Microsoft KB Archive/238018

{|
 * width="100%"|

INFO: DELETE Standard Access Right on a Windows NT File Securable Object

 * }

Q238018

-

The information in this article applies to:


 * Microsoft Win32 Application Programming Interface (API), included with:
 * Microsoft Windows NT Server version 4.0
 * Microsoft Windows NT Workstation version 4.0

-

SUMMARY
DELETE standard access right in access control entries (ACEs) of a discretionary access control list (DACL) control whether delete access of a Windows NT securable object can be granted or denied for a specific user. This knowledge base article explains how the system performs the access check when deleting a Windows NT file securable object.

MORE INFORMATION
When a user opens a Windows NT file securable object for DELETE access, the object manager first checks for DELETE access in the file. If the DELETE standard access right is present, the DELETE access is granted for the object. If the DELETE standard access right cannot be granted, the object manager then checks for delete child object specific access right in the parent folder. If the delete child object specific access right is present, the DELETE access is granted for the file. Otherwise, the DELETE access is denied.

For Windows NT securable file objects, the corresponding delete access in the parent folder is FILE_DELETE_CHILD. If FILE_DELETE_CHILD access right is granted in the parent folder for a specific user, then the user can delete the contained files or sub-folders irrespective of whether its corresponding DACL grants DELETE standard access right through access allowed ACE or denies through access denied ACE. Normally, the FILE_DELETE_CHILD access right should be granted only to Administrators or the creator of the folder.

Full Control on a folder Windows NT securable object includes FILE_DELETE_CHILD access right. If FILE_DELETE_CHILD access right is inheritable, then any sub-folders created underneath will have this access right inherited. By default, the root directory allows Everyone Full Control which includes FILE_DELETE_CHILD access right. Even though DELETE standard access right may not be granted or may be denied for a sub-folder or a file, a user can delete the sub-folder or file if FILE_DELETE_CHILD access right is granted in the parent folder. It is recommended that FILE_DELETE_CHILD access right should be granted in a folder only to specific users or groups who can delete the contained sub-folders or files irrespective of its DACL.

Additional query words:

Keywords : kbAccCtrl kbKernBase kbOSWinNT400 kbSecurity kbDSupport kbGrpDSKernBase

Issue type : kbinfo

Technology : kbAudDeveloper kbWin32sSearch kbWin32API