
Thread: Prevent folder move and delete in 2003 Server

  1. #1
    cjg.groups Guest

    Prevent folder move and delete in 2003 Server

    Hello. Can NTFS permissions prevent a user from moving or deleting a
    folder in Windows 2003 Server? Please provide any adjustments to the
    detailed example below.

    My extensive testing has shown that:
    When a user deletes a folder, the contents of that folder are deleted
    first, THEN that folder's permissions are checked and obeyed. Giving
    the user "deny Delete" permission on a folder prevents the folder from
    being deleted AFTER its contents have been erased. A similar problem
    happens when moving this folder.


    Here is my test setup. I'm trying to prevent Subfolder B from being
    deleted or moved. I'm allowing Users to create/delete/modify files
    and folders within Subfolder B.

    Parent folder A:
    - Inheritance off
    - Everyone has Deny Delete on "this folder and subfolders" with "Apply
    to objects/containers within this container only" checked.
    - Users have Allow "Read and Execute" on "this folder, subfolders,
    files"

    Subfolder B:
    - Inheritance off
    - Users have Deny Delete on "this folder only"
    - Users have Allow "Read/Write/Execute" on "this folder only"
    - Users have Allow Modify on "subfolders and files only"

    "Parent folder A" is included because it contains many subfolders like
    "Subfolder B" which need this protection. I see some inefficiency in
    this which I'll try to fix.

    When a user deletes Subfolder B, the files and folders it contains are
    deleted, THEN the user is denied from deleting Subfolder B. How can
    the folder AND its contents be protected from an attempt to delete the
    folder, still allowing the user to modify the contents of the folder?
    Thank you.

  2. #2
    cjg.groups Guest

    Re: Prevent folder move and delete in 2003 Server

    On Oct 27, 4:54 pm, "cjg.groups" <cjg.gro...@gmail.com> wrote:
    > Hello. Can NTFS permissions prevent a user from moving or deleting a
    > folder in Windows 2003 Server? Please provide any adjustments to the
    > detailed example below.
    >
    > My extensive testing has shown that:
    > When a user deletes a folder, the contents of that folder are deleted
    > first, THEN that folder's permissions are checked and obeyed. Giving
    > the user "deny Delete" permission on a folder prevents the folder from
    > being deleted AFTER its contents have been erased. A similar problem
    > happens when moving this folder.
    >
    > Here is my test setup. I'm trying to prevent Subfolder B from being
    > deleted or moved. I'm allowing Users to create/delete/modify files
    > and folders within Subfolder B.
    >
    > Parent folder A:
    > - Inheritance off
    > - Everyone has Deny Delete on "this folder and subfolders" with "Apply
    > to objects/containers within this container only" checked.
    > - Users have Allow "Read and Execute" on "this folder, subfolders,
    > files"
    >
    > Subfolder B:
    > - Inheritance off
    > - Users have Deny Delete on "this folder only"
    > - Users have Allow "Read/Write/Execute" on "this folder only"
    > - Users have Allow Modify on "subfolders and files only"
    >
    > "Parent folder A" is included because it contains many subfolders like
    > "Subfolder B" which need this protection. I see some inefficiency in
    > this which I'll try to fix.
    >
    > When a user deletes Subfolder B, the files and folders it contains are
    > deleted, THEN the user is denied from deleting Subfolder B. How can
    > the folder AND its contents be protected from an attempt to delete the
    > folder, still allowing the user to modify the contents of the folder?
    > Thank you.


    I get the same result using the following, cleaner permissions for
    Subfolder B:
    Subfolder B:
    - Inheritance on
    - Everyone has Deny Delete on "this folder only" (inherited)
    - Users have Allow "Read and Execute" on "this folder, subfolders,
    files" (inherited)
    - Users have Allow Modify on "this folder, subfolders and files"

    Since "Deny overrides Allow", the "Deny Delete this folder only"
    overrides the "Allow Delete this folder only" given by Allow Modify.
    The inherited "Allow Read and Execute" is redundant.

    This should allow people to work within Subfolder B but not delete
    Subfolder B. Actually, I can delete Subfolder B with no problem, even
    though I have "Deny Delete" on it.

  3. #3
    cjg.groups Guest

    Re: Prevent folder move and delete in 2003 Server

    On Oct 27, 4:54 pm, "cjg.groups" <cjg.gro...@gmail.com> wrote:
    > Hello. Can NTFS permissions prevent a user from moving or deleting a
    > folder in Windows 2003 Server? Please provide any adjustments to the
    > detailed example below.
    >
    > My extensive testing has shown that:
    > When a user deletes a folder, the contents of that folder are deleted
    > first, THEN that folder's permissions are checked and obeyed. Giving
    > the user "deny Delete" permission on a folder prevents the folder from
    > being deleted AFTER its contents have been erased. A similar problem
    > happens when moving this folder.
    >
    > Here is my test setup. I'm trying to prevent Subfolder B from being
    > deleted or moved. I'm allowing Users to create/delete/modify files
    > and folders within Subfolder B.
    >
    > Parent folder A:
    > - Inheritance off
    > - Everyone has Deny Delete on "this folder and subfolders" with "Apply
    > to objects/containers within this container only" checked.
    > - Users have Allow "Read and Execute" on "this folder, subfolders,
    > files"
    >
    > Subfolder B:
    > - Inheritance off
    > - Users have Deny Delete on "this folder only"
    > - Users have Allow "Read/Write/Execute" on "this folder only"
    > - Users have Allow Modify on "subfolders and files only"
    >
    > "Parent folder A" is included because it contains many subfolders like
    > "Subfolder B" which need this protection. I see some inefficiency in
    > this which I'll try to fix.
    >
    > When a user deletes Subfolder B, the files and folders it contains are
    > deleted, THEN the user is denied from deleting Subfolder B. How can
    > the folder AND its contents be protected from an attempt to delete the
    > folder, still allowing the user to modify the contents of the folder?
    > Thank you.


    I challenge anyone to at least set this up and test it. Am I doing
    something wrong, or are Deny permissions being mostly ignored?
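
Added example, not part of the posts above: a small Python model of the NTFS rules that produce both observations in this thread. It assumes the standard behaviour that ACEs are evaluated in canonical order (explicit entries ahead of inherited ones), that a delete needs DELETE on the object or "Delete Subfolders and Files" on its parent, and that a folder must be emptied before it can be removed; the file name `report.txt`, the bit values and all function names are constructed for the illustration.

```python
# Simplified model of the NTFS access check; the bit values are constructed, not Windows constants.
DELETE, DELETE_CHILD, READ, WRITE = 1, 2, 4, 8
MODIFY = READ | WRITE | DELETE      # Modify carries DELETE but not DELETE_CHILD
GROUPS = {"Users", "Everyone"}      # the test user's group memberships

def ace(kind, who, mask, inherited=False):
    return {"kind": kind, "who": who, "mask": mask, "inherited": inherited}

def granted(acl, want):
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    # ACEs are walked in that order and the first one to decide a requested bit wins.
    for a in sorted(acl, key=lambda a: (a["inherited"], a["kind"] != "deny")):
        if a["who"] not in GROUPS:
            continue
        if a["kind"] == "deny" and a["mask"] & want:
            return False
        if a["kind"] == "allow":
            want &= ~a["mask"]
        if not want:
            return True
    return False

def can_delete(node, parent):
    # A delete succeeds with DELETE on the object or DELETE_CHILD on its parent.
    return granted(node["acl"], DELETE) or (
        parent is not None and granted(parent["acl"], DELETE_CHILD))

def recursive_delete(node, parent, log):
    # Shell-style delete: children go first because a folder must be empty.
    for child in list(node.get("children", [])):
        recursive_delete(child, node, log)
    if not node.get("children") and can_delete(node, parent):
        if parent is not None:
            parent["children"].remove(node)
        log.append("deleted " + node["name"])
    else:
        log.append("DENIED " + node["name"])
    return log

def run(b_acl):
    # Constructed tree A\B\report.txt; the file inherits Allow Modify from B.
    f = {"name": "B\\report.txt", "acl": [ace("allow", "Users", MODIFY, True)]}
    b = {"name": "B", "acl": b_acl, "children": [f]}
    a = {"name": "A", "children": [b],
         "acl": [ace("deny", "Everyone", DELETE), ace("allow", "Users", READ)]}
    return recursive_delete(b, a, [])

post1 = run([ace("deny", "Users", DELETE), ace("allow", "Users", READ | WRITE)])    # post #1 ACL on B
post2 = run([ace("deny", "Everyone", DELETE, True), ace("allow", "Users", MODIFY)])  # post #2 (redundant R&X omitted)
```

`post1` shows the file removed and then the delete of B denied; `post2` shows B itself removed, because the explicit Allow Modify is evaluated before the inherited Deny Delete. In both cases the contents are governed only by their own ACEs, so a Deny on the folder has no bearing on them.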
