Windows – In a “Full Control” folder, deny “rename & delete” on some specific subfolders

file-permissions, security, windows

I have a folder 'Clients' where users can create and delete files and folders as they want.
I allowed the user groups the Read, Read & Execute, Modify and Write permissions.

I want to create in this folder a subfolder 'Invoices':

  • where the users can't rename or delete the 'Invoices' subfolder (other subfolders can be renamed or deleted by users)
  • where the users are allowed to create and delete files and folders in the 'Invoices' subfolder

Thanks for helping me

Grégoire

Best Answer

A handy lookup chart: http://technet.microsoft.com/en-us/library/cc787794%28WS.10%29.aspx

To do this you'll need to turn off inheritance on that one folder, and set a series of rights. This is all done under the 'advanced' tab for permissions, or from the command-line if you'd rather. Unfortunately, the commands change between WinXP and Vista/Win7.

If you want to just allow creating/deleting files in the Invoices sub-folder, but not modifying anything, and prevent delete/rename of the Invoices folder...

On the Invoices folder:

  • Block inheritance from parent folder
  • Set to "This object, sub-folders and files" (the default)
    • Traverse Folder / Execute File
    • List Folder / Read Data
    • Read Attributes
    • Read Extended Attributes
    • Read Permissions
  • Set to "Sub-Folders and Files Only"
    • Delete
    • Write Attributes
  • Set to "Sub-folders only"
    • Create Files / Write Data
    • Create Folders / Append Data

Change the Creator/Owner rights on Invoices (this will prevent owners of created files from changing things they shouldn't):

  • Traverse Folder / Execute File
  • List Folder / Read Data
  • Read Attributes
  • Read Extended Attributes
  • Read Permissions
  • Delete

Yes, this is complex, but it should do what you want.
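
The permission list above, transcribed into a PowerShell script (an added example, not part of the original answer). The path, the group name, the "subfolders and files only" scope for CREATOR OWNER, and the Full Control entries for Administrators and SYSTEM are assumptions.

```powershell
# Added example: the ACE list from the answer above, applied with Get-Acl/Set-Acl.
# Run elevated. $Path and $Group are assumed values.
$Path  = 'D:\Clients\Invoices'    # assumed folder location
$Group = 'EXAMPLE\ClientUsers'    # assumed user group

$read = 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, ReadPermissions'
$all  = 'ContainerInherit, ObjectInherit'

# Each entry: identity, rights, inheritance flags, propagation flags
$entries = @(
    # "This object, sub-folders and files"
    @($Group, $read, $all, 'None'),
    # "Sub-Folders and Files Only": no Delete right on Invoices itself
    @($Group, 'Delete, WriteAttributes', $all, 'InheritOnly'),
    # "Sub-folders only"
    @($Group, 'CreateFiles, CreateDirectories', 'ContainerInherit', 'InheritOnly'),
    # Creator/Owner rights (scope assumed: subfolders and files only)
    @('CREATOR OWNER', "$read, Delete", $all, 'InheritOnly'),
    # Assumption, not in the answer: keep administrative access once inheritance is blocked
    @('BUILTIN\Administrators', 'FullControl', $all, 'None'),
    @('NT AUTHORITY\SYSTEM', 'FullControl', $all, 'None')
)

$acl = Get-Acl -LiteralPath $Path

# Block inheritance from the parent folder and discard the inherited entries
$acl.SetAccessRuleProtection($true, $false)

# Drop explicit entries already on the folder so only the list above remains
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $e[0], $e[1], $e[2], $e[3], 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $Path -AclObject $acl

# Check the result: every entry should show IsInherited = False
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, IsInherited -AutoSize
```

NTFS also permits deleting or renaming a folder when the caller holds "Delete Subfolders and Files" on the parent, so this ACL only protects Invoices if the group's rights on Clients stop at Modify, as in the question.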