NTFS - allow a user to read, write and save an .xlsx file but not delete it or create new files and folders

file-permissions security microsoft-excel-2010 microsoft-office ntfs

7,908

On the folder (important: set the Applies to for the access rule to This folder only), make sure the user only has these permissions:

Traverse folder / execute file
List folder / read data
Read attributes
Read extended attributes

(If you're setting a deny entry, block these: Create files, Create folders, Write attributes, Write extended attributes, Delete subfolders and files, Delete, Change permissions, Take ownership.) On the file, deny these permissions for the user:

Delete
Change permissions
Take ownership

That arrangement produces the desired results for me on Windows 10. You can use the Effective Access tab of the folder and file to make sure that you don't have other rules interfering with these.

The user will then be able to read and write that file. The user will be unable to rename the file, create new files in that folder, or delete that file. Note that if the user has the "delete" permission on other files in that folder, it will be able to delete them.

Note, of course, that since the user can write to the file, it could just delete everything in it without deleting the file itself. If you don't trust this user, keep backups.

For Excel files specifically, this doesn't do the whole job. Office programs always save the document to a temporary file, delete the original, then rename the temporary one to the real one. You can kind of get around this by fiddling the Registry as instructed by this Microsoft article. Open this key in the user's account:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Common\General

For Office 2013, change 14.0 to 15.0. (It's 16.0 for Office 2016.) Create a new DWORD value called EnableSimpleCopyForSaveToUNC with the data of 1. You'll also have to change the permissions on the folder to let the user Create files / write data. (But since it's on the folder only, the user won't be able to mess with anything else in it, only create new files.) That will let the user save the Excel document, but sadly, the temporary file will stick around.

Would-be commenters might think that CREATOR OWNER permissions, hardlinks, or network shares might help with that, but no.

7,908

MithPaul

Updated on September 18, 2022

Comments

MithPaul over 1 year
I would like to allow a user to work with an already created Excel workbook -say A.xlsx- in a folder. It would be able to open, modify it and save it. It can not rename /delete it or other files nor create new files/folders in that folder.

How can I accomplish this? I have tried setting advanced permissions. In folder only I disabled
- Create files
- Create folders
- Delete subfolders and files
- Delete
and in A.xlsx I disabled
- Delete subfolders and files
- Delete
In this way I was succesful to disable deleting and creating new files/folders but when I want to save A.xlsx by overwriting it it says 'the file was not saved' like it does not have the permission in that directory.
- Bilo almost 8 years
  
  +1, modify is a permission including delete right, you can't exclude it. If you are afraid someone delete a file accidently, you should look for Shadow Copy: google.com.hk/…
- Ben N over 7 years
  
  @Ramhound Actually, you can set up this arrangement, though you have to adjust the permissions of the containing folder too. See my answer.
MithPaul over 7 years

Many thanks! I will try it in my job next Monday. In my case it is Windows 7 but It should be the same. I found that if the user was not given permission to delete the file, the file could not be overwrite.
Ben N over 7 years

@MithPaul It turns out that Excel makes things more difficult than I'd expected. (I only tested with a text file.) I amended my answer, but sadly there doesn't seem to be a way to remove the Excel temporary files from cluttering up the place.