I have a user account set up so that it can create folders/files, but it can NOT delete folders/files created by other users; however, they still can delete folders/files that they have created. I do not want them to be able to do this.
Is there a way I can disallow users from deleting things, even if they are the owner/creator?
Or, can I automatically change the owner of a folder/file to admin when it is created, thereby blocking the general user account from being able to delete it?
Any ideas or suggestions?
Best Answer
The key is that users can delete a file if the file's ACL entitles them to delete it or the containing directory's ACL gives them the delete-child permission. You need to make sure that this limited user doesn't get either permission. On the special folder from which they shouldn't be able to delete files, assign them the following permissions in the Advanced Security Settings window:
But because this user is the owner of any files they create, they are entitled to change the permissions to allow deletion. The last piece of the puzzle is the arcane OWNER RIGHTS principal. You can type that phrase right into the user selection dialog where you would usually type the name of a user or group. Create one last rule on the folder that grants only "read permissions" on "subfolders and files only" to OWNER RIGHTS. Then the only advantage of being the owner of a file in that folder is that it guarantees ability to see the ACL, but not to change it.
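The same two rules from the answer above, applied from an elevated PowerShell instead of the Advanced Security Settings dialog, followed by a read-back check. This is an added example, not code from the original answer; the folder path `C:\Shared\DropBox` and the account `CONTOSO\limiteduser` are assumed placeholders. OWNER RIGHTS is addressed by its well-known SID `S-1-3-4` so the rule does not depend on name lookup, and "read permissions" is mapped to `FileSystemRights.ReadPermissions` (READ_CONTROL), which is exactly the right that lets an owner view but not rewrite the ACL.

```powershell
# Added example (not from the original answer). Assumed values: run as an administrator
# on the file server; adjust $Folder and $User to the real path and account.
$Folder = 'C:\Shared\DropBox'
$User   = 'CONTOSO\limiteduser'

$acl = Get-Acl -Path $Folder

# 1. Limited user on "this folder, subfolders and files": list, read, create and write,
#    but neither Delete nor DeleteSubdirectoriesAndFiles (the delete-child right).
#    Deliberately not Modify, because Modify = ReadAndExecute + Write + Delete.
$userRights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
              [System.Security.AccessControl.FileSystemRights]::Write
$userRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $User,
    $userRights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# 2. OWNER RIGHTS (well-known SID S-1-3-4) on "subfolders and files only" (InheritOnly),
#    granting ReadPermissions and nothing else. With this ACE present, the implicit
#    owner privilege to change the DACL no longer applies to files created underneath.
$ownerRightsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-4')
$ownerRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ownerRightsSid,
    [System.Security.AccessControl.FileSystemRights]::ReadPermissions,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Allow)

# SetAccessRule replaces any existing Allow entry for the same identity, so re-running
# this script is safe.
$acl.SetAccessRule($userRule)
$acl.SetAccessRule($ownerRule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Check: list every Allow ACE on the folder, explicit or inherited from a parent, that
#    still carries a delete right. A CREATOR OWNER (S-1-3-0) Full Control entry, common on
#    default folder ACLs, would hand delete rights back to file creators and shows up here.
#    Entries expressed with generic bits (large numeric FileSystemRights values) are not
#    matched by this mask and need a manual look.
$deleteMask = [System.Security.AccessControl.FileSystemRights]::Delete -bor
              [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (([int]$_.FileSystemRights -band [int]$deleteMask) -ne 0) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited, InheritanceFlags |
    Format-Table -AutoSize
```

If step 3 prints anything for the limited user, for a group they belong to, or for CREATOR OWNER, that entry (explicit, or inherited from a parent folder) is what still lets them delete, and it has to be removed or replaced before the OWNER RIGHTS rule makes any difference.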