SG Windows IT Pro Group

Found that  NTFS cannot have deny delete rights and have rename rights at the same time.

Not sure if this can be done, to allow a user to rename a file but yet not allow the user to delete the file.

Anyone know aworkaround for this?

Deny rights always take precedence. But for your case, it's definitely possible. =) Just go to advanced security settings an work on more granular controls.

You might want to remove administrator ownership so as not to let them modify the permission.

thanks but it does not work.

apparently it seems that rename uses the delete function to delete the original and recreate the new file.

tried with modify permission allow but deny delete and a various mix and match but no avail.

wondering if there is any workaround this

I don't think you can do that.

In basis terms, copy, delete, rename, move requires write permission.

Read and Execute are another set of permissions.

"Deny" will over-ride any other permission. The moment you deny the "delete", it will be as what Bernard mention, the rest of the permission will not work.

So, if you want to test further, you may choose NOT to "Deny" the "Delete". What you can try instead is NOT to grant "modify" rights to the user and leave "Delete Subfolder and files" and "Delete" empty.

Then try again by applying different permission on "This Folder Only" follow by "SubFolders and Files Only". Give a try and hope you can achieve what you need.

Good Luck.

Thanks for all the input. checking out the web i found that it cannot be done. apparently it seems that for NTFS files sys, a rename seems to include delete operation, i read that it was a delete/create operation and thus delete right is needed. (MS server 2003 AD)

but let me describe the scenario i have.

A current user was having full access,  now due to some circumstances, he is not allowed to delete any files/folders . I want to implement such that he is not able to delete any files/folders but yet be able to rename any file ( i have no issues with create,write,excute,read functionality).

A very manual workaround i found is for the user to create the file he needs on desktop and then rename it before putting it in the network drive(which he does not have delete permission). or even a save as different file name (multiple versions of same file argh!!!) or get another user to rename (argh argh argh!!!) ...

but these workarounds can't do .... all process workaround, wonder if there is a technical solution :p

wonder if the user has to just live with it or i can make his life easier.  

There is always a way, but you will need to build/develop a shell for it.

* sweat* honestly that seems to be quite beyond my abilities.

Actually, a quick question.
Is there any reason why you want to prevent someone from deleting?

As in, is there a political reason?

There are 2 things u might want to look into. You can still allow that person to have delete rights.

1. Turn on file auditing so you know of someone has deleted a file through the event log. You can also setup a notification for this.
2. Turn on Shadow Copies. So that even if a file is deleted, it can be easily restored by the user.

yup its a mgt decision so you can say its to prevent some mischief

i have some space limitations so can't implement shadow copy

File auditing is a great idea, i'll implement this for the user.

i have backups in place so i tihnk together with file auditing, we can backtrack and recover if neccessary.

thanks for the advice! :D

Dennis is right, you could explore the possibility of coding an application to suit your requirements (my take, an ASP or a vb.net app + the right impersonation stuff should do the trick). Post this on the SGDOTNET forums where the evil developers lurk and they may be able to help you out. =)