SETUP: File Delete Child Directory Permission in NTFS

Last reviewed: November 6, 1997
Article ID: Q152763
The information in this article applies to:
  • Microsoft Windows NT Workstation versions 3.5, 3.51, and 4.0
  • Microsoft Windows NT Server versions 3.5, 3.51, and 4.0

SUMMARY

Windows NT supports a hidden permission called File Delete Child (FDC) on NTFS volumes. Users who have full control permission on a volume or directory also have the FDC permission. This permission allows a user to delete files at the root level of the directory where they have full control, even if they do not have any permissions on the specific file itself.

MORE INFORMATION

The FDC permission only gives the user the right to delete files at the root level of the directory in which they have full control rights; they cannot delete subdirectories or files nested within subdirectories. The FDC permission is based on the concept that if a user owns a directory, they should be able to delete files within that directory, even if they do not have specific permissions for every file.

If an administrator does not wish to grant a user the FDC permission, the administrator can use the special permissions option and grant the user every permission except full control.

This permission was created to maintain POSIX compliance. It is equivalent to the UNIX directory write permission. The behavior of this permission cannot be changed in the User Interface or through the registry.

The following example illustrates the use of the FDC permission. Listed below are the default permissions of both the root directory of drive C and the Windows NT system root directory, normally C:\Winnt.

   Everyone    Full Control ( All ) ( All )

In this case, everyone has full control of this directory, and can delete any file at the root level of either directory. If the guest account were enabled, even a guest could delete a file, regardless of any special permissions the file itself may have.

For example, suppose you add the file MyFile.txt to the root of drive C. You then set the permissions to:

     Administrators     Full Control ( All )

The Everyone group is removed. If you log on to the computer as an ordinary user, you can see the file, but not open it. You can, however, delete the file.

To Deny Delete Permission to the Everyone Group

If you wish to deny the Everyone group the right to delete files, do not remove the Everyone group from the root directory. If this is done, the System and Administrators will not have access to the system files and it may not be possible to log on when the system restarts. For more information, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q109076
   TITLE     : Removing Permissions to an NTFS Partition May Prevent
               Startup

To prevent the Everyone group from being able to delete files in the root directory, assign Read, Write, and Execute (RWX) privileges through Special Directory Access. It is also necessary to explicitly provide the system with full control. The root directory permissions should now be displayed as the following:

   Administrators    Full Control ( All )( All )
   Everyone          Special Access ( RWX )( RWX )
   SYSTEM            Full Control ( All )( All )
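
The delete decision described in this article can be modeled in a few lines. The following is an added example, not Microsoft code: it uses the Win32 access-mask values, but the ACL representation (allow entries only, group names in place of SIDs), the function names, and the sample ACLs are constructed for illustration.

```python
# Simplified model of the NTFS delete check described above (added example).
# Access-mask values are the Win32 constants; ACLs here hold allow entries only
# and use group names instead of SIDs, which is a simplification.
DELETE            = 0x00010000
FILE_READ_DATA    = 0x0001
FILE_DELETE_CHILD = 0x0040          # the "FDC" bit, meaningful on directories
FILE_ALL_ACCESS   = 0x001F01FF      # Full Control
FILE_GENERIC_RWX  = 0x00120089 | 0x00120116 | 0x001200A0   # Read | Write | Execute


def granted(acl, groups):
    """OR together the masks of every allow entry naming one of the caller's groups."""
    mask = 0
    for trustee, rights in acl:
        if trustee in groups:
            mask |= rights
    return mask


def can_open(file_acl, groups):
    return bool(granted(file_acl, groups) & FILE_READ_DATA)


def can_delete(dir_acl, file_acl, groups):
    """Delete succeeds with DELETE on the file OR FILE_DELETE_CHILD on its parent."""
    return bool(granted(file_acl, groups) & DELETE
                or granted(dir_acl, groups) & FILE_DELETE_CHILD)


def audit_fdc(dir_acl, trusted=("Administrators", "SYSTEM")):
    """Return trustees outside `trusted` whose directory entry carries the FDC bit."""
    return [t for t, rights in dir_acl if rights & FILE_DELETE_CHILD and t not in trusted]


# Constructed ACLs mirroring the article's example.
ORDINARY_USER = {"Everyone", "Users"}
MYFILE_ACL    = [("Administrators", FILE_ALL_ACCESS)]
DEFAULT_ROOT  = [("Everyone", FILE_ALL_ACCESS)]
HARDENED_ROOT = [("Administrators", FILE_ALL_ACCESS),
                 ("Everyone", FILE_GENERIC_RWX),
                 ("SYSTEM", FILE_ALL_ACCESS)]

if __name__ == "__main__":
    for name, root in (("default", DEFAULT_ROOT), ("hardened", HARDENED_ROOT)):
        print(name, "open:", can_open(MYFILE_ACL, ORDINARY_USER),
              "delete:", can_delete(root, MYFILE_ACL, ORDINARY_USER),
              "FDC held by:", audit_fdc(root))
```

The RWX mask contains neither the DELETE bit nor the FILE_DELETE_CHILD bit, which is why the Special Access entry closes the gap while still letting the Everyone group read, write, and execute in the directory.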


Additional query words: C2 Security
Keywords : ntfilesys NTSrvWkst
Version : WinNT:3.5,3.51,4.0
Platform : winnt


© 1998 Microsoft Corporation. All rights reserved.