Preventing non-admin users from deleting files in Windows 7

Solution 1

In Windows, a file generally gets its ACL from the folder in which it is created. If the folder allows non-owners of files to delete them, then they can, even if the owner is an administrator.

As you note, you can change this for a file, a folder or a folder tree.

To change for all folders you need to first identify which folder trees you want to change (e.g. you shouldn't start changing permissions of C:\Users, C:\Windows, ... and other system folders).

Then for each of these you need to modify the ACL. This can be done in code or script (e.g. PowerShell), but needs more time to write up than I have now (if you just want to copy one ACL to another folder you can get-acl on the first and then set-acl on the other).

However, I would suggest you consider why you want to do this. If a user needs to create files that only they can delete, the best route is to create a folder, with specific ACL, for that purpose. Not to make some global change so the administrator doesn't have to think.
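
One way to build the dedicated folder this answer recommends, as an added example (not code from the answer's author): members of Users can read and create items, only the creator of an item can modify or delete it, and administrators keep full control. The path D:\Shared and the helper names Get-Sid and New-AllowRule are assumptions made for illustration.

```powershell
# Added example. D:\Shared is a hypothetical path; run from an elevated prompt.
$path = 'D:\Shared'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Well-known SIDs avoid depending on localized account names.
function Get-Sid([string]$Value) {
    New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $Value
}
$admins  = Get-Sid 'S-1-5-32-544'   # BUILTIN\Administrators
$system  = Get-Sid 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$users   = Get-Sid 'S-1-5-32-545'   # BUILTIN\Users
$creator = Get-Sid 'S-1-3-0'        # CREATOR OWNER

function New-AllowRule(
    [System.Security.Principal.IdentityReference]$Sid,
    [System.Security.AccessControl.FileSystemRights]$Rights,
    [System.Security.AccessControl.InheritanceFlags]$Inherit,
    [System.Security.AccessControl.PropagationFlags]$Propagate) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Sid, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = Get-Acl -Path $path
# Stop inheriting from the parent folder and drop the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Remove any explicit entries already on the folder so only the rules below remain.
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)
}

$all = 'ContainerInherit,ObjectInherit'   # this folder, subfolders and files
$acl.AddAccessRule((New-AllowRule $admins 'FullControl' $all 'None'))
$acl.AddAccessRule((New-AllowRule $system 'FullControl' $all 'None'))
# Users may read everything, but get no Delete or Write right on existing files.
$acl.AddAccessRule((New-AllowRule $users 'ReadAndExecute' $all 'None'))
# Users may create files and subfolders. This applies to folders only:
# on a file the same bits would mean "write data" and "append data".
$acl.AddAccessRule((New-AllowRule $users 'CreateFiles,CreateDirectories' 'ContainerInherit' 'None'))
# Whoever creates an item gets Modify (which includes Delete) on that item only.
$acl.AddAccessRule((New-AllowRule $creator 'Modify' $all 'InheritOnly'))

Set-Acl -Path $path -AclObject $acl

# Show the resulting entries for review.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```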

Solution 2

When you make a folder as admin, it and its contents apply a default security level that gives accounts in the Users group read and execute but not delete. I would agree with Richard's comment: rather than defining explicit permissions, I would define what you want to do and make sure that the other user accounts use the proper user group. If you have other user accounts and they are in the administrator group, they will be able to access any folders if they drill down to the file system as admin. Even if you set explicit permissions to one user account, a user in the admin group can take ownership and then make any changes they want. Only a more limited account will prevent that.

Author: Donotalo

Updated on September 17, 2022

Comments

  • Donotalo almost 2 years

    My OS is Windows 7 Ultimate. I've noticed that non-admin users of my PC can delete files that are created by admin user. How can I prevent non-admin users from deleting/modifying files NOT CREATED by that user?

    I know how to use the Security tab of a file/folder's properties dialog box. Using that tab, only a single file/folder and its subfolders can be configured so that a particular user/group of users may not modify it. I'd like to know a way by which all non-admin users will be unable to modify files that are not created by them.

    Thanks in advance.

  • Donotalo over 14 years
    I don't want users in the Users group to delete any file used explicitly by admins, even accidentally. Or modify the folder hierarchy in any way.