Windows 2003 Server - Deny Deletion of
Disclaimer: Due to the complex nature of Windows Server permissions, these instructions are to be used at your own risk. It is up to you to fully test
everything out prior to applying these kinds of permission rules in a production system.
Griffin Computers cannot and will not assume any responsibility or liability for undesirable results when
following this tutorial.
REASON FOR PUBLISHING THIS
One question I keep getting asked over and over again deals with Windows 2003 Server user permissions:
how do you stop regular logged-in users from deleting top-level folders in a network share?
If you Google this you will find many threads where folks are asking this simple and basic question; unfortunately
most of the published articles on how to accomplish this seem to be complicated and really do not explain things
fully. Things are complicated, but fully explaining them, with pictures of where to go and what
to do, will assist you.
My goal here is to provide a simple tutorial on how to accomplish the above: how to
block regular users from deleting top-level, administrator-created folders within a network share. Ok, so
let's start off by logging into your Windows 2003 server with an administrator account. If you are running
Active Directory you can also log in as a member of Domain Admins.
For this tutorial I am using the following scenario for demonstration purposes:
You want a top level network share called "UserSharedFolders".
Under this top level network share you want 3 top level folders called: AdminForms, CustomerDocs,
You do not want regular users to be able, by accident, to delete, drag and drop or rename these three top
level folders. These you create as static top level folders for your users as the system
You do want your regular users to be able to create new folders, delete folders, rename folders, create
and modify files and delete any files inside of these top level folders.
So lets get going . . .
First you need to create a regular user account called "RegUser", making sure this is
only a regular user account (non-admin). Create your RegUser account now. For the purposes of this
tutorial assign a password of "12345678" and set the account to never expire and the user cannot change the
Ok, now let's create a folder on your server's drive. See the picture below, where I just created
a folder called "UserSharedFolders".
Next let's share it out in the normal fashion. Right click on UserSharedFolders and
select Properties. Now click the Sharing tab and you will be looking at the picture below.
On the above Properties window click on Share this folder.
So below is what the Properties window looks like after clicking on Share this folder.
Now click Apply and then click OK.
After this has been done when you look at your folder in Windows Explorer the icon on the folder
will have been changed showing a hand under the folder to denote this as a network shared folder.
See picture below.
Ok, now right click on UserSharedFolders, select the Properties option and then click on
the Security tab. You should be looking at the picture shown below.
Now on the above Properties screen we are going to make some changes. You need to click the Add button and,
first off, if you are running Active Directory, add the Domain Admins group here and check off Full
Control. This ensures that if you are logged in as a Domain Admin under AD you have full control of this network
In my example case here I am not running AD, so I will not be adding the Domain Admins account, as it does not
exist on my Windows 2003 server.
However, I will be adding the RegUser account I previously created. So click on the Add button and
add in your RegUser account.
Below you can see this same screen after I have added in the RegUser account.
Do not change any permissions here for the RegUser account as the default permissions are just fine.
Please note that in my example I am using one regular user account, but what you add in on the Properties window
above could be a regular user group containing several regular user accounts.
Now click Apply and then click OK.
Now on this same Properties window click the Sharing tab and click the Permissions button.
The following screen will pop up.
On the above Share Permissions screen select the Everyone group and click the Remove button to delete
it. Then click on the Add button and add in your RegUser account. Once your RegUser account has
been added, on the same screen check Allow for both Change and Read.
The Permissions screen should now look like the screen as shown below.
Click OK and OK again.
Now at this point the only account that has access into this share point on the LAN is the RegUser account.
If more than one account or group needs LAN access into this share, you would go ahead and add in any additional
users or groups here and allow them Change or Read permissions, or both.
Fine-tuning permission options can be set here. Let's say you had one group that needs access to do things
such as create new files and folders; you would Allow what you see above. If you had a secondary group that
you only wanted to have Read access (that is, they cannot change anything), only provide this group Read
You could also add a few other administrative accounts to this share point if you wanted, such as
Administrators, System, and Domain Admins if running Active Directory, and Allow these accounts Full Control.
Next right click UserSharedFolders again, select Properties and click the Security tab as shown below.
On the above Properties window click on the Advanced button and the following screen will pop up.
We are not going to make any security setting changes here; I only brought you here so you can in fact see that
your RegUser account has been added into the Permissions on this network share and has only Read & Execute
Just click OK to close this window and click OK again to close the main Properties window.
Now we are going to double click on the UserSharedFolders folder and move into it. Here
we are now going to create our three top-level folders: AdminForms, CustomerDocs and TrainingDocs.
So once these are created you should be looking at the following three top level folders inside
of your UserSharedFolders network share.
Ok, now we are going to test things out to see the final result of our work.
We can use the NET USE command temporarily for this purpose. Below is my NET USE
command to map to our newly created UserSharedFolders network share. You can create this using Notepad and
save it to a .bat or .cmd file so you can run the NET USE over and over again for testing purposes. In the
example below I am mapping a U: drive to the new network share.
NET USE U: /DELETE
NET USE U: \\DELLWEBS-001\UserSharedFolders 12345678 /User:reguser
Notice above how I am using the UNC path \\MyServerName\ShareName to target the new network
share. The next parameter is RegUser's password of 12345678, and finally /User:reguser.
This manually does the drive mapping for me on a workstation (not the server), to provide a test
environment to simulate a login by the RegUser account.
After running the NET USE commands in a .cmd or .bat file, if I now look in
Windows Explorer I will see the share as shown below with my top-level folders displayed.
Ok, now try to delete any one of the above top-level folders inside of your new network share.
Here is what you get . . .
Try to rename one of the folders or drag and drop one of the top level folders into one of
the other folders and you get the same Folder Access Denied message.
Logged in as RegUser, if I move inside the AdminForms folder I can create a new folder called Pete;
see picture below.
I can now also create a file inside the top-level folder AdminForms, or create a file inside
a sub-folder of the folder "Pete".
At this level the user RegUser can delete folders, rename folders, create files, delete files, rename both
folders and files, etc. This will hold true for the two other top level
This can be fine-tuned even more by right clicking on sub-folders and individually setting
special permissions to Deny things at any folder level you wish. Please know that a Deny permission
always overrules any Allow permission, so the most restrictive security policy always applies.
A Bit More Advanced Permissions
So let's take this basic tutorial just
a bit further so you can see how more advanced permissions can work for you. Currently you will find that the
logged-in RegUser can create top-level folders within the UserSharedFolders network share, but you do not want them
to be able to do this here; you only want them allowed to create folders and files within the top-level
folders AdminForms, CustomerDocs and TrainingDocs.
So here is what you do to block this . . .
Logged in as administrator on the server, navigate to your UserSharedFolders network share and right click on
it. This brings up the Properties window shown again below.
Click on the Security tab and then the Advanced button. This brings up the following
Above I have navigated down to highlight my RegUser account. Then click the Edit button and the following
screen will appear.
Notice above I have selected, in the Apply onto: drop-down box, to apply changes to this folder only.
Notice I have checked off Deny for Create Folders / Append Data, Deny for Create Files / Write Data,
Deny for Change Permissions and Deny for Take Ownership. You really do not need to Deny the Delete option, but
I did so anyway.
After checking off what to Deny, click OK; this window will disappear and you will again be looking at
the Advanced Security Settings window, and you should see the following.
Notice there is now a Deny permission entry for the RegUser account that will stop the logged-in
RegUser from creating things within the UserSharedFolders network share, or doing the other things that you set to
Deny. Click Apply and OK to close this window.
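Here is the NTFS side of the whole procedure above as a script. This is an added example, not part of the original tutorial, written for Windows PowerShell 2.0 or later and run as an administrator on the file server. It assumes the share root is D:\UserSharedFolders and that RegUser is a local account, and it makes every rule explicit instead of relying on the permissions inherited from the drive root; share permissions are still set on the Sharing tab as described above.

```powershell
# Added example, not from the original tutorial. Assumptions: the share root is
# D:\UserSharedFolders and RegUser is a local account on this server.
$root     = 'D:\UserSharedFolders'
$user     = "$env:COMPUTERNAME\RegUser"
$topLevel = 'AdminForms', 'CustomerDocs', 'TrainingDocs'

$FR = [System.Security.AccessControl.FileSystemRights]
$IF = [System.Security.AccessControl.InheritanceFlags]
$PF = [System.Security.AccessControl.PropagationFlags]
$AC = [System.Security.AccessControl.AccessControlType]
$subtree = $IF::ContainerInherit -bor $IF::ObjectInherit   # "This folder, subfolders and files"

function New-Ace($identity, $rights, $inherit, $propagate, $type) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $identity, $rights, $inherit, $propagate, $type
}

New-Item -ItemType Directory -Path $root -Force | Out-Null
foreach ($name in $topLevel) {
    New-Item -ItemType Directory -Path (Join-Path $root $name) -Force | Out-Null
}

# Share root: stop inheriting from the drive so the rules below are the whole story.
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' $FR::FullControl $subtree $PF::None $AC::Allow))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    $FR::FullControl $subtree $PF::None $AC::Allow))
# RegUser: Read & Execute everywhere (the default the tutorial keeps on the Security tab).
$acl.AddAccessRule((New-Ace $user $FR::ReadAndExecute $subtree $PF::None $AC::Allow))
# The "Advanced Permissions" step: Deny on "This folder only" for creating
# files/folders, Delete, Change Permissions and Take Ownership.
$denied = $FR::CreateDirectories -bor $FR::CreateFiles -bor $FR::Delete -bor
          $FR::ChangePermissions -bor $FR::TakeOwnership
$acl.AddAccessRule((New-Ace $user $denied $IF::None $PF::None $AC::Deny))
Set-Acl -Path $root -AclObject $acl

# Top-level folders: RegUser may create and fully manage content below them, but
# holds no Delete right on the folders themselves, so delete/rename/move is refused.
foreach ($name in $topLevel) {
    $path = Join-Path $root $name
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule((New-Ace $user ($FR::CreateDirectories -bor $FR::CreateFiles) $IF::None $PF::None $AC::Allow))
    $acl.AddAccessRule((New-Ace $user $FR::Modify $subtree $PF::InheritOnly $AC::Allow))   # "Subfolders and files only"
    Set-Acl -Path $path -AclObject $acl
}
```

After running it, repeat the NET USE test from the workstation: deleting or renaming AdminForms is refused, while creating and deleting a folder inside it succeeds.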
So that pretty much does it, folks, for a Windows 2003 server. To summarize, you now have a
network share called UserSharedFolders and inside this network share three top-level folders. If a regular
user logs in, he/she cannot do anything at the top-level folder location, but can navigate downward inside any one
of the three top-level folders and do whatever he/she wishes. You could go to any lower sub-folder
location and make and adjust finer permissions by user or group to fine-tune things.
This tutorial is a very simple example of how permissions work. In a full production network
environment I may have far more permissions set at various levels within a network share folder
hierarchy; I am just providing you the very basics here. Also, in an Active Directory environment the same
things basically apply, but you are probably dealing with AD user groups instead of the one regular user account
that I used in this tutorial for demonstration purposes. Under AD you are probably going to write a script to
be launched from the Netlogon folder on the domain controller to apply any required mappings for Active Directory users
and groups.
One of the things that I find confuses new network administrators is what permissions to set on
the Security tab versus what permissions to set at the Share permission level. You have to
think of these two as working together to provide permission granularity. The Security tab holds the actual
NTFS hard drive folder and file permissions, that is, what users or groups can do at this level. The Share
permission level controls which users or groups on the LAN have access into the network share. So you do need to
consider permissions at both of these locations and adjust them to obtain your desired end result. In the example
case explained above, after I got all the Security tab permissions in order, I then went to the Share permission
screen and deleted the Everyone group, as I do not want everyone having access to the share. I added
my RegUser account here so only RegUser has access from the LAN into this share point.
It is very important that new network administrators set up something like shown above in a non-production environment and play
with the various permission settings at both the NTFS level and the Share level until they understand what does