GP Software • Twitter
Opus FAQs • Manual • Commands • Objects

Lock On/Off (protect items from deletion)



These are two usercommands, to lock/unlock filesystem items (protect/unprotect from accidental deletes).


  • you need to be allowed to alter file and folder permissions of course
  • works on NTFS drives/locations only

The locking is done by adding deny-delete permissions for to all selected items recursively - holding also sets the readonly attribute.
If you like to lock individual items in a folder, you need to lock the folder as well. After that, indiviual files can be locked/unlocked.
(This is because denial of delete permissions only apply if both, the actual item and its parent, share the same deny-delete-permission.)

<?xml version="1.0"?>
<button backcol="none" display="icon" textcol="none">
	<user_label>Enable delete/rename protection</user_label>
	<function type="normal">
		<instruction>@nodeselect </instruction>
		<instruction />
		<instruction>//deny delete and folder delete permission for [everyone] recursivly</instruction>
		<instruction>ICacls.exe {filepath$|noterm} /deny *S-1-1-0:(DE,DC) /T /C /Q</instruction>
		<instruction />
		<instruction>//deny delete and folder delete permission for [everyone] recursivly, by using inheritance</instruction>
		<instruction>//ICacls.exe {filepath$|noterm} /deny *S-1-1-0:(OI)(CI)(DE,DC) /T /C /Q</instruction>
		<instruction />
		<instruction>@runbatch </instruction>
		<instruction>SetAttr RECURSE SETATTR r FILE={filepath$|noterm} </instruction>

The unlocking is done by removing all deny permissions for to all selected items recursively.
File readonly attributes will be cleared if set.

<?xml version="1.0"?>
<button backcol="none" display="icon" textcol="none">
	<user_label>Disable delete/rename protection</user_label>
	<function type="normal">
		<instruction>@nodeselect </instruction>
		<instruction />
		<instruction>//remove all defined deny permissions of everyone recursivly</instruction>
		<instruction>ICacls.exe {filepath$|noterm} /remove:d *S-1-1-0 /T /C </instruction>
		<instruction />
		<instruction>@runbatch </instruction>
		<instruction>SetAttr RECURSE CLEARATTR r FILE={filepath$|noterm} </instruction>

You'll run into situations where you try to make changes to items and notice you cannot because of the lock.
I recommend to add a menu to the "all files and folders" filetype to quickly toggle the protection from anywhere
without changing directory or loosing a current selection.

After using "LockOn", files still can be edited and changed by you and any application, which is handy for applications which maintain tags in files e.g.
As mentioned, this is just to prevent any accidental deletes in the filesystem without notice. If you set DO to delete to the recycle-bin without confirmation e.g., it will not warn you about files being deleted which are "read only", but in case you locked your files with this, there is no chance of deleting anything anymore without a proper "access denied" popup.

Any hints on how to improve these are appreciated! o)

Read-only files get deleted to recycle bin without prompt
Folder ATTR (HR) can be Del from a Path Breadcrumbs field
How to force confirmation on every "move" file operation?

Nice button & write-up!

It might be worth noting that some programs update files by deleting/renaming the old file and writing/renaming a new file in its place, which may fail if the old file denies delete permission. Depending on the way the old file is replaced, it may not be possible to edit/replace it at all, or you may be left with a renamed version of the old file which cannot be deleted and a replacement version of the file which now can be deleted.


Great idea, very useful.


Hmm, it seems, that it doesn't always work like expected. I tried to secure a large directory with photos, but some of the items remain unprotected. If i apply it to the main folder first, is it supposed to work for all items, including files & all subfolders? Strangely, many folders were protected, others were not.

Another suggestion, if this is possible: the script could maybe show some notification, when all items were processed. Especially with a really large number of files.


If you lock the main folder, all subfolders should be locked as well. If you can (security-wise) run "icacls.exe " on one of your problem-folders and paste the results here, that should help us to reveal what's wrong.


This is what i get:

                 NT-AUTORITĂ„T\Authentifizierte Benutzer:(I)(M)
                 NT-AUTORITĂ„T\Authentifizierte Benutzer:(I)(OI)(CI)(IO)(M)


Mhh, there's an entry missing at the top, so it is indeed not locked currently.

If you lock that folder directy, does it make a difference, is it locked then? Maybe run the command to lock the folder in a CMD prompt and watch out for errors. I'm curious to why it would not work for you, it worked for me and others flawlessly for quite some time.
ICacls.exe /deny *S-1-1-0:(DE,DC) /T /C /Q


[quote="tbone"]Mhh, there's an entry missing at the top, so it is indeed not locked currently.

I've run your code below, & indeed i have that entry now, Everyone:(DENY)(D,DC). But nevertheless i was able to delete an image in one of the subfolders. So, to avoid any misunderstanding, i have applied that command using cmd on the main folder, which contains hundreds of subfolders, which again contain a lot more folders each. Not sure, what is happening.

There is some error message, saying "1 file successfully processed, an error occured with 0 files" (translated). Maybe that's a hint?

[quote]I'm curious to why it would not work for you, it worked for me and others flawlessly for quite some time.
ICacls.exe /deny *S-1-1-0:(DE,DC) /T /C /Q[/quote]

I have to test it with other folders. I once had troubles with some folders, where i played around with permissions. Although i think, it was on another drive.


Some more info: as i just checked with the NTFS Permissions Tool, all entries have the green tag, indicating the "allowed" state for the current user, after i ran the LockOn command.


I don't think so. ICalc.exe seems to always show that "an error occured with.." message, but as long as the counter is "0" things should be fine. Maybe try this MSDOS Batch button seperatly, it runs icalc.exe without the /Q quiet-switch which gives some more details on the items it's acting on.

//deny delete and folder delete permission for [everyone] recursivly
ICacls.exe {filepath$|noterm} /deny *S-1-1-0:(DE,DC) /T /C 

Wondered what this "NTFS Permission Tool" (NPT) is, so I tried! o)
NPT shows green/allowed for the locked files and folders here as well, but that's quite ok, since you can read and write, you just can't delete items anymore in Locked state. Don't know what to think of NPT yet, these "allow, deny, read-only" buttons do not work here as expected This is how the security settings look for a locked folder in NPT for me. For files it's the same, just without the "delete files and subfolders" entry, since it's not a folder.


Once i screwed up some folder, when i tried to achieve the goal that your script is intended for, protecting important files from accidental deletion, by playing around with the permissions in Windows itself. So that tool helped me to get rid of those completely messed up settings, finally, after things went wrong. I knew, that it was risky, so i'm only talking about certain folders i was experimenting with, for which i had backups, just in case. After that experience i didn't try again, until i found your lock on/off scripts.


Hmmm this was working for me... now it isn't ...
D:\New Test Everyone:(OI)(CI)(DENY)(D,DC)
Seems like everything is correct permissions, is there something else in the OS that can override this... Sharing permissions are secondary to Security permissions right... ?

So I see that this is working in windows explorer but not in Opus, must be some setting, the permissions alert pops up in explorer, but nothing in Opus, just deletes the folder... don't know what the story is...

To aid visibility of this...
properties SETCOLOR= Red // for when locked (You need to make a red folder label in settings.)
properties SETCOLOR = !reset // when back to normal

Needed to insert the @admin modifier into the functions and also think I forgot to swich one of them to MSdos batch function.
So needed to test with @leavedoswindowopen to see what was happening. I also restarted my machine and the permissions seem to be working in Opus...


I know this is an old and dead horse but sorry, I came after the party. What is the final word on that topic and how to make it work?


It still works, for me at least! o)
Important thing to remember (as is explained in the root post), to lock/unlock single items, the parent folder must have been locked as well. If you lock a folder, all the files within will be locked automatically.


I am not sure what the actual formula is after all that was discussed in the topic; I am entirely new to this... the button described further in the thread works for me but I don't know how to create its opposite, the unlock button.
Also... I just realized this won't work on a NAS :slight_smile:


You just need to copy the most upper two code snippets into clipboard and while DO is in customize mode, paste each snippet onto any toolbar. The buttons should appear and after quiting customize mode, they should be functional as is. The code further down this thread was more or less problem analysis for @abr, the initial code for these two buttons never changed and is what I use up to now.

It might work fine on a NAS, did you try? There are NAS' out there using NTFS, but I'm really not sure whether NTFS also means support for this access control list (ACL) thing or whether it's tied to windows operating system somehow.


Both code snippets lack the first line

<?xml version="1.0"?>

which makes pasting them a bit difficult :wink:

(That's fixed now. --Leo)


Ah now I managed to paste... I can confirm that these button do exactly what they are supposed to do as long as it's about files on the pc's direct hd's. However, on a Synology DS216SE localized on the local network, it doesn't work.


I have not read it in depth but this says Synology support ACL permissions in DSM 5.0:

I don't know if they respect the same APIs that Windows/ICacls.exe use or if you have to change permissions via the device's own software.

I also don't know if DSM will understand the "well-known SIDs" -- like S-1-1-0 meaning "Everyone" -- which the commands in the root post use, or if it only works with individual user names.