NTFS – Prevent Directory Deletion in a Personal Folder


I have a directory shared via CIFS from a Windows 7 "server". No domain: just simple workgroup.

My clients access this directory via LAN via "Standard User" (no "Administrator") accounts on the server. They use this share for "personal storage", so they need full create/edit/delete on everything inside it.

The problem is: I create a directory there, server-side. This single item shouldn't be editable in any way, just readable/browsable/listable (let's focus on the directory itself, not on the files within (sometimes there aren't any)).

I'm working with NTFS permissions: I removed inherit from the must-not-delete-directory, so I can work on its permissions.

I removed the client account and, at this stage, only SYSTEM, Administrators and myself are present with their permissions. At this stage, clients can neither delete nor open the folder.

If I add a Deny "full control" rule, nothing changes (as expected).

But if I modify that rule and allow just "List folder / read data", while keeping all the others on Deny… the user can delete the folder!?

How is that possible? What am I misunderstanding?

Note: I double checked with a single file, not a directory: same problem!

This is the icacls output:

Successfully processed 1 files; Failed processing 0 files

Best Answer

OK. I can confirm that a user can delete a file (or remove an empty directory) without having write access to that file/directory if they have Delete Child access to the parent directory. If I was aware of this before, I had forgotten about it, but it is documented behaviour, e.g., see KB101651.

There are (at least) three ways to solve your problem:

  • Give the users Modify access instead of Full Control access to the parent directory. The only differences between Full Control and Modify are the Delete Child right (allowing the user to delete child objects) and the Write DAC right (allowing the user to change the permissions on the object, even if they are not the owner).

  • Set the permissions on the share to Modify instead of Full. This should have the same effect, but will only affect network users, not interactive users. One side-effect is that the users cannot change permissions, even on their own files.

  • Set the read-only flag on the child file/directory. The documentation is unclear on this point, but my testing (Windows 7) indicates that Delete Child does not allow you to delete files or remove directories with the read-only flag set. It also does not allow you to reset the read-only flag. Note that the Explorer GUI implies that the read-only flag has no effect on directories; in fact it prevents the directory from being removed. (It does not prevent new files from being written to the directory.) Addendum: the read-only flag does not prevent a directory from being moved.

Other notes:

  • You could explicitly deny the Delete Child right to the parent directory, but if the user has Full Control to the parent directory they could remove the deny entry.

  • Having Delete Child right on the parent directory does not allow users to delete files from the child directory or to remove the child directory unless it is empty. Addendum: it does allow users to move the child directory.
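The first and third fixes from the answer, carried through as an added PowerShell example (not code from the original post). It assumes a local workgroup account named ShareUser, a share root of D:\PersonalShare, and that the user's existing Full Control entry on the root is explicit rather than inherited; adjust those to your setup.

```powershell
# Added example: replace Full Control with Modify on the share root, then make the
# protected child folder read-only with list/read access only.
$ShareRoot = 'D:\PersonalShare'                 # assumption: share root
$Protected = Join-Path $ShareRoot 'DoNotDelete' # assumption: the folder to keep
$User      = "$env:COMPUTERNAME\ShareUser"      # assumption: workgroup account

New-Item -ItemType Directory -Path $Protected -Force | Out-Null

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$account = [System.Security.Principal.NTAccount]$User

# 1. Parent folder: Modify instead of FullControl. Modify lacks
#    DeleteSubdirectoriesAndFiles ("Delete Child") and ChangePermissions
#    ("Write DAC"), so the user can neither delete a child they cannot write to
#    nor strip a Deny entry that an admin placed.
$parentAcl = Get-Acl -Path $ShareRoot
$parentAcl.PurgeAccessRules($account)           # drops the explicit Full Control entry
$parentAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'Modify', $inherit, $none, 'Allow')))
Set-Acl -Path $ShareRoot -AclObject $parentAcl

# 2. Child folder: stop inheriting (keep copies of the inherited entries so SYSTEM
#    and Administrators survive), then give the user read/list only.
$childAcl = Get-Acl -Path $Protected
$childAcl.SetAccessRuleProtection($true, $true)
$childAcl.PurgeAccessRules($account)
$childAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, 'ReadAndExecute', $inherit, $none, 'Allow')))
Set-Acl -Path $Protected -AclObject $childAcl

# 3. Read-only attribute: per the answer, Delete Child does not remove a read-only
#    directory (it can still be moved, and files can still be written inside it).
$item = Get-Item -Path $Protected
$item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly

# Check: no Allow entry for the user on the parent may carry Delete Child or Write DAC.
function Test-NoDeleteChild {
    param([string]$Path, [string]$Identity)
    $risky = [System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles, ChangePermissions'
    $rules = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow'
    }
    foreach ($r in $rules) {
        if (($r.FileSystemRights -band $risky) -ne 0) { return $false }
    }
    return $true
}
Test-NoDeleteChild -Path $ShareRoot -Identity $User   # expect True after step 1
```

If the user's Full Control on the root was inherited from a higher folder, PurgeAccessRules will not remove it; fix the entry where it is defined, or protect the root from inheritance first.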
