you can use "Effective Permissions".

NTFS permissions are a little bit complex, but you can ask questions.


Make sure Creator Owner does not have delete ability, just modify.
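The Security tab steps described in the answers above, written as a script. This is an added example, not code from any participant in the thread; it assumes PowerShell is available on the test machine, and the folder path and the `CONTOSO` domain name are placeholders.

```powershell
# Added example: scripts the test-folder setup from the thread.
# Run from an elevated prompt. $Path and $Group are placeholders.
$Path  = 'D:\Shared\test 1'          # assumption: the test folder
$Group = 'CONTOSO\Domain Users'      # assumption: placeholder domain name

$acl = Get-Acl -LiteralPath $Path

# Untick "inherit from the parent" and keep a copy of the inherited
# entries (isProtected = $true, preserveInheritance = $true).
$acl.SetAccessRuleProtection($true, $true)

# Apply the entries to this folder, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Allow Modify so users can still create, read and write.
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Modify', $inherit, $prop, 'Allow')

# Deny both delete rights listed under special permissions.
# As the thread notes, rename needs the delete right as well, so this
# Deny entry also blocks renaming.
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'Delete, DeleteSubdirectoriesAndFiles', $inherit, $prop, 'Deny')

$acl.AddAccessRule($allow)
$acl.AddAccessRule($deny)
Set-Acl -LiteralPath $Path -AclObject $acl

# Review what ended up on the folder for the group, Deny entries first.
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.IdentityReference -eq $Group } |
    Sort-Object AccessControlType -Descending |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

Confirm the result for a real account with the "Effective Permissions" tab before applying the same entries to the production share.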