• Status: Solved

FTP Granular Permissions for subfolders

I have an SBS server with Windows FTP and User Isolation configured.  When our client has a new client that needs access, we typically create a new user in AD, then use ADSIEDIT to modify the MSIISFTPROOT and MSIISFTPDIR properties to specify a home folder.  They have many users and clients now with this solution and it's been working great so far.  

Now they have a new client that wants to create subfolders in their home directory, and they want these subfolders to have granular permissions so that only certain individuals can access the subfolders.  Something like this:

User A, B, C, D, and E
Home Folder
Sub Folder 1, 2, 3, and 4

Home Folder has User ABCDE access
Sub 1 has User ACE access
Sub 2 has User ABC access
Sub 3 has User BDE access
Sub 4 has User ACDE access

Can this be done?  How would I accomplish assigning granular permissions to this?  I understand that I would need to give this particular client multiple user access accounts instead of a single account.

Thanks in advance!
Asked by: ccptechs

Dan McFadden (Systems Engineer) commented:
Yes, it can be done.  I would:

1. create the 5 new users
2. create 1 group that correlates to each sub folder
3. create the home folder
4. grant the 5 users NTFS Read permissions on the home folder
5. grant the group that corresponds to the specific sub folder the permissions specified by the client.
6. add the necessary user accounts to the various groups as per the client

This way you don't have to constantly play with the NTFS permissions.  Assign each group the needed NTFS permissions and then only update the membership of the group to grant access.

Dan

Dan McFadden (Systems Engineer) commented:
Using your example:

User A, B, C, D, and E
Home Folder
Sub Folder 1, 2, 3, and 4

create Sub-Folder-1 group, grant User ACE membership
create Sub-Folder-2 group, grant User ABC membership
create Sub-Folder-3 group, grant User BDE membership
create Sub-Folder-4 group, grant User ACDE membership

Home Folder has User ABCDE access
Sub 1: group Sub-Folder-1 has access
Sub 2: group Sub-Folder-2 has access
Sub 3: group Sub-Folder-3 has access
Sub 4: group Sub-Folder-4 has access

You could also create a group for the Home Folder using the same concept.  This way if the client adds additional accounts, just grant the user membership in the Home Folder group and the required sub folder groups.

Dan

ccptechs (Author) commented:
Okay, so create the 5 or however many accounts required, and create the home folder.  Assign the home folder using ADSIEDIT.

Then use standard NTFS security groups and permissions for the sub folders?  And that works over FTP?  I presume I'll need to un-check the inheritable permissions tab or is that not necessary?  Seems like if I grant READ access to the top level, users would inherit that and be able to read the sub-directories as well?

Dan McFadden (Systems Engineer) commented:
Of course NTFS permissions work for FTP.  FTP uses the file system and must conform to the granted file system access list.

Yes, no need to allow inheritable permissions.  The directory tree under the Home Folder will have at least READ for all users of the whole client group, then the sub-folders will have different access lists based on the client's requirements.

Dan
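
The group-per-sub-folder layout from the answers above, as an added PowerShell example that is not part of the original thread. The domain name, folder path, account names and the Modify right are assumptions; the five users are assumed to exist already with their FTP home set as the question describes, and each sub folder drops inherited permissions so the home folder's Read grant does not reach it.

```powershell
# Added example. Every name and path below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory

$Domain   = 'CONTOSO'          # assumed NetBIOS domain name
$HomePath = 'D:\FTP\ClientX'   # assumed home folder path
$SubRight = 'M'                # assumed: Modify; substitute what the client specifies

# Sub folder -> members, taken from the matrix in the question
$Matrix = @{
    'Sub 1' = 'UserA','UserC','UserE'
    'Sub 2' = 'UserA','UserB','UserC'
    'Sub 3' = 'UserB','UserD','UserE'
    'Sub 4' = 'UserA','UserC','UserD','UserE'
}
$AllUsers = 'UserA','UserB','UserC','UserD','UserE'

# Home folder: one group holding all five users, Read on the folder and its files
New-ADGroup -Name 'Home-Folder' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'Home-Folder' -Members $AllUsers
New-Item -ItemType Directory -Path $HomePath -Force | Out-Null
icacls $HomePath /grant "${Domain}\Home-Folder:(OI)(CI)RX"

foreach ($Sub in ($Matrix.Keys | Sort-Object)) {
    $Group = 'Sub-Folder-' + $Sub.Split(' ')[1]   # Sub-Folder-1 ... Sub-Folder-4
    $Path  = Join-Path $HomePath $Sub

    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
    Add-ADGroupMember -Identity $Group -Members $Matrix[$Sub]
    New-Item -ItemType Directory -Path $Path -Force | Out-Null

    # Explicit ACEs first (Administrators and SYSTEM by well-known SID, then the
    # one group), so nobody is locked out when the inherited entries are dropped.
    icacls $Path /grant "*S-1-5-32-544:(OI)(CI)F" "*S-1-5-18:(OI)(CI)F" `
                        "${Domain}\${Group}:(OI)(CI)${SubRight}"

    # Remove everything inherited from the home folder, including Home-Folder's Read
    icacls $Path /inheritance:r

    # Review the result: only Administrators, SYSTEM and the one group should remain
    icacls $Path
}
```

Granting access later is then a group membership change only; a user added to a group picks up the new access at their next logon.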

Seth Simmons (Sr. Systems Administrator) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.