home directory inaccessible - unable to login FTP server on IIS 6.0

Hello,

take a look at the event viewer application log, and the ftp service log for further clues.

Cheers.

"530 User fred cannot log in, home directory inaccessible."

fred is a member of Administrators (for testing)

fred has explicit "full control" rights to the folder "c:\SITES\fred"

the main site:  "ftpsites" points to "C:\SITES\null"
- this is wide open with read/write permissions
- the folder is set to EVERYONE with "full control" permissions
- the user "fred" is also set to "full control" permissions

the virtual folder "fred" points to "C:\SITES\fred", the name is "fred" matches the user name "fred" (if anyone has seen this before, the behavior of IIS is such that, if a user name matches a virtual folder name, then that FTP user goes to that virtual folder.
"C:\SITES\fred" gives fred "full control" as well as the administrators group of which fred is in (temporarily anyway), this is fred's home directory.  I can give EVERYONE "full control" and the error is the same as above.

 I have several Windows 2003 servers that have been set up in this fashion (though they were all set up before SP1, applying SP1 to these had no effect on the security settings, more interesting, is that, on 2 of the servers, none of the current FTP users have the "Log On Locally" permission set and they work just fine, go figure).

To eliminate the FTP client (WS FTP) as a suspect, I can go to the server via RDP, open IIS, and find the virtual FTP folder, right-click, select "Browse" and it asks for a login and password, all accounts are rejected including the Administrator's account.  This is actually the best test for FTP login problems.

So it looks like there is a policy somewhere that is preventing any user including administrators from accessing the folders via FTP.

Silly question - have you double-checked that the default home directory for the FTP service exists and is accessible to all? The error message does not specifically mention permission failure or login faults - it complains about the home directory itself.

Also worth checking - does the system "user" IWAM/IUSR... have access rights?

I've given everyone permission to the base FTP folder and the user folder as well as the user.
Even though the other servers do not have permissions set for IWAM and IUSER and work fine, I went ahead and added those accounts with full control.  Right now all accounts have full control (modify) on the folder in question.
It's still locked down tight.

There is no domain policies as this is not a domain controller nor is it on a domain.  It was originally set up as a DHCP server, but that role was removed.

Maybe a user account is missing?
Here's all the users on the machine:
Administrator, ASP.Net, Guest, Fred, IUSER_THETA, IWAM_THETA, and SQLDebugger

Here's all the groups/users in "Allow Log On Locally" (I deleted FTPUSERS group for now until I can figure this out)
Administrators, Backup Operators, IUSR_THETA, Power Users, THETA\Fred, Users

the "C:\SITES\NULL" and "C:SITES\Fred" folders permissions:  Administrators(full),Everyone(full),Fred(full),Internet Guest Account(full),Launch IIS Process ACcount(full), SYSTEM(full), Users(full)

There must be a hidden policy somewhere that is denying access.
 I've recreated the users, re-created the FTP site.
I've verified that the "effective" permissions showing full control for "Fred" (and all users mentioned above).

Is there any way to re-set the policies to defaults?

TIA

Try opening a local FTP session - does that work? If so, is Windows Firewall getting too clever?

I tried that with several accounts.  It disallows that as well.
I wasn't sure whether I had to type in the server name too, so I tried THETA\fred and fred by itself, but it won't even let the Administrator account in.

I'm uninstalling IIS (using the configure your server wizard) and then I'll be re-installing it to see if that helps.

no, that didn't work.  if only MS would come up with a "policy reset" so reinstalling the OS would not be necessary every time something like this gets messed up.
:(

Right now I'm removing SP1 and all the updates, then I will try again. It that fails, then I have to reinstall the OS.

warning to all: do not uninstall SP1 for Windows Server 2003.  
The server is now dead... DOH!

Thanks for everyone's help, I won't be able to get back to the machine for a week or so (in a datacenter I can't get to w/o paying them 100/hr to babysit).

OMG!
I did set it to "User Isolation".   I should have read closer - it said that the User Isolation requires a subdirectory under the root.
DAng! I baked a server over sheer stupidity.  I should be fired (oh wait, I'm the boss... maybe I should hang up developing for the web and just raise chickens or something :>)   or a person w/o "A.D.D.".

The other servers worked in that mode because all of the virtual directories were subdirectories of the root FTP.
 

The simple straight answer:  

If the FTP user account is on a Domain Controller AND User IIS 6 FTP Isolation Mode is enabled, then you just need to set up the directory structure:  

c:\inetpub\ftproot\<domain>\<username>  

If the IIS 6 FTP server is a standalone or member server AND the FTP user account is a local account on the server, then set up the home directory directory structure as:

c:\inetpub\ftproot\localuser\<username>