How to disable entire delete function in Windows for users?

Cerulean

Greetings,

We have a full VDI environment. Is there a way to disable the delete function altogether? In other words, we don't want users to be able to delete their own files or folders.
 
It would be difficult --

When you change a file, the changes are usually stored in a temporary file. When you save, the original is deleted and the temporary file is copied to the original file location. Preventing them from deleting could inadvertently prevent them from modifying their data?
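
The save pattern described in the post above can be reproduced in a scratch folder. This PowerShell sketch is an added example, not something posted in the thread: it denies the Delete and Delete Child rights on a test folder and then tries an in-place overwrite and a temp-file replace. The folder name, file names and the use of the current account are assumptions made for the demo.

```powershell
# Added illustration; folder and file names are constructed for this demo.
$dir = Join-Path $env:TEMP 'nodelete-demo'
$doc = Join-Path $dir 'report.txt'
$tmp = Join-Path $dir 'report.tmp'
$me  = "$env:USERDOMAIN\$env:USERNAME"   # assumption: test against the current account

New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path $doc -Value 'version 1'

# Deny Delete (DE) and Delete Child (DC) on the folder, inherited by
# files (OI) and subfolders (CI) beneath it.
icacls $dir /deny "${me}:(OI)(CI)(DE,DC)" | Out-Null

# Style 1: overwrite the existing file in place.
try {
    Set-Content -Path $doc -Value 'version 2' -ErrorAction Stop
    $inPlace = 'ok'
} catch { $inPlace = "failed: $($_.Exception.Message)" }

# Style 2: write a temp file, delete the original, move the temp file into place.
try {
    Set-Content -Path $tmp -Value 'version 3' -ErrorAction Stop
    Remove-Item -Path $doc -ErrorAction Stop      # the step the deny entry targets
    Move-Item -Path $tmp -Destination $doc -ErrorAction Stop
    $replace = 'ok'
} catch { $replace = "failed: $($_.Exception.Message)" }

# Report what happened to each save style and what is left on disk.
[pscustomobject]@{
    InPlaceOverwrite = $inPlace
    TempFileReplace  = $replace
    OrphanedTempFile = Test-Path $tmp
    DocumentContent  = Get-Content $doc
}

# Cleanup: lift the deny entry first, otherwise the demo folder cannot be removed.
icacls $dir /remove:d $me | Out-Null
Remove-Item -Path $dir -Recurse -Force
```

Run it only against a scratch folder; the leftover temp file in the report is the kind of clutter that accumulates when applications cannot clean up after themselves.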
 
I think the best way to go would be the "Previous Versions" shadow copy function.
 
This seems like a pretty bad idea. You would probably have to do this at the file permission level. The entire basis of a user account is founded around the idea of object ownership. You could set it up so they only have modify and not delete access. But what exactly are you trying to accomplish with this?

Regardless of what you do, this will likely cause lots and lots of headaches, as it is completely non-standard and not a best practice.
 
Like Demon10000 and Krazypoloc have said, I think it would cause problems too. I don't think Windows was designed in such a way to be intelligent enough for a user to continue operating normally without having delete capability due to some of the background/hidden/temp things that occur. ;o

Just posted this thread just so I could have something to bring to the table for co-workers. :|
 
> You could set it up so they only have modify and not delete access

Delete isn't an NTFS permission. Modify is a combination of rights that would allow you to delete the file. You can't modify a file without the ability to delete it.

> I think the best way to go would be the "Previous Versions" shadow copy function.

Other than allowing the user to restore their files, this would serve no purpose. It's not always a good idea to make this available on shared data, either. Imagine a database file on a shared network location and one user discovers they can roll it back using previous versions. Now any time he wants to roll his changes back, he just uses previous versions. This ends up removing everyone's changes (not just his) and possibly corrupting the database.

There is no effective way to remove a user's ability to delete data without removing their ability to modify data, which then prevents them from creating data. So I guess you could just take away their ability to create data and you wouldn't have to worry about it getting deleted! :)
 