Windows – Setting Deny Permissions with ICACLS on “This Folder”

icaclsntfspermissionswindows

ICACLS "{PATH}" /DENY "{AD Group}:(D)"

I want to deny the ability for {AD Group} to delete the parent folder but still have permissions to delete child folder and files. However, when I set the DENY Delete on the parent, it prevents Traverse Folder access to the folder.

I read that this is a synchronize error but if I set (D,S) I can traverse the folder but I can also delete it.

Currently ACL_FILE_IST is the only permission on the folder.

Has anyone seen a workaround?

ICACL COMMANDS

ICACLS "C:\TEMP\TestPermissions" /GRANT "ACL_FILE_IST:(OI)(CI)(M)"
ICACLS "C:\TEMP\TestPermissions" /DENY "ACL_FILE_IST:(D)"

ICACLS ACL

testpermissions

D:PAI(D;;0x110000;;;S-1-5-21-964777865-1556211951-2005962405-8309)(A;OICI;0x1301bf;;;S-1-5-21-964777865-1556211951-2005962405-8309)

Best Answer

For anyone else who finds this 6.5 year old post, this is what fixed things for me - https://devblogs.microsoft.com/oldnewthing/20191118-00/?p=103110 - using OP's original command, you would use ICACLS "{PATH}" /DENY "{AD Group}:(DE)" - simply add DE instead of D, which as the article points out, has a bug or glitch in it where it removes synchronize as well as delete. Annoying, but an easy fix.

Related Solutions

Windows – “This folder only” permission propagating

This is standard behavior. It will add the permissions you set to those folders, but marks them as child permissions.

Go to a subfolder, and check its permissions, and you'll notice those permissions are greyed out (child permissions).

If you want to have the child objects not have these permissions, you'll have to edit the first child folder and correct the permissions.

Usually a network system administrator will suggest to have a subfolder with no childs created and apply the new rights to that folder, then move the files that should have these rights there. This way, any subfolder will have the same rights and you don't worry about child objects not having different access rights.

Because if you deny a user to enter this directory, and you allow that user child directories, they will not be able to get there unless they manually enter that address. Only a person who knows that directory exists and how to manually get there will have access, something not many do. (which is why security settings are set to all child folders when changed, because it usually needs to have those permissions all the way down to the last child folder.

Windows – Prevent folder from being deleted/moved/renamed in Windows

As a rule of thumb, you should avoid explicit DENY rules in ACLs. If one is required, it is often because the data is already structured wrong.

The ability to delete or rename a folder is not decided by the Delete permissions on the folder in question, but by the Delete subfolders and files permission on the parent folder. This is counter-intuitive and different from how permissions for a file work. It definitely doesn't work as you would expect.

Let's use the following folder / file structure as an example:

FolderA
    File1
    FolderB
        File2
        FolderC
            File3

FolderB and File1 are in parent FolderA. FolderC and File2 are in parent FolderB and so on.

Now, if we remove the Delete permission from File1, File2, or File3, for any user, that user will be prevented from renaming and deleting the file. This is also true if you use an explicit DENY Delete on the file.

However, if you remove the Delete permission from FolderA, FolderB, or FolderC, for any user, that user will still be able to rename and delete the folder. This is also true if you use an explicit DENY Delete on the folder.

Why is that? Because the Delete permission is a permission that applies to files, not folders. Instead, we must remove the Delete subfolders and files permission from the parent folder to accomplish what you are asking.

In our above example, we will need to remove the Delete subfolders and files permission from FolderA, for a particular user, assigning the permission to this folder only. In that case, the user will then be unable to modify FolderB and File1. The same is true if you use an explicit DENY Delete subfolders and files on FolderA instead.

The user can still rename and delete FolderA unless the parent of FolderA has also restricted that permission. As long as you applied the permission to this folder only then the user will continue to be able to read/write/modify File2, FolderC and File3.

The obvious drawback here is that it takes 2 levels of folders to accomplish what you are asking. In your case, you mention that you are trying to protect a Dropbox folder. So, your folder structure would have to look like this:

Dropbox
    Protected Folders
        File1
        File2
        FolderA
    Protected Files

You would remove, for a particular user or group, the Delete subfolders and files permission for this folder only on the Dropbox folder. You would then add or maintain, for a particular user or group, Full Control or Modify permissions for subfolders and files on the Dropbox folder.

Now the affected user will be unable to modify any files or folders immediately below the Dropbox folder, but will be able to modify all files and folders contained in any subfolders.

There is an additional concern here with Dropbox, because this is not a normal folder. The Dropbox application expects full control of the Dropbox folder. Being that Dropbox often runs as the logged on user, you can't prevent the logged on user from having full control of the Dropbox folder. You can try it, but the results may be unpredictable and chaos is likely to ensue.

Best Answer

Related Solutions

Windows – “This folder only” permission propagating

Windows – Prevent folder from being deleted/moved/renamed in Windows

Related Question