FTP server on Windows 2003

I'm sure I already add user in logon locally.

For Dave Dietz : I try your solution. Now the user the FTP to the server already login their home directory like the test1 in your solution but user test1 can up to root and browse in to folder test2. I'm not sure why he can.  In folder test2 user test1 don't have any permission in it.  I don't understand.

Did you create the FTP site using  Non-AD User Isolation?

If not this behavior is expected (though not preferred).  You will need to select user isolation when creating the site then set up the directory structure as shown above.

Dave Dietz

I tried to setup FTP by used Isolation Users and setup the directiory structure as shown above but when I connect to the server.  It's always showed this error :

530 User test1 cannot log in, home directory inaccessible.
Login failed.

It's the same structure that I setup by Non Isolation Users but Non Isolation Users is work.

Kongsit

Hey Dave.  Good answer, clearer than the IIS doc.  

What do you do if you want both user A and user B to access the same directory under local users.  Running Non-AD User Isolation, I can't figure out how to do it.

When using Non-AD User Isolation you can't have different users sharing a home folder.

(User Isolation isolates users....)

The only real way to do this would be to set a virtual directory under each persons' home directory that points to a common location.  Once they log in they could traverse the virtual directory to the common location to share files with others.

Dave Dietz

Thanks!   How do you set up a virtual directory?  Do you mean in the FTP site?

Yes.  Right click on the user's directory under the FTP site in the IIS Admin console and select New... then Virtual Directory....

Give the virtual directory a name and then point the location to your common file area.

Once the user logs in they can do a CD to the virtuyal directory name and they will then be able to access the common file area.

Dave Dietz

Thanks, Dave.  I guess you'd need to use folder security on that common file area, as you're circumventing the protection that Server 2003 provides with user isolation.  I'm beginning to wonder if I should just set up a separate server for this kinda thing.

Correct - you would need to use NTFS permissions to secure any files in the common area.

As far as a seperate server - what *exactly* are you trying to do?  Likely it can be handled with the single server in some way.....  :-)

Dave Dietz

Hey Dave.  Thanks for sticking with this.

I have two customers who would like to have a FTP site that allows two user accounts.  They would use one account to maintain their web site perhaps, or put up documents.  The second user would simply put up or take down documents.  You can imagine a CAD designer who has large documents that he needs to forward to his clients.  He wants one user account for himself, and another account for his customers.

This was no problem on W2K Server.  I really like the user isolation in place on my 2003 server but also don't want to turn down any business.

What do you think?  Thanks expert.

What I would do is set up accounts for each user and set up non-ad user isolation.  

In each user acount I would create virtual directories pointing to the areas they need access.
For example:
Admins - vdir to the root of the website
Contributors - vdir to the directory where they need to upload their CAD files (or whatever)
Others - nothing (they can access their files and that's it)

I would also create a local group for Admins and another for Contributors.
Add your users to these groups and use the groups to assign NTFS permissions on the content areas.
For the Contributor areas I would add NTFS permissions of Contributor: (Traverse Folder/Execute File, List Folder/Read Data, Create Files/Write Data, Read Permissions) and Creator Owner: Full Control (you could also add Admins: Full Control). This would allow contributors to upload files and also delete/change their own files without being able to change anyone elses.

Using the groups make management easier and allows you to use logical grouping of what function the accounts are used for.

Dave Dietz

I've followed the instructions to the letter, and still am receiving the 530 home directory inaccessible"

I have Win Server 2003, IIS6.  I setup a fresh, brand new FTP site.  The directory I am using is c:\www, the same directory I am using to host multiple websites successfully with IIS.

I can change the actual folder names to "localusers" and all that - but I assume that Windows doesn't care what names you use, provided that the viortual directories you create are of the user's name.

So, I have c:\www\laura - I have created a fresh user "laura" however in WSrv2003 there is no "Logon Locally" option in the user creation or properties dialogs.

