
NTFS - Restrict file deletion


Volker Putt

Mar 17, 2009, 3:09:19 AM
Hi,
I want to prohibit deletion of a file and set the 'delete' permission to
deny, but the file can be deleted anyway. I thought restrictions always
have higher priority than permissions?

How can it be done?

NTFS permissions are XP standard. User is admin. File is in folder. All
other permissions should remain untouched. Only one file should be
protected against deletion.

Shenan Stanley

Mar 17, 2009, 3:38:20 AM

User is admin? There is nothing you can do to protect the file from
deletion with file/folder perms that they cannot undo.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html


PJG

Mar 17, 2009, 6:40:01 AM

"Shenan Stanley" wrote:

Have you tried creating another folder and user, setting non-inheritable
permissions for the folder and then setting admin permissions so they are not
able to delete files? Then use the different user to delete if need be.

Message has been deleted

Leythos

Mar 17, 2009, 10:48:08 AM
In article <9d7vr4594fqpqc982...@4ax.com>, .@. says...
> It is possible to lock Admin out of being able to delete files and
> folders.
>
You can NOT lock an administrator account out of anything - Admins have
the right to take ownership and then do anything they want.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam9...@rrohio.com (remove 999 for proper email address)

Shenan Stanley

Mar 17, 2009, 12:14:10 PM
Volker Putt wrote:
> i want to prohibit deletion of a file and set 'delete' permission to
> deny but the file can be deleted anyway. I thought restrictions
> always have higher priority than permissions?
>
> How can it be done?
>
> NTFS permissions are XP standard. User is admin. File is in folder.
> All other permissions should remain untouched. Only one file should
> be protected against deletion.

Shenan Stanley wrote:
> User is admin? There is nothing you can do to protect the file from
> deletion with file/folder perms that they cannot undo.

Thee Chicago Wolf (MVP) wrote:
> It is possible to lock Admin out of being able to delete files and
> folders.

I had to search Google Groups to find this message (after seeing a response
to it) - strange. Also - it seems this message from "Thee Chicago Wolf
(MVP)" is set for no archival... "Note: The author of this message
requested that it not be archived. This message will be removed from Groups
in 6 days (Mar 24, 7:55 am)."

http://groups.google.com/group/microsoft.public.windowsxp.general/browse_frm/thread/e7b6faa891cb5050/43cfcde4bfedaf12

However - all that being pointed out now - I must ask "Thee Chicago Wolf
(MVP)" how one can lock down the ability of a computer administrator of a
workstation to erase files/folders off said workstation and make it
stick (making it so the administrator of said workstation cannot get around
said restrictions). I am genuinely curious; perhaps there is a method I do
not know about.

John

Mar 17, 2009, 3:24:03 PM

"Volker Putt" <n...@email.com> wrote in message
news:%23CbCa%23spJH...@TK2MSFTNGP05.phx.gbl...

> NTFS permissions are XP standard. User is admin. File is in folder. All
> other permissions should remain untouched. Only one file should be
> protected against deletion.

Post the file permissions in question.

I did a test on a file with the following permissions combo:
MACHINENAME\Administrator - Deny
MACHINENAME\Administrators - Allow Full Control

Notice the 's' - one of them is Administrators group and the other is user
Administrator.

I'm logged on as MACHINENAME\Administrator. I can delete the above test
file. Yeah, that seems to contradict the fact that Deny has higher
precedence.

If I remove Administrators group, I'm unable to delete the test file. Keep
in mind that nothing stops an Administrator from changing file/folder
permissions.


Message has been deleted

Volker Putt

Mar 17, 2009, 5:05:05 PM
I'm aware of admin permissions, but I do not want to restrict the user. I
want to restrict software.

It seems right that folder permissions have higher priority than the
files inside them, no matter if denied or granted. The weird thing is that if
you remove the permissions from the file inside completely, this case
doesn't seem valid anymore. You cannot delete the file even though it's
defined in the parent folder.

Message has been deleted

Shenan Stanley

Mar 18, 2009, 9:19:25 AM
Volker Putt wrote:
> i want to prohibit deletion of a file and set 'delete' permission to
> deny but the file can be deleted anyway. I thought restrictions
> always have higher priority than permissions?
>
> How can it be done?
>
> NTFS permissions are XP standard. User is admin. File is in folder.
> All other permissions should remain untouched. Only one file should
> be protected against deletion.

Shenan Stanley wrote:
> User is admin? There is nothing you can do to protect the file from
> deletion with file/folder perms that they cannot undo.

Thee Chicago Wolf (MVP) wrote:
> It is possible to lock Admin out of being able to delete files and
> folders.

Shenan Stanley wrote:
> I had to search Google Groups to find this message (after seeing a
> response to it) - strange. Also - it seems this message from "Thee
> Chicago Wolf (MVP)" is set for no archival... "Note: The author of
> this message requested that it not be archived. This message will
> be removed from Groups in 6 days (Mar 24, 7:55 am)."
>
> http://groups.google.com/group/microsoft.public.windowsxp.general/browse_frm/thread/e7b6faa891cb5050/43cfcde4bfedaf12
>
> However - all that being pointed out now - I must ask "Thee Chicago
> Wolf (MVP)" how one can lock down the ability of a computer
> administrator of a workstation to erase files/folders off said
> workstation and make it stick (making it so the administrator of
> said workstation cannot get around said restrictions). I am
> genuinely curious; perhaps there is a method I do not know about.

Thee Chicago Wolf (MVP) wrote:
> Yup, it's called X-No-Archive.
> Well, let's not inject what the OP didn't ask to do.
> The OP wanted to know if it was possible to lock out
> the Admin from deleting a file or folder. And yes,
> it can be done.
> 1. Log in as the Admin.
> 2. Create a folder, let's just do it on C:\ and call it Test.
> 3. Right click it, do Properties, then Advanced, click the Security Tab
> (you did disable Simple File Sharing, right? ;-)), click Advanced again,
> uncheck "Inherit from Parent...", click Remove, click Apply, click Yes,
> click OK twice.
>
> See if you can delete the folder, Admin. See if you can Shift+Delete
> the folder. Nope, you can't.
>
> How about some more fun?
>
> 1. Right click the Test folder, do Properties, then Advanced, click the
> Security Tab, click Advanced again, check on "Inherit from Parent...",
> click Apply, click Yes, click OK twice. All the original inherited
> permissions are back so Admin has full control again, right?
> 2. Copy a couple of small files into the folder.
> 3. Right-click all the files, do Properties, then Advanced, click the
> Security Tab, click Advanced again, uncheck "Inherit from Parent...",
> click Remove, click Apply, click Yes, click OK twice.
>
> Can you delete them? Nope. But ah-ha, you CAN shift+delete them because
> the folder's inheritance will trump whatever the file permissions have
> been set to unless you *explicitly* deny inheritance for the Administrator
> to delete files and folders.
>
> So yes, something you apparently don't know about. ;-)

I know what "X - No - Archive" is, I just never understood why someone
giving a valid answer would ever bother to do this.

Your answer assumes that the person asking and those who might utilize the
computer cannot learn and cannot regain the rights easily - given in the
original post that they are admins. I knew about the fact that you can
assume users cannot figure things out - it's just bad advice. ;-)
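An added audit script, not from any poster in this thread, that checks the two things John's test and Thee Chicago Wolf's walkthrough turn on: whether the file itself carries a Deny on Delete, and who holds "Delete subfolders and files" on the parent folder, since that folder right (FILE_DELETE_CHILD) lets its holder delete the child without any access to the child's own ACL, which is why a Shift+Delete still works. It assumes Windows PowerShell on an NTFS volume, takes the file path as a parameter, and the helper name Get-AcesWithRight is my own; group membership is not expanded, so the identities it lists still have to be mapped to the account being checked.

```powershell
# Added example, not from this thread: audit whether a file's protection
# against deletion can be bypassed through its parent folder's ACL.
# Assumes Windows PowerShell on NTFS; $Path is supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$Path   # e.g. C:\Test\protected.txt (constructed)
)

$FsRights  = [System.Security.AccessControl.FileSystemRights]
$file      = Get-Item -LiteralPath $Path
$parent    = $file.Directory.FullName
$fileAcl   = Get-Acl -LiteralPath $file.FullName
$parentAcl = Get-Acl -LiteralPath $parent

# Hypothetical helper: ACEs in $acl of type $type (Allow/Deny) whose mask contains $right.
function Get-AcesWithRight($acl, $right, $type) {
    $acl.Access | Where-Object {
        $_.AccessControlType -eq $type -and
        (($_.FileSystemRights -band $right) -ne 0)
    }
}

# 1. File-level view: explicit Deny and Allow on the file's own Delete right.
$fileDeny  = Get-AcesWithRight $fileAcl $FsRights::Delete 'Deny'
$fileAllow = Get-AcesWithRight $fileAcl $FsRights::Delete 'Allow'

# 2. Folder-level view: "Delete subfolders and files" on the parent. Full Control
#    on the folder includes it, and it overrides any Delete ACE on the file.
$parentDeleteChild = Get-AcesWithRight $parentAcl $FsRights::DeleteSubdirectoriesAndFiles 'Allow'

"File   : $($file.FullName)"
"         inheritance : " + $(if ($fileAcl.AreAccessRulesProtected) { 'disabled (explicit ACL only)' } else { 'enabled' })
"         Deny Delete : " + (($fileDeny  | ForEach-Object { $_.IdentityReference }) -join ', ')
"         Allow Delete: " + (($fileAllow | ForEach-Object { $_.IdentityReference }) -join ', ')
"Parent : $parent"
"         Allow 'Delete subfolders and files': " + (($parentDeleteChild | ForEach-Object { $_.IdentityReference }) -join ', ')

if ($parentDeleteChild) {
    "RESULT : NOT protected. The identities listed for the parent can delete the file"
    "         regardless of the file's own ACL (e.g. via Shift+Delete)."
} else {
    "RESULT : Delete is governed by the file's own ACL."
}
"NOTE   : Any member of Administrators can take ownership and rewrite either ACL."
```

Run it against a file prepared the way the walkthrough above describes (inheritance removed on the file, inheritance left on C:\Test) to see the parent-folder entry explain why the file still goes away.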

Message has been deleted

Shenan Stanley

Mar 18, 2009, 10:28:51 PM

Shenan Stanley wrote:
> I know what "X - No - Archive" is, I just never understood why
> someone giving a valid answer would ever bother to do this.
>
> Your answer assumes that the person asking and those who might
> utilize the computer cannot learn and cannot regain the rights
> easily - given in the original post that they are admins. I knew
> about the fact that you can assume users cannot figure things out -
> it's just bad advice. ;-)

Thee Chicago Wolf (MVP) wrote:
> It's because I use an nntp client, not a web
> browser (or Outlook?), that has this capability.
>
> The OP didn't ask that so injecting conjecture
> is patently irrelevant. You didn't believe an Admin could be locked out,
> I showed you they could be. The likelihood of an
> average user figuring out permission inheritance
> lockout is about as likely as Bubbles the Monkey
> to understand string theory. And he's DEAD!
> Obviously, an Admin can reverse this. A user with
> Admin rights can too *if* they know how. I never
> set out to prove that it was impervious to reverse
> engineering. A really savvy Admin would hide the
> security tab so it COULDN'T be reverse engineered
> via GUI but then...there is the command line. And
> that can be taken away as well. ;-)
>
> Sorry bruv, you got pwnd on this one. Sour grapes.

So because you *can* use "X - No - Archive", you do it?

Check how often the 'average user' comes to these newsgroups to ask about
"access denied" messages and how to get around them and how often they are
pointed to the proper Microsoft KB telling them how to do it.

The definition of 'average user' has changed over time - since people are
now raised throughout their childhood and throughout their careers in many
cases with computers as a normal part of their lives. Google and other
Internet search engines also level the playing field somewhat.

You gave a half-a$$ed answer, that's just how I see it.

Oh well; you tried to prove something to me and did - unfortunately - it
wasn't likely what you intended to prove. ;-)

You'll likely "X - No - Archive" your response for whatever reason - so - I
doubt I will ever see a response. I don't plan on checking this again - as
the fact is still the same from the beginning... An administrator of a
workstation cannot stop other administrators on the same machine from
undoing whatever they do to the file/folder permissions. Whether or not the
OP asked about it or even knew about it - perhaps it was wiser to point it
out to them.

In any case - everyone does what they want/how they want - and if everyone
agreed, whatever the subject might be, the subject would likely never be
discussed again. ;-)

Message has been deleted