Allow users to create files but not edit and delete them

All we need is an easy explanation of the problem, so here it is.

Is it possible to allow users creating new files inside a folder but not modifying them?

I’m trying to set such permissions but the problem is that when I disable write attributes and write extended attributes, users can’t create files.

enter image description here

Users can’t create files inside this folder, but, they can modify them. I want opposite.

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

Open the Advanced Security Settings window, disable inheritance clearing all the entries, and add these:

  • Allow Administrators “Full control” on “This folder, subfolders, and files”
  • Allow SYSTEM “Full control” on “This folder, subfolders, and files”
  • Allow Authenticated Users the basic permissions “Read & execute”, “List folder contents”, “Read”, and “Write” to “This folder only”
  • Allow CREATOR OWNER “Full control” to “Subfolders and files only”
  • Allow Authenticated Users the basic permissions “Read & execute”, “List folder contents”, and “Read” to “This folder, subfolders, and files”

The magic happens in the fourth bullet, where we add permissions for CREATOR OWNER. When inherited by new files, that entry will be changed into one that applies to the creator. You can skip the final bullet if you don’t want everyone to be able to read all the files.

advanced security settings

To verify that the ACLs were entered correctly, here’s the output of icacls on the folder:

BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(RX,W)
CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)

Method 2

I removed ‘Delete’ permission from the selected user group for the “folder and all sub-folders and files”, and that gave me exactly what you asked for.

Since a modify operation is actually a copy-delete-reWrite operation, removing the delete removes both the ability to Delete files and Modify files.

I hope this easy answer will help someone.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply