Yeah, I am responding to an old post.
"Delete
subfolders and files" guarantees you the ability to delete sub-files/folders even if you do not have the delete permission.
It is a complicated question/thread.
You can use an explicit "deny" on "this folder only" for "delete". What this nets you is if a person tries to take direct action on that folder, it will fail. However,
if they take action on one of the folders ancestors (higher in the folder tree), you will get varied results depending on the copy/move rules configured on the computer taking the action. By default, a move within the same volume on an ancestor will
still work because the action is being taken on the folders ancestor, and not the actual file/folder the deny is set on. If the move action is taken on an ancestor between volumes, it will move some subset of files until the move operation actually
tries to move the folder configured with a deny, and then an error will be thrown when the operation attempts to delete the original file after it is copied. This may result in some of the content being moved to the new location, and some of the content
being left in the source location. In short, you can make some configuration choices that will help, for example you can configure a delete inhibit on a root level folders, but protecting folders further down the folder tree is a choice you will need
to evaluate because the net result can be confusing both to the end user and the administrator.
BUT... if the volume grants "Delete subfolders and files" to the administrators, which is part of the default rights for "Full Control", then when an administrator attempts a move between
volumes, it will work because the the volume level rights guaranteed the delete operation, and thus the move is successful.
In essence, even root level folders are subject to accidental moves by a quick clicking administrator.
In a similar manner, a move between volumes will succeed if the person performing the operation has "full control" or "delete subfolders
and files" on an ancestor. This is one of the reasons not to grant "Full Control" when assigning NTFS rights to end users.
To complicate this even further, you may see varying results from NAS units and other "Simulated" Windows servers if they interpret the owner of a folder as an implicit "full control".
Like I said, the question and answer is more complicated than it appears. As with any answer posted on the Internet, the previous statements may be inaccurate or
completely false, so test test test.
-
Edited by
IdahoAnalyst
1 hour 43 minutes ago