FTP Granular Permissions for subfolders

I have an SBS server with Windows FTP and User Isolation configured.  When our client has a new client that needs access, we typically create a new user in AD, then use ADSIEDIT to modify the MSIISFTPROOT and MSIISFTPDIR properties to specify a home folder.  They have many users and clients now with this solution and it's been working great so far.  

Now they have a new client that wants to create subfolders in their home directory, and they want these subfolders to have granular permissions so that only certain individuals can access the subfolders.  Something like this:

User A, B, C, D, and E
Home Folder
Sub Folder 1, 2, 3, and 4

Home Folder has User ABCDE access
Sub 1 has User ACE access
Sub 2 has User ABC access
Sub 3 has User BDE access
Sub 4 has User ACDE access

Can this be done?  How would I accomplish assigning granular permissions to this?  I understand that I would need to give this particular client multiple user access accounts instead of a single account.

Thanks in advance!

Dan McFadden, Systems Engineer, commented:
Yes, it can be done.  I would:

1. create the 5 new users
2. create 1 group that correlates to each sub folder
3. create the home folder
4. grant the 5 users NTFS Read permissions on the home folder
5. grant the group that corresponds to the specific sub folder the permissions specified by the client.
6. add the necessary user accounts to the various groups as per the client

This way you don't have to constantly play with the NTFS permissions.  Assign each group the needed NTFS permissions and then only update the membership of the group to grant access.

Dan McFadden, Systems Engineer, commented:
Using your example:

User A, B, C, D, and E
Home Folder
Sub Folder 1, 2, 3, and 4

create Sub-Folder-1 group, grant User ACE membership
create Sub-Folder-2 group, grant User ABC membership
create Sub-Folder-3 group, grant User BDE membership
create Sub-Folder-4 group, grant User ACDE membership

Home Folder has User ABCDE access
Sub 1 has group Sub-Folder-1 has access
Sub 2 has group Sub-Folder-2 has access
Sub 3 has group Sub-Folder-3 has access
Sub 4 has group Sub-Folder-4 has access

You could also create a group for the Home Folder using the same concept.  This way if the client adds additional accounts, just grant the user membership in the Home Folder group and the required sub folder groups.

ccptechs (Author) commented:
Okay, so create the 5 or however many accounts required, and create the home folder.  Assign the home folder using ADSIEDIT.

Then use standard NTFS security groups and permissions for the sub folders?  And that works over FTP?  I presume I'll need to un-check the inheritable permissions tab, or is that not necessary?  Seems like if I grant READ access to the top level, users would inherit that and be able to read the sub-directories as well?
Dan McFadden, Systems Engineer, commented:
Of course NTFS permissions work for FTP.  FTP uses the file system and must conform to the granted file system access list.

Yes, no need to allow inheritable permissions.  The directory tree under the Home Folder will have at least READ for all users of the whole client group, then the sub-folders will have different access lists based on the client's requirements.
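The following PowerShell is an added example, not code from the thread: it lays out the home folder and four sub folders from the question with the group-per-sub-folder NTFS ACLs from the accepted answer, and cuts inheritance on each sub folder as discussed in this reply. It assumes the five users already exist in AD; the domain name EXAMPLE, the path D:\FTPRoot\ClientX, the group prefix FTP-ClientX- and the Modify right on sub folders are placeholders.

```powershell
# Added example (not from the thread): folder tree plus group-based NTFS ACLs from the
# question. Placeholders: domain EXAMPLE, root D:\FTPRoot\ClientX, group prefix FTP-ClientX-.
Import-Module ActiveDirectory
$domain     = 'EXAMPLE'
$homeFolder = 'D:\FTPRoot\ClientX'
$users      = 'UserA','UserB','UserC','UserD','UserE'
$subs       = @{                     # sub folder -> members, as listed in the question
    'Sub1' = 'UserA','UserC','UserE'
    'Sub2' = 'UserA','UserB','UserC'
    'Sub3' = 'UserB','UserD','UserE'
    'Sub4' = 'UserA','UserC','UserD','UserE'
}
# Adds an Allow ACE that flows to the files and sub folders below the target.
function Add-Ace($Acl, [string]$Identity, [string]$Rights) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $Acl.AddAccessRule($rule)
}
# Returns the ACL of $Path with inheritance cut and inherited ACEs dropped, so the
# home folder's Read does not flow into a sub folder. SYSTEM and Administrators are
# re-added explicitly because cutting inheritance removes them too.
function New-ProtectedAcl([string]$Path) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    Add-Ace $acl 'NT AUTHORITY\SYSTEM'   'FullControl'
    Add-Ace $acl 'BUILTIN\Administrators' 'FullControl'
    return $acl
}
# Home folder: every client user gets Read (step 4 in the accepted answer).
New-Item -ItemType Directory -Path $homeFolder -Force | Out-Null
$acl = New-ProtectedAcl $homeFolder
foreach ($u in $users) { Add-Ace $acl "$domain\$u" 'ReadAndExecute' }
Set-Acl -Path $homeFolder -AclObject $acl
# Sub folders: one security group each; only that group appears in the sub folder ACL.
# Modify is an assumed right; use whatever the client specifies per sub folder.
foreach ($sub in $subs.Keys) {
    $group = "FTP-ClientX-$sub"
    New-ADGroup -Name $group -GroupScope DomainLocal -GroupCategory Security
    Add-ADGroupMember -Identity $group -Members $subs[$sub]
    $path = Join-Path $homeFolder $sub
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    $acl = New-ProtectedAcl $path
    Add-Ace $acl "$domain\$group" 'Modify'
    Set-Acl -Path $path -AclObject $acl
}
# Check: each sub folder lists only SYSTEM, Administrators and its own group, all with
# IsInherited False, and none of the five user accounts individually.
foreach ($sub in $subs.Keys) {
    (Get-Acl (Join-Path $homeFolder $sub)).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

This covers only the NTFS side; the msIIsFTPRoot/msIIsFTPDir settings for user isolation are still set through ADSIEDIT as described in the question. If a group ACE fails to resolve right after New-ADGroup, the new group has not replicated to the DC the file server is using yet; rerun the ACL step once it has.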

Seth Simmons, Sr. Systems Administrator, commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.