icacls Deny Everyone Directory Delete Permission

TechDude picture TechDude · Sep 9, 2014 · Viewed 10.3k times · Source

I am trying to deny all users from being able to delete a folder (as well as its contents, if possible).

What I currently have is not working.

icacls pics /deny Everyone:(OI)(CI)(DE)

Using the above line neither protects the folder nor its content as I can still delete the folder and all files within it.

Answer

Thomas picture Thomas · Sep 9, 2014

I think i found a solution:

icacls pics /deny Everyone:(OI)(CI)(DE,DC)

which denies the specific rights to delete (DE) and to delete childs (DC).

  • To get this language independent use *S-1-1-0 instead of Everyone. (see Well-Known SIDs)
  • You might still be able to remove the folder if it happens to be empty. If that's a problem, consider setting the read-only flag, e.g., attrib +r pics, and then denying (WA) so it can't be changed (credit to Harry Johnston)