-
제목
Is it possible to Deny ability to delete a file or folder using SXPGrant.exe? -
설명
The Security Explorer command line function allows an Administrator to pass permission types, including 'Deny' to a scope of NTFS storage. Is it possible to 'Deny' the right to delete a file or folder to a group or an individual user?
-
원인
It is not possible to use SXPGrant.exe to 'Deny' a user the permission to delete a file or folder. If a user has 'Modify' permissions, they can open the file, erase the contents and save the file, thereby destroying the file for all practical purposes.
For SXPGrant.exe, File and Folder permissions are limited to 'root' or 'basic' permissions in NTFS. The same permissions found when the user right clicks on a file or folder and selects the Security tab. These Permission Types are:
Full control
Modify
Read and execute
List folder contents
Read
Write'Deny' is a Special or Advanced permission.
-
해결 방안
Use SXPGrant.exe to Deny the Permission to 'Modify'.
For example, the following command would Deny user JSmith the permission to Modify any files or folders or subfolders in D:\Engineering:
- SXPGrant.exe /deny modify /scope 2 DomainName\JSmith D:\Engineering
The Permission type being passed and the scope of the permission are controlled using arguments in the command line.
Please reference the Security Explorer documentation.