Junction point protection
Hi there, Has anybody found a good way to protect the Junction Point itself on Windows 2008 from accidental delete/move/rename/etc. operations? I tried to use ACLs but that gave nothing. I don't want to protect the files and folders in the JP. regards Petri
May 25th, 2009 1:46pm
hi there, can you verify if the below procedure works: under Advanced permissions on the target directory, explicitly Deny "Delete Subfolders and Files" and "Delete" for everyone.
PS: In the Advanced Permissions make sure that you don't have a check mark on "Apply these permissions to objects and/or containers within this container only".
Please post back.
sainath
windows driver development.
May 25th, 2009 7:08pm
Hello Petri,
Thank you for posting here.
When we use junction points, Windows Server 2008 automatically redirects a junction point to the target folder. To protect junction points from inadvertent deletion, we can refer to Sainath's suggestion to make use of NTFS ACLs. If you just want to protect the junction point itself, please set the NTFS advanced permissions on the junction point folder to explicitly deny "Delete Subfolders and Files" and "Delete" on Everyone.
For more reference:
How to create and manipulate NTFS junction points
http://support.microsoft.com/default.aspx/kb/205524
Hope this can be helpful for you.
This posting is provided "AS IS" with no warranties, and confers no rights.
May 26th, 2009 8:19am
hi petri, did you get a chance to perform any of the workarounds / action plan suggested by us?
sainath
windows driver development.
May 27th, 2009 10:10am
No, as I mentioned I tried the ACLs already (except I chose only Deny for everyone for Delete). Any other idea? regards Petri
May 28th, 2009 10:46am
Hello Petri,
To the best of my knowledge, controlling ACLs is the most efficient way to prevent the junction point from inadvertent deletion. I am sorry that I have no other idea.
Based on the test on my side, we can prevent the junction point from being deleted by setting an explicit deny rule for Everyone with "delete subfolders and files".
To help you resolve the issue, would you please have a chance to try the following steps to see if it works on your side?
1. Click Advanced button in the properties of the Junction point "Mydesktop"
2. Clear the checkbox of "Allow inheritable permission from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here"
3. Add the deny permission for Everyone on the junction point "Mydesktop", Deny "Delete subfolders and files" and "Delete"
4. Test and verify that the junction point mydesktop cannot be deleted accidentally with the above ACL control.
Hope this can be helpful.
This posting is provided "AS IS" with no warranties, and confers no rights.
May 29th, 2009 11:16am
Hello Petri,
I'd appreciate it if you could drop me a note to let me know the status of the issue in the thread. If you have any questions or concerns, please feel free to let me know. I am happy to be of assistance.
This posting is provided "AS IS" with no warranties, and confers no rights.
June 1st, 2009 4:55am
From a command line, you can use attrib. There is now a /L switch available.
C:\>attrib /?
Displays or changes file attributes.
ATTRIB [+R | -R] [+A | -A ] [+S | -S] [+H | -H] [+I | -I]
[drive:][path][filename] [/S [/D] [/L]]
+ Sets an attribute.
- Clears an attribute.
R Read-only file attribute.
A Archive file attribute.
S System file attribute.
H Hidden file attribute.
I Not content indexed file attribute.
[drive:][path][filename]
Specifies a file or files for attrib to process.
/S Processes matching files in the current folder
and all subfolders.
/D Processes folders as well.
/L Work on the attributes of the Symbolic Link versus
the target of the Symbolic Link
June 1st, 2009 5:14am
My apology, I used the incorrect term... I'm actually working with mount points... if that changes anything. I don't believe so, and I assume so because I started to test this with normal folders and I do have a similar problem. I would like to protect a single folder from an accidental delete operation. As I told, I don't want to protect the files and folders under this one folder. The idea is that I have this folder structure:
c:\Application Folder
c:\Application Folder\Database (this is the mount point)
c:\Application Folder\Database\Folder1\ (contains dynamic data)
Because "Database" is the mount point I would like to protect that one only, but at the same time I don't want to stop ACL inheritance as you asked in step 2 (Clear checkbox). By the way, the UI asks what should be done for ACLs on the higher level (copy, remove...). If I cut the inheritance, the changes on the higher level do not affect files and folders under "Database". Whe I can set "deny" to "this folder" only if that doesn't affect to anywhere. It works when I remove administrators from the ACLs. But not without it. Was there something about the order in which the ACLs are handled, at first inherited accesses and then not inherited? regards Petri
June 1st, 2009 2:22pm
Hello Petri,
Thanks for the reply.
For your concern about the order in which the ACLs are handled, the NTFS system handles the advanced ACLs in the order of the Permission setting which shows in the Screenshot of Step2. As the Everyone Deny rule is listed in the first line, it will be executed first and take priority when there is a conflicting rule in the list. And then, the system will execute the rule Allow Administrators Full control. However, please note that as the Everyone Deny rule has taken effect, the Administrators actually cannot delete the mount point because administrators belong to Everyone.
To fulfill your demand, you may try the following solution:
c:\Application Folder
c:\Application Folder\Database (this is the mount point)
1. Right-click on "c:\Application Folder" and select Properties.
2. Click Security tab and click Advanced button
3. Click Add to add a DENY rule to prevent incidental deletion. Add Everyone in the ACE and in the drop-down list of Apply onto, please select Apply onto: "This folder and Subfolders". In addition, deny the "Delete" and "Delete subfolders and files" permission. These settings can ensure that Everyone is denied to delete all subfolders, including the mount point Database on this level c:\Application Folder.
4. Right-click on "c:\Application Folder\Database" and create an allow rule.
5. Please add an Allow rule to make Users have "Delete Subfolders and Files" and "Delete" permission, Apply onto: subfolders and files only.
6. Click Apply and OK.
Hope it helps.
This posting is provided "AS IS" with no warranties, and confers no rights.
June 2nd, 2009 2:53pm
Hi David, But I don't want to deny delete from subfolders. I want to protect this single folder and in my mind there is a security setting "This Folder". So do you know how to do it? -- Petri
June 2nd, 2009 4:26pm
Like David said. Open the properties page for the folder, click the Security tab and click the Advanced button (the one in the Security tab, not the one in the General tab). When the Advanced Security Settings page opens, click the Edit button (on the Permissions tab). This opens another Advanced Security Settings page, where you can add or remove users and edit the specific permissions for any listed user. This is also where you can specify if the permissions apply to "This folder", "subfolders and files", or all. You can set Deny filters, in addition to Allow filters.
Note: If you don't currently have the permissions to allow you to do what you want, you will have to seize ownership, using the Edit button on the Owner tab.
June 2nd, 2009 8:20pm
If you are a member of the administrators group and if you have created that folder (so you are the owner of the directory) and you set Everyone:Deny - This folder, are you able to delete that folder? For some reason I am, and I do not have any idea why I'm able to delete it. -- Petri
June 3rd, 2009 12:49am
That would seem to be a bug. What if you also add Deny for Administrator, or remove delete permission for everyone?
June 3rd, 2009 1:01am
Hi Petri,
Thanks for the reply.
Based on my test, we can delete a folder even if we have set the NTFS security setting with Everyone: Deny This folder only on it. I think this behavior is caused by FDC which is described in the following Microsoft Knowledge Base article:
We suggest that you may read it for the detailed explanation of FDC permission:
152763 SETUP: File Delete Child directory permission in NTFS
http://support.microsoft.com/default.aspx?scid=kb;EN-US;152763
To work around this FDC permission feature, you may try the suggestion in my previous reply.
Security settings:
C:\Application Folder Everyone: Deny "Delete" and "Delete subfolders and files" Apply onto: "This folder and Subfolders"
C:\Application Folder\Database Everyone: Allow "Delete" and "Delete subfolders and files" Apply onto: "Subfolder and files only"
By doing this, we should be able to protect the mount point Database from being accidentally deleted. Meanwhile, Everyone can delete the subfolders and files under the mount point as you wish.
We are deeply sorry for causing the inconvenience to you. If we have an update on this issue, we will let you know as soon as possible.
Thanks for your understanding.
This posting is provided "AS IS" with no warranties, and confers no rights.
June 3rd, 2009 5:44am
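The two entries listed under "Security settings" in the post above can also be applied from PowerShell instead of the Advanced Security dialog. This is an added example, not part of the original thread; the paths are the ones named in the thread, and the helper `Add-Ace` is a hypothetical name introduced here.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Paths are the ones named in the thread; change them for your system.
$parent     = 'C:\Application Folder'
$mountPoint = 'C:\Application Folder\Database'

# Everyone as a well-known SID, so the script does not depend on the OS language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# "Delete" and "Delete subfolders and files" (the latter is File Delete Child).
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'

# Deny on the parent, Apply onto "This folder and subfolders".
$deny = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

# Allow on the mount point, Apply onto "Subfolders and files only".
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Add-Ace is a hypothetical helper: append one ACE, leave inheritance untouched.
function Add-Ace([string]$Path, $Rule) {
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($Rule)
    Set-Acl -Path $Path -AclObject $acl
}

Add-Ace $parent     $deny
Add-Ace $mountPoint $allow

# List the Everyone entries on both folders to check scope and inheritance.
foreach ($p in $parent, $mountPoint) {
    Write-Host "`n$p"
    (Get-Acl -Path $p).GetAccessRules($true, $true,
            [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $everyone.Value } |
        Format-Table AccessControlType, FileSystemRights, IsInherited,
                     InheritanceFlags, PropagationFlags -AutoSize | Out-Host
}
```

In the printed table, `ContainerInherit` with `None` corresponds to "This folder and subfolders", and `ContainerInherit, ObjectInherit` with `InheritOnly` corresponds to "Subfolders and files only".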
Hello Petri,
I want to see if the information provided was helpful. Please keep us posted on your progress and let us know if you have any additional questions or concerns.
Thanks.
This posting is provided "AS IS" with no warranties, and confers no rights.
June 8th, 2009 12:23pm


