0 Votes

Deny Delete Permissions and Retain At Least Read Permissions as Admin

I have seen multiple questions and answers regarding denying delete permissions to users, but none of them seem to be working for me. I am logged in to my personal Windows 10 PC as an admin user. There are some files I want to stop myself from deleting by accident. I tried denying delete permissions to Everyone, but that doesn't work. So I tried testing permissions on a random file I copied to see if I could figure it out. If I remove all permissions that exist and start fresh on a file, and just deny delete permissions, it's fine and I am not allowed to delete. But once I add any read-related permissions, I can now delete the file. I don't know why giving read permissions would allow me to delete. Is there a solution for this where I can still read?


windows-10-security

1 Answer

1 Vote
cooldadtx answered

The owner of an item always has rights to do what they want. If you create something then you're the owner. Administrators can always take ownership of an item and therefore admins can always do whatever they want as well.

Deletion requires one of two permissions: delete permission on the file, or delete subtree permission on the folder(s) containing the file. If either of these is true then you can delete the file. Read and other permissions do not influence this.

Example 1:
You have a folder F that you created. As the owner you have delete subtree permission on it + any inherited permissions.
You create a file A in that folder and then explicitly give yourself deny delete permissions.
You can still delete the file because you have delete subtree permissions on the parent.
You can confirm this using the Effective Access UI in Windows Explorer on the folder and then the file.

Example 2:
You create a new folder G under F.
You disable inheritance and copy all the permissions from the parent folder F to G.
You remove the delete subtree rights from your user account (plus the Administrators group).
You create a file A in the subfolder G and then explicitly deny delete permissions to your user account.
You cannot delete the file because your user account is denied that permission AND your account and the group(s) you are a member of do not have the delete subtree right.
You can open the file for reading because you have read rights.
You can open the file and edit it because you have write rights.
You get an error if you try to delete the file because you have been denied rights.
Again, you can confirm this using the Effective Access UI in Windows Explorer.
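The steps in Example 2 can be scripted and verified instead of clicked through in Explorer. The following PowerShell is an added example, not part of the answer above: it builds a folder G under a constructed scratch path in %TEMP%, breaks inheritance while copying the inherited ACEs, strips the "Delete subfolders and files" right (FileSystemRights.DeleteSubdirectoriesAndFiles) from the current user and BUILTIN\Administrators, creates a file A with an explicit Deny Delete ACE for the current user, and then checks that reading and writing still work while deletion fails. The folder and file names and the %TEMP% location are assumptions for the demonstration.

```powershell
# Added example (not from the original answer): reproduces Example 2 with PowerShell.
# Assumes a writable scratch location under $env:TEMP; folder/file names are constructed.
$root = Join-Path $env:TEMP 'acl-demo'
$g    = Join-Path $root 'G'
$a    = Join-Path $g 'A.txt'
New-Item -ItemType Directory -Path $g -Force | Out-Null

$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$admins = 'BUILTIN\Administrators'

# 1. Disable inheritance on G but keep copies of the inherited ACEs (Explorer: "Convert inherited
#    permissions into explicit permissions"). Re-read the ACL afterwards so the copies are visible.
$acl = Get-Acl -Path $g
$acl.SetAccessRuleProtection($true, $true)   # isProtected = $true, preserveInheritance = $true
Set-Acl -Path $g -AclObject $acl
$acl = Get-Acl -Path $g

# A CREATOR OWNER template ACE (if the parent had one) would hand the file's owner full control,
# including Delete, on every new file; remove it so the test only depends on the ACEs set here.
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'CREATOR OWNER')

# 2. Replace the allow ACEs for the user and Administrators with Full Control minus
#    DeleteSubdirectoriesAndFiles (the right Explorer labels "Delete subfolders and files").
$rights = [System.Security.AccessControl.FileSystemRights]::FullControl -bxor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
foreach ($id in @($me, $admins)) {
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$id)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $g -AclObject $acl

# 3. Create file A inside G and add an explicit Deny Delete ACE for the current user.
Set-Content -Path $a -Value 'keep me'
$facl = Get-Acl -Path $a
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $me,
    [System.Security.AccessControl.FileSystemRights]::Delete,
    [System.Security.AccessControl.AccessControlType]::Deny)
$facl.AddAccessRule($deny)
Set-Acl -Path $a -AclObject $facl

# 4. Verify the effective result: read and write succeed, delete is refused.
Get-Content -Path $a                                   # read still works
Add-Content -Path $a -Value 'still writable'           # write still works
try {
    Remove-Item -Path $a -ErrorAction Stop
    Write-Warning 'File was deleted: some remaining allow ACE still grants Delete on A or DeleteSubdirectoriesAndFiles on G.'
} catch {
    Write-Host "Delete blocked as expected: $($_.Exception.Message)"
}

# Show the resulting ACEs so they can be compared with the Effective Access UI.
(Get-Acl -Path $g).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
(Get-Acl -Path $a).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

If the warning branch fires, list the folder's ACEs and look for any remaining entry (a group such as Users, or an inherited ACE that was not copied as explicit) that still carries DeleteSubdirectoriesAndFiles on G or Delete on A; that is exactly the case the answer's first paragraph describes, since a single qualifying allow on the parent is enough. The protection is also only against accidental deletion: as the answer notes, an administrator can still take ownership or edit the ACL and remove the deny.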
