Remove delete permission for Active Directory group in Microsoft 2008 Server R2


Although this is not a particularly good approach, to do it this way, you'd be concerned with the Delete and Delete subfolders and files permissions. (Advanced options in the Security tab, if using the GUI.)

Probably the easiest way would be to Deny those permissions on your volume roots, to the group in question. Make sure you also prevent the group in question from having Change permissions or Take ownership rights, or they'll be able to grant themselves those permissions back. (Also make sure to apply the permissions all the way down - Apply to: This folder, subfolder and files - and catch the files and directories where the permissions are unable to be applied.)

Of course, as mentioned in the comments, Deny ACEs can cause some issues, so this is probably not the best approach to whatever it is you're trying to accomplish. People you can't trust to not delete stuff shouldn't be on the server in the first place. I'd probably just give them read only permissions to whatever directory tree they needed, rather than going through the extra effort of allowing full access to the server and then customizing advanced permissions options.
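The Deny approach described in the answer above, as an added PowerShell example that is not part of the original answer. It sets the Deny ACE on one volume root and then lists the items that will not inherit it. The group name `EXAMPLE\NoDeleteUsers` and the root `D:\` are placeholders, and the script assumes an elevated Windows PowerShell session on the file server.

```powershell
# Added example. Placeholders (assumptions, not from the post): group and root path.
$Group = 'EXAMPLE\NoDeleteUsers'   # hypothetical AD group
$Root  = 'D:\'                     # volume root to protect

# Rights named in the answer: the two delete rights, plus the two rights that
# would let group members grant themselves delete access again.
$Rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# "This folder, subfolders and files" = ContainerInherit + ObjectInherit, no propagation flags.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Deny      = [System.Security.AccessControl.AccessControlType]::Deny

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, $Rights, $Inherit, $Propagate, $Deny

# Add the Deny ACE to the root; existing ACEs are left in place.
$acl = Get-Acl -Path $Root
$acl.AddAccessRule($rule)
Set-Acl -Path $Root -AclObject $acl

# Audit: find items below the root that will NOT receive the inherited Deny ACE,
# either because inheritance is blocked there or because the ACL cannot be read.
$gaps = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable listErrors |
    ForEach-Object {
        $item = $_
        try {
            # .NET Framework method; avoids wildcard handling of names containing [ or ]
            if ($item.GetAccessControl('Access').AreAccessRulesProtected) {
                New-Object PSObject -Property @{ Path = $item.FullName; Reason = 'Inheritance blocked' }
            }
        } catch {
            New-Object PSObject -Property @{ Path = $item.FullName; Reason = 'ACL not readable' }
        }
    }

$gaps | Format-Table -AutoSize Path, Reason

# Directories that could not even be enumerated also need manual review.
$listErrors | ForEach-Object { $_.Exception.Message }
```

Every path in the output needs its own review, because the Deny ACE set on the root does not reach it. An explicit Allow ACE on a child is also evaluated before an inherited Deny, so an audit of explicit Allow entries for the same group is a useful follow-up.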


Author by

Flea

Updated on September 18, 2022

Comments

  • Flea over 1 year

    I've created a group in Active Directory and I would like to prevent all users in this group from being able to delete any files on the server. How would I go about doing this?

    • Zoredache about 10 years
      There is no simple 'prevent delete' setting. You must review all your ACLs on any shares, filesystems, and other objects. Do keep in mind that preventing deletion often means making things read only. There are several applications that simply will not be able to 'modify' a document unless they have the ability to delete it.
    • HopelessN00b about 10 years
      @Zoredache actually, there kinda is a "prevent delete" setting, at least with NTFS.
    • Zoredache about 10 years
      @HopelessN00b, Yes, I know you can have a Deny ACE on the filesystem that prevents deletion, but it isn't system-wide, you must look at all the filesystems, and pay attention to any locations where inheritance is blocked. Deny ACEs interact badly with other ACLs because of the inherent problems with deny ACEs.
  • Flea about 10 years
    Great, thanks! I appreciate it! Sounds like the right approach!