On Thu, Oct 6, 2016 at 11:36 AM, Francoi Xavier <francoi....@gmail.com> wrote:
> I've just started learning about windows ACL and file permissions. The task
> here is to make a file/folder read-only and should get deleted/modified only
> through our client software. I've denied Write, Delete and other permissions
> for the Lookup Name Everyone which generally restricted users from changing
> the files/folders.

Don't forget to also deny FILE_DELETE_CHILD access on the directory. Otherwise a user with that right can delete files even when the DACL otherwise denies delete access.

> But the current user who also happens to be the creator/owner of the
> file/folder can delete the ACE which has been added and he can gain complete
> access rights. Is there a way to restrict this behaviour so that users
> cannot change the file access permissions?

In Vista and later (NT 6+) you can deny WRITE_DAC access to the "OWNER RIGHTS" security principal. The owner of the object won't be able to modify the permissions.

_______________________________________________
python-win32 mailing list
python-win32@python.org
https://mail.python.org/mailman/listinfo/python-win32
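
The two rules in the reply above, as an added example that is not part of the original thread: a simplified pure-Python model of how Windows evaluates a DACL, showing why a deny on the file alone does not stop deletion or owner edits. The SIDs for the user and every DACL here are constructed, and the model assumes no privileges, inheritance or integrity levels.

```python
# Simplified model of the Windows access check (assumptions: no privileges,
# no inheritance, no integrity levels). All SIDs and DACLs below are constructed.
DELETE, READ_CONTROL, WRITE_DAC = 0x10000, 0x20000, 0x40000
FILE_DELETE_CHILD, FILE_ALL_ACCESS = 0x40, 0x1F01FF
EVERYONE, OWNER_RIGHTS = "S-1-1-0", "S-1-3-4"
USER = "S-1-5-21-1-2-3-1001"  # constructed SID: the file's creator/owner


def access_check(dacl, owner, user_sids, desired):
    """dacl is an ordered list of (kind, sid, mask); True if `desired` is granted."""
    sids = set(user_sids) | {EVERYONE}
    granted = 0
    if owner in sids:
        if any(sid == OWNER_RIGHTS for _, sid, _ in dacl):
            sids.add(OWNER_RIGHTS)  # explicit ACEs replace the implicit grant
        else:
            granted = READ_CONTROL | WRITE_DAC  # implicit owner rights
    for kind, sid, mask in dacl:  # ACEs are evaluated in DACL order
        if (granted & desired) == desired:
            break  # every requested bit is already granted
        if sid not in sids:
            continue
        if kind == "deny" and (mask & desired & ~granted):
            return False
        if kind == "allow":
            granted |= mask
    return (granted & desired) == desired


def can_delete(file_dacl, dir_dacl, owner, user_sids):
    """A file can be deleted with DELETE on it OR FILE_DELETE_CHILD on its directory."""
    return (access_check(file_dacl, owner, user_sids, DELETE)
            or access_check(dir_dacl, owner, user_sids, FILE_DELETE_CHILD))


# The original poster's setup: deny Everyone on the file, user has full control.
FILE_DACL = [("deny", EVERYONE, DELETE | WRITE_DAC), ("allow", USER, FILE_ALL_ACCESS)]
# Same file with the OWNER RIGHTS deny ACE placed first.
FILE_LOCKED = [("deny", OWNER_RIGHTS, WRITE_DAC)] + FILE_DACL
DIR_WEAK = [("allow", USER, FILE_ALL_ACCESS)]
DIR_HARD = [("deny", EVERYONE, FILE_DELETE_CHILD)] + DIR_WEAK

if __name__ == "__main__":
    print("delete via weak directory:", can_delete(FILE_DACL, DIR_WEAK, USER, [USER]))
    print("delete via hardened directory:", can_delete(FILE_DACL, DIR_HARD, USER, [USER]))
    print("owner WRITE_DAC, no OWNER RIGHTS ACE:", access_check(FILE_DACL, USER, [USER], WRITE_DAC))
    print("owner WRITE_DAC, OWNER RIGHTS denied:", access_check(FILE_LOCKED, USER, [USER], WRITE_DAC))
```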