How to Redirect Deleted Files to Archive Instead of Permanent Deletion on SMB Shares?

Abdul Wakil Zamani 0 Reputation points
2025-09-23T19:50:55.4333333+00:00

We're using Windows Server with multiple SMB shares (e.g., \\Shared\IT, \\Shared\FINANCE, etc.). Users need permission to delete files for organizational purposes, but we want to prevent permanent deletion.

Is there a way to redirect deleted files to an archive or review folder (like \\Shared\_Deleted) instead of them being permanently removed?

We're already using NTFS auditing and can detect deletion events (Event ID 4660), but we’re looking for a preventative approach, not just forensic. Thanks in advance for any advice or experience!

Windows for business | Windows Server | Storage high availability | Other

2 answers

  1. Oliver Nguyen 1,400 Reputation points
    2025-09-23T21:02:44.5466667+00:00

    Hi Abdul Wakil Zamani,

    You can use FSRM (built into Windows Server) with file management tasks or scripts.

    Replace “delete” with “move to archive”. Create a scheduled file management task that:

    Detects files flagged for deletion (via a classification property, or via a special ACL trick).

    Moves them to \\Shared\_Deleted instead of purging.

    ==> SMB delete requests are hard to intercept natively — so you’d likely need a combination of permissions + scripts.

    Or you can Change Delete Permissions → Replace with Move Process

    Instead of giving “Delete” rights:

    Deny Delete and Delete Subfolders and Files NTFS permissions.

    Grant users only Modify (minus delete).

    Provide them a simple script / context menu / PowerShell shortcut (or even a file explorer extension) that moves files into \\Shared\_Deleted.

    This way, nobody can hard-delete from the live share, but they can archive files themselves. IT or managers can later purge \\Shared\_Deleted periodically.

    For most orgs, the permission + archive model is the cleanest:

    Remove “Delete” NTFS permission on the shared folders.

    Train users to move unwanted files into a special _Deleted folder instead of deleting.

    Periodically clean _Deleted (script or scheduled task).

    Optionally, enable Shadow Copies for safety net recovery.

    This way, you achieve the “no permanent delete” policy preventively, not just forensically.


  2. Abdul Wakil Zamani 0 Reputation points
    2025-10-14T16:39:02.59+00:00

    Hi Oliver Nguyen,

    That’s a solid approach, and I agree that using FSRM with a “move to archive” model is one of the cleanest preventive solutions. However, it’s important to note that in NTFS, Delete, Move, and Rename operations are all treated as the same underlying operation.

    When you deny “Delete” and “Delete Subfolders and Files” permissions, Windows also blocks the ability to move or rename files, because those actions internally require delete rights on the source object. As a result, users won’t be able to move items into the _Deleted folder themselves if those permissions are denied.

    Regarding Shift + Delete, since that bypasses the Recycle Bin entirely, it represents a legitimate insider-threat vector for intentional data removal. I am seeking a way to give users delete access so they can organize their data, but at the same time ensure that the data isn’t permanently deleted.

    Best regards, Abdul Wakil Zamani

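Added example (not code from either poster): the move-to-archive helper and the periodic purge from the first answer's permission + archive model, written in PowerShell. The function names, the 30-day retention and the timestamp prefix are assumptions; the share paths are the ones given in the question. It assumes the account running it holds Delete on the source file, handles files only, and purges on the archive stamp in the file name because a moved file keeps its original LastWriteTime.

```powershell
# Added example. Share names come from the question; the 30-day retention,
# function names and stamp format are assumptions made for illustration.
$ShareRoot   = '\\Shared\IT'
$ArchiveRoot = '\\Shared\_Deleted'
$RetainDays  = 30
$StampFormat = "yyyyMMdd'T'HHmmss'Z'"   # UTC; sorts lexicographically

function Move-ToArchive {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $item   = Get-Item -LiteralPath $Path -ErrorAction Stop
        $prefix = $ShareRoot.TrimEnd('\') + '\'
        # Accept only files that live inside the configured share.
        if ($item.PSIsContainer -or
            -not $item.FullName.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            throw "Refusing to archive '$($item.FullName)': not a file under $ShareRoot"
        }
        # Recreate the file's relative folder under the archive root.
        $relative = $item.FullName.Substring($prefix.Length)
        $destDir  = [IO.Path]::GetDirectoryName([IO.Path]::Combine($ArchiveRoot, $relative))
        # Prefix the name with the archive time: avoids name collisions and
        # records when the file was archived.
        $stamp = (Get-Date).ToUniversalTime().ToString($StampFormat)
        $dest  = Join-Path $destDir "$stamp-$($item.Name)"
        New-Item -ItemType Directory -Path $destDir -Force | Out-Null
        Move-Item -LiteralPath $item.FullName -Destination $dest
        $dest   # return the archive path for logging
    }
}

function Remove-ExpiredArchive {
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$Days = $RetainDays)
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString($StampFormat)
    Get-ChildItem -LiteralPath $ArchiveRoot -Recurse -File |
        Where-Object {
            # Purge on the stamp in the name; files without a stamp are left alone.
            ($_.Name -match '^(\d{8}T\d{6}Z)-') -and
            ([string]::CompareOrdinal($Matches[1], $cutoff) -lt 0)
        } |
        Remove-Item -Force
}
```

Both functions accept `-WhatIf`, which previews the move or the purge without changing anything.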
