Link to home
Start Free TrialLog in
Avatar of justinoleary911
justinoleary911Flag for United States of America

asked on

Windows shares with no delete

what permissions would i need to set on a windows share in server 2003 to allow users to do have rights to do everything except delete items.
Avatar of pjam
Flag of United States of America image

Try this Open Advanced in Security and select your users group and select Deny Delete as in jpeg attached
User generated image
Restrict them using NTFS permissions.

Right-click Properties -> Security tab -> Advanced -> select your users or security group -> Change Permissions -> Edit -> select Deny Delete

NTFS and Sharing permissions are cumulative with the most restrictive combination winning. So an explicit Deny will trump the Change permissions configured for Sharing.

I hope this helps.
Avatar of Brian Pierce
Be careful about using DENY - its safer simply to remove the ALLOW option for the specified group  - do not DENY Everyone/Users/Domain Users otherwise no-one will be able to delete.
Avatar of justinoleary911


ok just to calrify these permissions, under share permissions i could set full control to the security group, then under ntfs permissions I can have everything selected for allow except the delete permissions and then they can do anything except delete. right?  i attached some screen shots showing exactly what i have set up, you can ignore the everyone group having full control im going to remove that.
Never set full control for your security groups unless it is for the Administrator group. This allows the security group to change the permissions to whatever they like. Use Modify/Change instead.

Change for Sharing
Modify for NTFS

Other than that, you got it.
Beware however that Microsoft Office needs the delete right to edit files: When opening a document a new temporary document is created, and when saving the old document is deleted.
ok so your saying theres no such permissions to have the ability to edit office docs and not delete.  

the really specififc permissions i need im not sure how to set up.  we have a share called bids with 4 sub folders that are not shares just subfolders of bids.  I need to prohibit specific people from opening specific sub folders.  is this possible and if so, how?
No true.

I just tested that on my local server by creating a word doc by right clicking and New.

Opened the new document, wrote some text and saved without an issue.
ok can you delete the document?
Disregard. I forgot one deny. The other comment was correct.
ok i need some really specific share settings here.  I just had a user log into a share I set and they couldnt modify the folder name i gave them the right to modify while keeping the ntfs advanced permission of deny delete and deny delete subfolders.  And they could delete the folder still.  can anyone tell me the exact specific permissions to set for a user for share permissions and advanced NTFS permissions.   I need the user to be able to open the share and only have access to specific subfolders.  Then the subfolders they have access to, i need them to be able to create and modify documents and folders BUT not be able to delete anything.  Anyone please tell me what exact permissions to set.  thank you
Avatar of justinoleary911
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
IMHO "not possible" is also a valid and correct answer. Even if no points are given this question could be PAQ'ed..
this is not possible