Transfer Files Between Users

0

Situation:

  • Two user accounts, userA and userB
  • Both accounts are on the same physical machine
  • Need to move files from userA to userB
  • Files can't be exposed (to the internet/other users, so can't use the Public directory)
  • No admin access
  • Preferably scriptable and with Windows builtins

I've tried:

  • Mixture of copy and runas - either have permissions to get, or put, but never both
  • Sharing a folder - requires admin credentials

This seems like a trivial problem, but searching mostly comes up with transferring between different computers or admin access is required for the method of transfer

phflack

Posted 2017-12-15T15:59:29.343

Reputation: 103

Have you tried making a folder on the local drive, outside of the protected user folders (C: drive most likely)? This keeps it on the local computer, without access to non-users. Moving the files means that the files haven't changed physical location on the HD (most likely) so there should be no need to worry about leaving unsecure traces on the drive, unless you are moving them across multiple HDs. – computercarguy – 2017-12-15T16:10:28.680

@computercarguy I can create a temp folder and move files to it, but it has public permissions, is there a way to limit it to only userA and userB? – phflack – 2017-12-15T16:16:18.610

Can it go to the internet if not in a unsecured/public place? If so, Dropbox or GoogleDrive could be used and just share rights to that file with the one other user who is supposed to get the file. Or use an SFTP site with login credentials that only the two users know. – techturtle – 2017-12-15T16:17:04.153

@techturtle It is a physical desktop that can't move, and userA and userB are the same person. And along with can't use the internet (doubt I could get it approved), it would likely be terribly slow for the amount of data that will need to be transferred – phflack – 2017-12-15T16:19:42.713

2If you right click on the folder, there's a Security tab. This will allow you to change the Permissions to only the two users you want it to have access. BTW, "public" access doesn't mean that other computers have access to it, just other users on the same machine. – computercarguy – 2017-12-15T16:28:46.427

@techturtle, IDK about GoogleDrive, but DropBox isn't really that secure. There are known vulnerabilities, so that's not really a good option if things need to be really secure. – computercarguy – 2017-12-15T16:30:06.423

@computercarguy Other computers would not be able to access it, but userC on the same computer would. I also was looking through security, but that only appears to give users access. I can't find a way to deny everybody else access. Do you know of a command that could change the permissions? – phflack – 2017-12-15T16:31:57.920

You can include the Users group and set it to "Deny". – computercarguy – 2017-12-15T16:34:36.437

Also note that the file transfer is once... a couple thousand times. So once per user, but happening on many machines – phflack – 2017-12-15T16:34:37.847

@computercarguy When I selected it, it made it look as if that would also deny userA and userB – phflack – 2017-12-15T16:35:09.800

Specifically adding your users will override the User group's "Deny" attribute. – computercarguy – 2017-12-15T16:35:47.230

1@computercarguy "You are setting a deny permissions entry. Deny entries take precendence over allow entries. This means that if a user is a member of two groups, one that is allowed a permission and another that is denied the same permission, the user is denied that permission." - Tried it, I got locked out of my test file, they mean what they said – phflack – 2017-12-15T16:43:05.230

Let us continue this discussion in chat.

– computercarguy – 2017-12-15T16:46:10.167

Answers

2

Consolidating comments and discussion into an Answer:

You can have a folder on the local machine outside of the User folders, such as the C: drive root directory, that both users have access to.

There is a Security tab on the folder (right click the folder and go to Properties) that will allow you to set permissions on the folder, allowing only the users you want to have access. Remove all Users and Groups from the list, then add in only the Users you want to have access, with the "Allow" option(s) set. All other Users will be denied by default.

To do this automatically from a CLI, you can try using VBScript. The first link below shows how it can be done and the 2nd link shows a slightly different way, but with more explanation on what options are available.

https://social.technet.microsoft.com/Forums/windows/en-US/ac1bb931-c641-4784-b5f0-3fa77a9a984b/add-permissions-to-a-ntfs-folder-using-vbscript?forum=itproxpsp

https://www.symantec.com/connect/downloads/vbscript-grant-permission

I'm including the code snippet from the 2nd link here:

Dim oShell, FoldPerm, Calcds, oFSO

Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oShell = CreateObject("WScript.Shell")

sSysDir = oFSO.GetSpecialFolder(1).Path
If Right(sSysDir,1) <> "\" Then sSysDir = sSysDir & "\"

Calcds = sSysDir & "cacls.exe" 

'Chang The folder Name, User and Access rights in the following line of code  

FoldPerm = """" & Calcds &"""" & """C:\MyFolder""" & " /E /T /C /G " & """Power Users""" & ":C" 

oShell.Run FoldPerm, 1 ,True

I don't have a way to test this right now, but I'm assuming something listed separately on the Microsoft and Symantec sites, with good reviews on each post, would be at least a good direction to follow.

computercarguy

Posted 2017-12-15T15:59:29.343

Reputation: 800

(1) You may need to remove “inheritable permissions from this object’s parent” as discussed here.  (2) I believe you can do most of this from CMD (i.e., batch files) with the icacls command.  But I’ve never learned how; it looks complicated, and the VBScript solution might be easier.  (Or PowerShell.)

– G-Man Says 'Reinstate Monica' – 2017-12-15T18:48:54.310

0

"No admin access" So I assume you can log in as each of the user's though?

Assuming so:

  1. Log in As User A
  2. Right-click on the folder you want to share access to.
  3. Select the Security tab
  4. Click Add
  5. Type User B's name in and click find to make sure it is matched(make sure you have the local computer selected if in a domain)
  6. Click OK
  7. Set permissions on the user to "FULL"
  8. Click OK
  9. Repeat Steps 1 to 8 logging in as User B and adding User A

By doing the above the users will be able to transfer files between their folders of their own accord.

You can then have either user login and run a script that does a copy of the files directly from one folder to the other.

A simple way to script copy of the folder so that the contents in sync would be as follows (Note, depending on the windows version, the Option "/DCopy:DAT" may need to be changed to "/DCOPY:T" or removed entirely):

REM Copy User A to User B:
  Robocopy "C:\Users\UserA\Documents\Folder" "C:\Users\UserB\Documents\Folder" * /S /E /ZB /NP /IT /XJ /DCopy:DAT 

REM Copy User B to User A:
  Robocopy "C:\Users\UserB\Documents\Folder" "C:\Users\UserA\Documents\Folder" * /S /E /ZB /NP /IT /XJ /DCopy:DAT

You can save the above in a text file named something appropriate such as "SyncUserAandB.cmd"

(Note When you save the file, you will need to select format "ALL" in the type drop-down, or notepad will add a ".txt" to the file which will be hidden when you look at it in explorer unless you turn off "hide file extensions for known types")

Then the user may run the file, or you can create a windows scheduled task as either user which will run the file at the interval of your choosing.

Ben Personick

Posted 2017-12-15T15:59:29.343

Reputation: 201

Asked: 2017-12-15T15:59:29.343

Viewed: 86 times

Active: 2017-12-15T18:05:01.327