How to make a folder read-only in Windows?
Solution 1
Original answer:
If it's NTFS, you can use the file system security feature.
Edit the folder's "security" tab, I'm assuming you didn't change them before: delete "authenticated users", it may warn you that you must disable inheritance first, do so in the "advance" option.
Make sure UAC is on.
Now when you try to edit/add/delete anything inside that folder, UAC will warn you, you can even set it to higher level that you must enter your password every time.
Edit: The above method is a fool-proof easy guide, which only apply to Windows Vista+ and require admin rights, and untempered file/folder security settings to start with.
However if you understand the principle behind, you can do this on nearly any Windows version with NTFS, on any user account.
Assume your normal working account is A, and another "safe" account is B, you can set the folder owner to B and give full privilege to it (don't forget to check "replace all child object permissions with inheritable permissions from this object"), then add account A as read-only, and now you can only write to it with account B, while still read/use it in the daily account A.
Without administrator rights, you cannot remove administrator from the access list, nor change the owner if it was administrator. But the method should work anyway, also if you create the folder, the owner should be default to you.
PS. All above are based on my experience, welcome to advice if you have better method.
Solution 2
Romeo is correct, you can make your individual files read-only that way through the properties, but you won't be able to protect it from deletion.
A further suggestion, if you'd like to quickly change multiple files to read only.
Open up a command prompt and enter the command attrib +r [path] taking advantage of the wildcard *
Solution 3
It's a single folder containing the files. Each time I make a change, I do "Save As" and increment the version number. However, sometimes I accidentally hit "Save" and overwrite my file – Steven Vascellaro
How to make files within a folder read only accessible
You can use ICACLS and explicitly deny the write attributes permission to all the files within a specific folder and prevent yourself (or any security group) from overwriting or modifying these files but still allow read access to open them.
Below is a batch script with environmental %userdomain%\%username% variables to define the current domain (or local machine name) and username signed onto the machine you execute the batch script as (i.e. <domain>\<username>) to deny the access to the account; this can easily be replaced with any valid domain security group name if needed as well (i.e. <domain>\<securitygroupname>).
Batch Script
Replace the value of the Folder= variable to be the full explicit folder path (or UNC path) to the location you need to make the existing files within read only accessible.
@ECHO ON
SET Folder=C:\Users\User\Desktop\Test
SET Security=%userdomain%\%username%
ICACLS "%Folder%\*" /deny "%Security%":(OI)(WA)
EXIT
If you look at the file ACL permissions, you will see the write attributes with an explicit deny now that applied to this folder and files.
Here's a folder with test documents with V1, V2, and so on which has already had be batch script run against.
If you try to save the file the save as dialogue will pop up, and if you try to overwrite the file that already exists with the same file name, you will get an access denied error message since that file is read-only accessible for this account.
You simply do a save as, give the file a different name but to the same folder which you locked down all the files to be read only accessible, and this is where you'd increment your number up by one or whatever.
Any newly saved files in this folder will now have the write attributes denied and thus these permission restrictions are applied to it effective immediately once the file with the new file name is saved to this folder.
Further Reading and Resources
-
/deny Sid:perm explicitly denies the specified user access rights. An explicit deny ACE is added for the stated permissions and the same permissions in any explicit grant are removed. WA - write attributes inheritance rights may precede either form and are applied only to directories: (OI) - object inherit
Related videos on Youtube
02 : 48
01 : 32
05 : 23
03 : 03
05 : 29
Nemo759
Updated on September 18, 2022Comments
-
Nemo759 almost 2 years
So I want to prevent myself writing into some files into folder. I always works with back_up folders in which I compare, transfer data to target projects. The problem is that sometimes on mistake I edit the Back-Up files. Is there any way I can deny the edit/write permission for myself? I don't want files to be renamed/deleted. Setting the folder read only flag is something that does absolutely nothing - after that I can edit/delete files with no problem again (at least in Win 8.1). This is very important for me - because for now I've corrupted many back_up files that way and this give me a lot of trouble. Any ideas?
I'm running latest version of Windows 8.1 x64.
-
Nemo759 over 9 years็However in this method I can still delete files.
-
Romeo Ninov over 9 yearsI am sorry, but you try to hide from self the things. Build strong discipline when you manipulate files! -
Nemo759 over 9 yearsWhy to bother if OS can do it for me?
-
Romeo Ninov over 9 yearsNo OS can safe from human stupidity
-
Nemo759 over 9 yearsDon't be so sure but anyway let's get back on topic.
-
Romeo Ninov over 9 yearsThere are few ways to do it. 1. Make backup offline and sync via network. 2. Make the folder and files system to get extra warning when deleted or altered
-
Stevoisiak almost 7 yearsWhat if we don't have administrator rights? -
Stevoisiak almost 7 yearsThis only applies to currently saved files. Any file saved to the folder later on will not have the "read-only" attribute
-
Romeo Ninov almost 7 years@StevenVascellaro, check the OP question, he talk all the time about edit/delete existing files. So this solution will work
-
Stevoisiak almost 7 yearsWill this need to be re-run any time I save a new version to the folder? If so, my current solution of occasionally re-marking the entire folder/subfolders as read-only seems to work equally well.
-
Stevoisiak almost 7 yearsI want to restrict the option of overwriting existing files, but I want to be able to save new files to the folder. Essentially, I want the files to become "read only" once they have been created. In hindsight, I think this may have been more appropriate as separate question...
-
I say Reinstate Monica almost 7 years@McDonald's There's no need to repeatedly apply this ACE to files as they're created. Instead, your answer could be made better by applying the DenyWrite AttributesACE to the Folder, but with theApply to: Files onlysetting. This would affect all current and future files and never require re-running the script to apply the ACE to individual files. -
I say Reinstate Monica almost 7 yearsThis is helpful, but it only affects existing files. The OP wants to have the read-only status apply to new files also.
-
I say Reinstate Monica almost 7 years@StevenVascellaro You're probably correct this should have been a separate question. The original question doesn't explicitly state that the OP wanted to be able to add files to his folder. In fact, his opening statement is "I want to prevent myself writing into some files into folder." What you and he are asking are solved differently, especially since it's impossible with NTFS to prevent BOTH creating AND renaming/deleting files.
-
I say Reinstate Monica almost 7 years@McDonald's Another way to improve your answer would be to have a script that periodically modified all existing files to add the
Deny DeleteACE. While there's no way to do this in advance via NTFS permissions set at the folder level, this would satisfy the request of not being able to delete/rename existing files. -
Vomit IT - Chunky Mess Style almost 7 years@StevenVascellaro As Twisty suggested, I've updated the answer to include the syntax to set the permission to apply only toThis folder and filesso now you only need to run the script once for it to work as expected. Big kudos to Twisty for spotting that and mentioning it. It was as simple as adding the(OI)to the script so my answer is updated accordingly. -
Stevoisiak almost 7 years@McDonald's The solution did not work, likely due to corporate-specific file permissions. However, I have realized my issue is outside this question's scope. I am awarding you the bounty as thanks for the significant effort you've shown towards helping me with my issue.