icacls Deny Everyone Directory Delete Permission

房东的猫 submitted on 2019-12-11 03:48:56

Question


I am trying to deny all users from being able to delete a folder (as well as its contents, if possible).

What I currently have is not working.

icacls pics /deny Everyone:(OI)(CI)(DE)

Using the above line neither protects the folder nor its content as I can still delete the folder and all files within it.


Answer 1:


I think I found a solution:

icacls pics /deny Everyone:(OI)(CI)(DE,DC)

which denies the specific rights to delete (DE) and to delete children (DC).

  • To make this language-independent, use *S-1-1-0 instead of Everyone (see Well-Known SIDs).
  • You might still be able to remove the folder if it happens to be empty. If that's a problem, consider setting the read-only flag, e.g., attrib +r pics, and then denying (WA) so it can't be changed (credit to Harry Johnston).



Answer 2:


To prevent deletion of a file, you need to deny the Delete permission on the file and deny the Delete Child permission (a.k.a. "Delete subfolders and files") on the containing folder. Neither must be allowed if you want to truly prevent deletion.

In other words, Windows allows deleting a file if either or both of the permissions are granted.

The above part of the answer should be enough if you are permitted to change the permissions of the containing folder; otherwise, there are tricks that can prevent your folder from being deleted (all tested by me).

  1. You can create a (hidden) dummy file within the folder and prevent deletion of that file (using access control again).
  2. All delete actions, whether through the Windows Explorer GUI or the DEL or RMDIR command, cannot delete a read-only file or folder directly; what the aforementioned commands do is try to remove the read-only attribute from the file before doing the delete operation. So setting the read-only attribute on a folder while denying the Write Attributes (WA) permission will effectively prevent the folder from being deleted.

Here is a batch script example of combining two tricks together:

ECHO.>"myfolder\dummy"
REM Technically R is sufficient to prevent deletion,
REM but it wouldn't hurt to add H and S attributes.
attrib +R +H +S "myfolder\dummy"
REM Deny permissions on dummy file.
REM Hint: S-1-1-0 means Everyone; S-1-5-7 means Anonymous Logon group
icacls "myfolder\dummy" /deny *S-1-1-0:^(DE,WA^) *S-1-5-7:^(DE,WA^)

REM Make folder read-only and deny permissions on it.
attrib +R "myfolder"
icacls "myfolder" /deny *S-1-1-0:^(DE,DC,WA^) *S-1-5-7:^(DE,DC,WA^)
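A PowerShell version of the same two tricks, followed by a check of the resulting ACL and attribute, added here as an example that is not part of either answer; the target path, the `Add-DenyAce` and `Test-DeleteProtection` helper names are hypothetical.

```powershell
# Added example (not from the original answers): apply Answer 2's two tricks
# with Get-Acl/Set-Acl instead of attrib/icacls, then verify what was set.
# Assumptions: $Target is a hypothetical path and you may change its ACL.
param([string]$Target = 'C:\data\pics')

$Everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # Everyone
$Anonymous = [System.Security.Principal.SecurityIdentifier]'S-1-5-7'   # Anonymous Logon
$F = [System.Security.AccessControl.FileSystemRights]

function Add-DenyAce([string]$Path, [System.Security.AccessControl.FileSystemRights]$Rights) {
    # Explicit, non-inherited deny ACEs for both SIDs, as in the icacls lines above.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($sid in $Everyone, $Anonymous) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $Rights, 'Deny')))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Set-Attr([string]$Path, [System.IO.FileAttributes]$Flags) {
    # OR the flags in so the Directory attribute of a folder is preserved.
    $item = Get-Item -LiteralPath $Path -Force
    $item.Attributes = $item.Attributes -bor $Flags
}

function Test-DeleteProtection([string]$Path) {
    # Report which of DE / DC / WA are denied to Everyone and whether ReadOnly is set.
    $rules  = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $denied = 0
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and $r.IdentityReference.Value -eq 'S-1-1-0') {
            $denied = $denied -bor [int]$r.FileSystemRights
        }
    }
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    [pscustomobject]@{
        Path     = $Path
        DenyDE   = ($denied -band [int]$F::Delete) -ne 0
        DenyDC   = ($denied -band [int]$F::DeleteSubdirectoriesAndFiles) -ne 0
        DenyWA   = ($denied -band [int]$F::WriteAttributes) -ne 0
        ReadOnly = ($attrs -band [System.IO.FileAttributes]::ReadOnly) -ne 0
    }
}

# Trick 1: read-only dummy file that itself cannot be deleted. Attributes go on
# BEFORE WriteAttributes is denied, otherwise the attribute change is refused too.
$dummy = Join-Path $Target 'dummy'
New-Item -ItemType File -Path $dummy -Force | Out-Null
Set-Attr -Path $dummy -Flags 'ReadOnly, Hidden, System'
Add-DenyAce -Path $dummy -Rights ($F::Delete -bor $F::WriteAttributes)

# Trick 2: read-only folder with DE, DC and WA denied on the folder itself.
Set-Attr -Path $Target -Flags 'ReadOnly'
Add-DenyAce -Path $Target -Rights ($F::Delete -bor $F::DeleteSubdirectoriesAndFiles -bor $F::WriteAttributes)

Test-DeleteProtection -Path $Target; Test-DeleteProtection -Path $dummy
```

Deny ACEs take precedence over allows, so the check only needs to confirm the deny bits are present; compare with `icacls "$Target"` if you want the raw (DE,DC,WA) view.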


Source: https://stackoverflow.com/questions/25746550/icacls-deny-everyone-directory-delete-permission
