This is very strange.
subinacl /file [your directory name] /deny="domain users"=D
should do the trick, and indeed, after that using Explorer, it shows that
"domain users" is denied the delete right.
I made folder d:\temp\test
Under test I made some files and subdirs.
After the above command I should not have been able to execute:
rd d:\temp\test /s /q
However, it worked. The folder was gone.
This will take more looking into.
The subinacl command above gave the following output:
D:\Temp\test : new ace for xxz\domain users
D:\Temp\test : new ace for xxz\domain users
D:\Temp\test : 2 change(s)
Using subinacl to dump the dacl shows:
pace =xx\domain users ACCESS_DENIED_ACE_TYPE-0x1
INHERIT_ONLY_ACE-0x8 OBJECT_INHERIT_ACE-0x1
Directory - File Type of Access:
Special acccess : -Delete
Detailed Access Flags :
DELETE-0x10000
pace =xx\domain users ACCESS_DENIED_ACE_TYPE-0x1
CONTAINER_INHERIT_ACE-0x2
Directory - Directory Type of Access:
Special acccess : -Delete
Detailed Access Flags :
DELETE-0x10000
Note that the inherit ACE exists.
I don't see that there is any way in subinacl to avoid writing the inherit ace.
The only thing that I can think of is to run a second command that revokes the
domain users deny access on all subdirectories.
I still cannot figure out how I was able to delete the folder.
It might have something to do with this:
http://support.microsoft.com/kb/296865
I'm using: SubInAcl version 5.2.3790.1180
on XP SP3
You should be able to do what you want with xcacls, but I don't have time any
more to experiment.
Good luck
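
One mechanism consistent with the result reported above, as an added example that is not part of the original post: NTFS also permits a delete when the parent folder grants FILE_DELETE_CHILD ("Delete subfolders and files"), and a deny on DELETE alone does not touch that right. The Python model below is a simplification of the access check, and the Full Control grant on d:\temp is an assumption about the poster's setup.

```python
# Simplified model of the NTFS delete decision; not a full AccessCheck.
DELETE, FILE_DELETE_CHILD, FULL_CONTROL = 0x10000, 0x40, 0x1F01FF  # access masks
OI, CI, IO = 0x1, 0x2, 0x8  # OBJECT_INHERIT, CONTAINER_INHERIT, INHERIT_ONLY

def granted(dacl, sid, wanted):
    """Walk ACEs in order; INHERIT_ONLY ACEs never apply to the object itself."""
    for kind, ace_sid, flags, mask in dacl:
        if ace_sid != sid or flags & IO:
            continue
        if kind == "deny" and mask & wanted:
            return False
        if kind == "allow":
            wanted &= ~mask
            if not wanted:
                return True
    return False

def inherit(dacl, is_dir):
    """DACL a new child receives from its parent's inheritable ACEs."""
    child = []
    for kind, sid, flags, mask in dacl:
        if is_dir and flags & CI:
            child.append((kind, sid, flags & ~IO, mask))
        elif is_dir and flags & OI:
            child.append((kind, sid, flags | IO, mask))  # held for files below
        elif not is_dir and flags & OI:
            child.append((kind, sid, 0, mask))
    return child

def can_delete(obj_dacl, parent_dacl, sid):
    """Delete succeeds with DELETE on the object OR FILE_DELETE_CHILD on its parent."""
    return granted(obj_dacl, sid, DELETE) or granted(parent_dacl, sid, FILE_DELETE_CHILD)

U = "domain users"
# Constructed assumption: d:\temp grants the group Full Control, inherited downward.
TEMP = [("allow", U, OI | CI, FULL_CONTROL)]
# The two deny ACEs from the dump, followed by the ACE inherited from d:\temp.
TEST = [("deny", U, IO | OI, DELETE), ("deny", U, CI, DELETE)] + inherit(TEMP, True)
FILE = inherit(TEST, False)  # a file inside test
# Constructed variant: the same folder with FILE_DELETE_CHILD denied as well.
TEST_HARD = [("deny", U, OI | CI, DELETE | FILE_DELETE_CHILD)] + inherit(TEMP, True)
FILE_HARD = inherit(TEST_HARD, False)

if __name__ == "__main__":
    print("DELETE granted on test itself:", granted(TEST, U, DELETE))
    print("test can be deleted:", can_delete(TEST, TEMP, U))
    print("file in test can be deleted:", can_delete(FILE, TEST, U))
    print("file can be deleted, hardened:", can_delete(FILE_HARD, TEST_HARD, U))
```

In this model the deny ACEs block DELETE on test and on its files, yet both can still be removed through FILE_DELETE_CHILD on the respective parent; only the variant that also denies FILE_DELETE_CHILD stops the file delete.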