INFO: DELETE Standard Access Right on a Windows NT File Securable Object (238018)

The information in this article applies to:

  • Microsoft Win32 Application Programming Interface (API), when used with:
    • the operating system: Microsoft Windows NT 4.0
    • the operating system: Microsoft Windows 2000
    • the operating system: Microsoft Windows XP

This article was previously published under Q238018

SUMMARY

The DELETE standard access right in the access control entries (ACEs) of a discretionary access control list (DACL) controls whether delete access to a Microsoft Windows NT, Microsoft Windows 2000, or Microsoft Windows XP securable object is granted or denied for a specific user. This Knowledge Base article explains how the system performs the access check when a file securable object is deleted.

MORE INFORMATION

When a user opens a file securable object for DELETE access, the object manager first checks for DELETE access in the file's own DACL. If the DELETE standard access right is present, DELETE access is granted for the object. If the DELETE standard access right cannot be granted, the object manager then checks for the delete-child-object specific access right in the parent folder. If that specific access right is present in the parent folder, DELETE access is granted for the file. Otherwise, DELETE access is denied.

For securable file objects, the corresponding delete access right in the parent folder is FILE_DELETE_CHILD. If the FILE_DELETE_CHILD access right is granted in the parent folder for a specific user, then that user can delete the contained files or sub-folders irrespective of whether their own DACL grants the DELETE standard access right through an access-allowed ACE or denies it through an access-denied ACE. Normally, the FILE_DELETE_CHILD access right should be granted only to Administrators or to the creator of the folder.

Full Control on a folder securable object includes the FILE_DELETE_CHILD access right. If the FILE_DELETE_CHILD access right is inheritable, then any sub-folders created underneath inherit this access right. By default, the root directory allows Everyone Full Control, which includes the FILE_DELETE_CHILD access right. Even though the DELETE standard access right may not be granted, or may be explicitly denied, for a sub-folder or a file, a user can still delete that sub-folder or file if the FILE_DELETE_CHILD access right is granted in the parent folder. It is recommended that the FILE_DELETE_CHILD access right be granted in a folder only to the specific users or groups who are permitted to delete the contained sub-folders or files irrespective of those objects' DACLs.
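The two-step check described above, modelled in Python as an added illustration (not Microsoft's code): the ACE layouts, SIDs and access masks are constructed, and the DACL walk is the simplified first-match evaluation (denied ACEs block, allowed ACEs accumulate, an empty DACL grants nothing). The scenario shows a file whose DACL explicitly denies DELETE to the user, which the default "Everyone: Full Control" on the parent folder still overrides.

```python
# Model of the DELETE check from KB238018: DELETE on the file's own DACL first,
# then FILE_DELETE_CHILD on the parent folder's DACL. Constructed example,
# not Microsoft code; SIDs and masks below are illustrative.
from dataclasses import dataclass

DELETE = 0x00010000             # standard access right
FILE_DELETE_CHILD = 0x00000040  # folder-specific access right (part of Full Control)

@dataclass
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str      # trustee (user or group) the ACE applies to
    mask: int     # access mask granted or denied

def dacl_grants(dacl, token_sids, requested):
    """Walk the DACL in order: skip ACEs whose SID is not in the token; a denied
    ACE covering a still-ungranted requested bit denies the whole request;
    allowed ACEs accumulate until every requested bit is granted."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if ace.mask & requested & ~granted:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False  # empty DACL, or no ACE granted all requested bits

def can_delete_file(file_dacl, parent_dacl, token_sids):
    """DELETE on the file itself wins; otherwise FILE_DELETE_CHILD on the parent."""
    if dacl_grants(file_dacl, token_sids, DELETE):
        return True
    return dacl_grants(parent_dacl, token_sids, FILE_DELETE_CHILD)

# Constructed scenario: the file denies DELETE to the user, but the parent
# still carries the default "Everyone: Full Control" (0x1F01FF includes 0x40).
USER, EVERYONE, ADMINS = "S-1-5-21-1000-1001", "S-1-1-0", "S-1-5-32-544"
TOKEN = {USER, EVERYONE}
FILE_DACL = [Ace(False, USER, DELETE), Ace(True, EVERYONE, 0x120089)]  # deny delete, allow read
OPEN_PARENT = [Ace(True, EVERYONE, 0x1F01FF)]                          # Full Control for Everyone
TIGHT_PARENT = [Ace(True, ADMINS, 0x1F01FF), Ace(True, EVERYONE, 0x1200A9)]  # read/list only

if __name__ == "__main__":
    print(can_delete_file(FILE_DACL, OPEN_PARENT, TOKEN))   # True: explicit deny is bypassed
    print(can_delete_file(FILE_DACL, TIGHT_PARENT, TOKEN))  # False: parent no longer grants it
```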

Modification Type: Major
Last Reviewed: 12/17/2003
Keywords:kbACL kbinfo kbKernBase kbSecurity KB238018