I had this working a while ago, but I somehow screwed it up as with everything else and now it won't act the same way.  I gave full permissions to user "laura" on that directory - IUSR_computername has read/execute access already due to the website.

It makes no sense that it wouldn't work - I am stumped.  Any help is appreciated.

OK found this in the Local Security policy - Users was already in this allow to log on locally permission group.  Therefore things were set properly in the first place.  It makes absolutely NO SENSE that this shouldn't work just as advertised.

I tried again, starting completely from sratch.

c:\localusers (root directory)

c:\localusers\laura (user dir)

FTP Site "Test" -> removed anonymous access

Virtual Dir "laura" -> c:\localusers\laura

All set, go to FTP program - login as "laura" Error 530 home directory inaccessible.

I am now pissed that this works for everyone else but not for me......

Try this:

c:\
|
|---Windows
|
|---Inetpub
|       |
|       |---wwwroot
|       |
|       |---ftproot
|       |       |
|       |       |---localusers
|       |       |      |
|       |       |      |---laura
|       |       |      |
|       |       |      |---otherLocalAccount
|       |       |      |
+      +       +      +

Make sure the FTP site points to FTPRoot.

May not even need to create a virtual directory (testing seems to show it isn't necessary).

Ensure your local users have log on locally permissions, bypass traversal checking and have at least read access on their home folder.

This should work.  :-)

Dave Dietz

NOTE that, according to three MS docs on the issue,  the folder name is supposed to be localuser not localuserS:

http://tinyurl.com/4ubmm
http://tinyurl.com/6mneo
http://tinyurl.com/6fdnw

EB

Those documents do indeed say 'localuser' and in checking my actual working configuratio I also have LocalUser.

I tried testing with 'LocalUsers' to see if the servie is smart enough to compensate and found that it does need to be 'LocalUser'.

Thank you for noticing the typo.  :-)

Dave Dietz

Hi Dave,

I just want to thank you for this post.  I had the problem as jkean, so I search Expert Exchanged for help.  I got to this post, and I have to say that your knowledge brought me out of the gutter.  Thank you so much.  I wish I can throw some points your way, but this post is already closed.

You rule, brother.


Jazon from Jacksonville, FL

Crashnet/Dave...Thanks!  

Using Localuser\username works, no need to create a virtual directory, which is good because I have a couple of power users who add acccounts using telnet and net user and I didn't want to give them actually logging into the server.

Well - I still seem to be stuck - same problem as jkean...

In order to allow anonymous access in isolated ftp site, there must be a directory named : ftproot/LocalUser/Public

DO NOT name this directory "anonymous" or anything else.
A virtual directory named "anonymous" and pointing to the folder named "Public" is not required for it to work.

I have just spent 15 minutes setting up a new FTP site, and it is necessary to follow these steps:

if you use AD isolation then you need to specify the domain name under the "directory loaction" e.g.

ftp site name :
                    ftp (descriptive name for site)
                       :root folder
                                       "domain name"

with permissions to : ftp user name read/list contents (optional write)
                             : network read/list
                             :iusr_(domain name) read/list
                             :interactive/iis_wpg/anonymous all with read/list

be sure to create the ftp user in active directory, I'm not entirely sure if log on locally rights is necessary as this is a security risk and I have tried it both with and without those permissions and it still works.  There is no browsing allowed to higher folders only their local folders.

folders under the ftp root\domain name\ should correspond to the user name!

Then restart IIS and try again.  I have proven this on two different servers now.

Thanks

Great!  What if you're not using Active Directory?

Well luckily IIS is not inseparable from Active Directory and vice versa, you can still set-up isolation mode or simply ensure that one user does not have access rights to any other folder than his own.

You can still create your users in Computer Management don't forget, then the isolation kicks in pretty much the same way as AD,

now I haven't tried it just yet on non-server, but if my notes from above hold true then the home directiory access issue can be addressed by user the server name instead of the domain name:

\server name\FTP\username :)

thanks for the feedback!