Windows 7: Why does icacls "Deny:D " - delete also deny read/Traverse access on a folder?
Hello experts!

OS: Windows 7 Prof

I am having a strange problem. I am trying to revoke delete permission on a folder. This folder would have multiple subfolders and files. This is what I am doing at the command prompt:

    icacls.exe "c:\Folder" /deny Administrators:D

It is able to remove the Delete permission on that folder. But every time I try to access it by double-clicking on it, it errors out with "Permission Denied". Why is this so? Am I doing something wrong here?

Apparently, someone had a similar problem and they posted it here: http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/430f61ee-b278-4cfe-8697-f085f9842d00

Any ideas to get around it?
May 20th, 2012 12:39am

1. There is a trick with Scheduled Tasks. Run the script as SYSTEM with elevated rights.
2. Double-check the command syntax with icacls /?

Regards
Milos
May 22nd, 2012 12:58am

Hi,

Actually /Deny:D does not deny read/Traverse permission on a folder, but it adds a "deny synchronization" permission on the folder. The Windows 7 client uses SMB2, which seems to need this permission although you may not be actually accessing a share. This should be a bug.

As a workaround, please use /deny:(DE) instead of /deny:D. I have tested the /deny:(DE) command and it worked on my end.

Hope my post is helpful to you.

Regards,
Denny

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 23rd, 2012 10:06am

Unfortunately, it did not work. The minute after I applied the deny, I was able to straight delete the folder. :/
May 23rd, 2012 11:10am

Hi,

The reason why you were able to delete the folder may be that you have given the user the "Delete Subfolders and files" permission on the parent folder.

I have tested the /deny:(DE) command on the child folder and it worked as I expected if I cleared the "Delete Subfolders and files" entry on its parent. I was able to access the child folder without any error, and I could not delete it.

So we can conclude that if we just add "Delete Subfolders and files" on a parent folder and do not give "Delete" permission on its children, the user is still able to delete the child folders straight, which may make us feel confused.

Regards,
Denny
May 26th, 2012 9:12am


I struggled with this today. "D" is not Delete. It is a set of rights needed to Delete, used in the simple rights instead of advanced. "DE" is the single right for Delete. You have to remove the incorrect setting that icacls added before you can do it correctly.

Here's what I have:

    icacls c:\whatever\folder\parent\child /deny *WD:(NP)(DE)

Which denies the right to delete for World (everyone) for the child folder ONLY. But it doesn't work if you have the Delete Child right from the parent folder (which is normally true). So you also have to do this:

    icacls c:\whatever\folder\parent /deny *WD:(NP)(DC)

Which denies the "Delete Child" right for World (everyone) for the parent folder ONLY.
June 20th, 2012 4:50pm
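
The access-mask logic this thread arrives at, as a simplified Python model added here for illustration (it is not code from any poster and not the Windows implementation). It assumes, as the replies describe, that the icacls simple right D expands to DELETE plus SYNCHRONIZE and that opening a folder requests SYNCHRONIZE; the ACLs are constructed samples.

```python
# Access-mask bits as defined in the Windows SDK (winnt.h).
DELETE            = 0x00010000  # icacls specific right "DE"
SYNCHRONIZE       = 0x00100000  # icacls specific right "S"
FILE_LIST_DIR     = 0x00000001  # FILE_LIST_DIRECTORY, icacls "RD"
FILE_DELETE_CHILD = 0x00000040  # icacls "DC" (Delete Subfolders and Files)
FULL_CONTROL      = 0x001F01FF  # icacls "F"

# Assumption taken from the thread: simple right "D" = DELETE + SYNCHRONIZE.
ICACLS_D = DELETE | SYNCHRONIZE

def granted(acl, desired):
    """Simplified access check: walk ACEs in order. A deny ACE covering a bit
    that is still needed fails the request; allow ACEs satisfy bits."""
    remaining = desired
    for ace_type, mask in acl:
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if not remaining:
            return True
    return False

def can_open_folder(acl):
    # Assumption: browsing into a folder requests list access plus SYNCHRONIZE.
    return granted(acl, FILE_LIST_DIR | SYNCHRONIZE)

def can_delete(child_acl, parent_acl):
    # Deletion succeeds with DELETE on the object itself OR
    # FILE_DELETE_CHILD on its parent folder.
    return granted(child_acl, DELETE) or granted(parent_acl, FILE_DELETE_CHILD)

# Constructed sample ACLs (explicit deny ACEs first, as in canonical order).
PARENT_FULL    = [("allow", FULL_CONTROL)]
PARENT_DENY_DC = [("deny", FILE_DELETE_CHILD), ("allow", FULL_CONTROL)]
CHILD_DENY_D   = [("deny", ICACLS_D), ("allow", FULL_CONTROL)]
CHILD_DENY_DE  = [("deny", DELETE), ("allow", FULL_CONTROL)]

def scenarios():
    return {
        "deny D: folder opens":             can_open_folder(CHILD_DENY_D),
        "deny DE: folder opens":            can_open_folder(CHILD_DENY_DE),
        "deny DE, parent has DC: deletable": can_delete(CHILD_DENY_DE, PARENT_FULL),
        "deny DE + parent deny DC: deletable": can_delete(CHILD_DENY_DE, PARENT_DENY_DC),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:40} {result}")
```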

This topic is archived. No further replies will be accepted.
