NTFS Limitations – Mind Blown!

20 Years and I never Knew.
I was asked today to allow users to Edit files in a folder, but not be able to delete them.
Windows NTFS doesn’t really support this. !?!?!?!
You can remove the Delete options in Advanced – but that takes away Modify – so users can’t edit the file.
You can add a secondary Deny with only Delete options selected and it gets weird.
They can create a file or folder, but not name that file or folder, so “New Folder” or “New Text File” remains. To work around that, use Notepad to save an empty file with the right name – but that throws an error about permissions and creates the empty file. Then they can open the file and edit it, saving as the same name. Which is kind of wonky. Save As? Nope. Creates an empty file with the name chosen and throws a permission error. But they can open the new file and edit that.
Mind = Blown.
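The setup described above (Modify allowed, an explicit Deny on Delete and Delete Subfolders and Files), scripted so it can be applied and checked consistently. This is an added example, not code from the original post; the folder path and the group name are placeholders. The Deny covers both rights because "Delete Subfolders and Files" on the parent folder is enough to delete a child on its own, regardless of the child's own ACL. The same Deny is what blocks renaming, since a rename needs Delete on the file, and editors that save by writing a temporary file and renaming it over the original will fail for the same reason.

```powershell
# Added example (not from the original post). Placeholders: the share path and the group.
$Folder = 'D:\Shares\Editable'
$Group  = 'CONTOSO\Editors'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl = Get-Acl -Path $Folder

# Apply the entries to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# 1. Allow Modify. This is what grants editing, and it also carries Delete.
$allowModify = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    $inherit, $propagate,
    [System.Security.AccessControl.AccessControlType]::Allow)

# 2. Deny Delete and Delete Subfolders and Files. Deny entries are evaluated before
#    Allow entries, so this removes the delete portion of Modify. DeleteSubdirectoriesAndFiles
#    (FILE_DELETE_CHILD) on the parent would otherwise still permit deleting children.
#    Side effect: renaming also needs Delete on the file, so renames are blocked too.
$denyDelete = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Group,
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    $inherit, $propagate,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl.AddAccessRule($allowModify)
$acl.AddAccessRule($denyDelete)
Set-Acl -Path $Folder -AclObject $acl

# Check: the group should show one Deny entry (Delete, DeleteSubdirectoriesAndFiles)
# listed ahead of the Allow Modify entry, and no Full Control (which would allow Take Ownership).
(Get-Acl -Path $Folder).Access |
    Where-Object { $_.IdentityReference -eq $Group } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize

# Equivalent with icacls, if you prefer the command line:
#   icacls D:\Shares\Editable /grant "CONTOSO\Editors:(OI)(CI)M"
#   icacls D:\Shares\Editable /deny  "CONTOSO\Editors:(OI)(CI)(D,DC)"
```

To confirm the effective result, log on as a member of the group and try the three operations in turn: editing an existing file in place should succeed, deleting it should fail with access denied, and renaming it (or creating "New Text Document.txt" and renaming that) should fail with the same error.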

My conversation with ChatGPT on the subject, before I tested:
It appears as though we cannot set permissions that allow users to edit shared Windows files but not delete them or take ownership (to delete them).

ChatGPT said:

You’re correct—NTFS permissions don’t provide a built-in way to allow users to edit a file but not delete it. The reason is that the Modify permission, which allows editing, also includes the Delete permission. However, there are workarounds to achieve this goal:

Workaround: Explicitly Deny Delete Permissions

  1. Set Permissions on the Parent Folder
    • Grant users Modify or Write permissions on the folder.
    • Ensure they have Create Files / Write Data and Create Folders / Append Data.
  2. Remove Delete Permission on Files
    • Open Advanced Security Settings for the folder.
    • Add an explicit Deny entry for Delete and Delete Subfolders and Files on the file level for the user or group.
  3. Prevent Users from Taking Ownership
    • Ensure they do not have Full Control, as that allows them to take ownership.

Steps to Apply This in Windows

  1. Right-click the folder → Properties → Security tab → Advanced.
  2. Select the user or group, then click Edit.
  3. Click Show advanced permissions, then:
    • Allow:
      • Write (needed to modify files).
      • Read & Execute.
    • Deny:
      • Delete.
      • Delete Subfolders and Files.

Limitations & Considerations

Users might still be able to rename a file, which effectively allows “deleting” by replacing it.

If a user opens a file in an editor that requires saving a new copy (instead of modifying in place), the save will fail since they can’t delete the original.

Some applications might require Delete permission to overwrite a file, even if the file remains.

Okay. That kind of works. But while it allows editing of existing files, it also allows creating files, and they can’t change the name, so it is forever “New Folder” or “New Text Document”.

ChatGPT said:

Yes, that’s a known side effect of denying the Delete permission—it also prevents renaming files because renaming requires the ability to delete and recreate the file with a new name.

Issue: This still prevents renaming files since renaming = deleting + recreating.