Hey everyone! I'm looking to set up permissions for my movie library using the icacls command. I want to deny delete access for all users (Everyone) but still maintain the ability to delete everything except the actual movie files. I'm new to using icacls, so I'm hoping to get some guidance on how to apply these permissions properly. Here's what I've been trying:
For folders:
```powershell
$p = path/folder name
icacls "$p" /reset /c /t /q
icacls "$p" /deny "Everyone:(CI)(OI)D" /c /t /q
```
And for the files:
```powershell
$f = file name
icacls "$f" /reset /c /t /q
icacls "$f" /deny "Everyone:D" /c /t /q
```
The issue is that when I set these permissions, I lose access to everything under the folder unless I'm the owner. What am I doing wrong here? I want the folder and its contents to be accessible, but deny deletion for certain files. Any tips or corrections would be much appreciated! Thanks!
2 Answers
It sounds like you've set the permissions in a way that's preventing access altogether when you apply that `DENY DELETE` setting at the folder level. This setting propagates down and blocks not just deletion, but access to any subfolders and files as well. My suggestion is to first deny delete permissions only for the files, not the folders. After that, you can set permissions on the folders separately. This should allow you to navigate through the folders while protecting the files from being deleted. I've got a PowerShell script that follows this approach; I can dig it up if you're interested!
Be careful with the `/reset` option—it's resetting all your permissions. If you set `DENY DELETE` for "Everyone" on the folder and your account is included, that also means you won’t have delete rights. It seems like you're trying to keep certain file types while clearing out the rest, right? Instead of using deny permissions, you might just want to make everything read-only for everyone except admins. That could simplify things!
Yes, that's the idea! I want to keep certain file types and remove everything else without having to sift through 1,000+ folders. I'm definitely considering your suggestion for read-only permissions. Thanks!
That makes sense! I'd really appreciate seeing that script when you find it. In the meantime, I’ll try rearranging my commands and make sure I set permissions on the folders first.