I am trying to deny all users from being able to delete a file. I'd like any user to be able to read or exeucute the file, but not modify or delete it. However, after I use the following code via the command prompt, no one can even access the file in the first place!
icacls pic.jpg /deny Everyone:(D)
I've tried variations of granting some permissions and denying others to no avail. How can I accomplish this (on Windows 7/8)?
On
To prevent deletion of a file, you need deny the Delete permission on the file and deny Delete Child permission (a.k.a. "Delete subfolders and files") on the containing folder. Both must not be allowed in order to truly prevent deletion.
In other words, Windows allows deleting a file if either or both of the permissions are granted.
So, suppose you are protecting foo\bar.txt from deletion, you should at least:
icacls foo\bar.txt /deny Everyone:(DE) *S-1-5-7:(DC)
icacls foo /deny Everyone:(DC) *S-1-5-7:(DC)
Note that I include S-1-5-7 (ANONYMOUS LOGON) within the deny list because anonymous logon is not included in Everyone group since Windows XP, and it's better to explicitly deny anonymous logon anyway.
EDIT: Be careful that in icacls the (D) permission is different from (DE). The former includes the Synchronize right while the latter is the Delete right alone. If you deny Synchronize right you might not be able to access (browse or CD to or DIR on) the folder.
Warning: icacls has a bug that files with (DE) right alone denied will show as (DENY)(D) instead of (DENY)(DE) upon query. Reported in 2 3. As mentioned above (D) and (DE)
are different.
To protect a file you must use:
to protect a folder with it's content use:
D is an combination of different access rights, if you want to grant the right to delete files.
To get this language independent use
*S-1-1-0instead ofEveryone.(OI)= Object Inheritance(CI)= Container Inheritance