Help needed about "FTP home directory configured in Active Directory"

    Question

  • Hi all,

    I have a question that I have asked many MCITP trainers, but nobody knows a good answer. I have also asked it here in the forum, but I didn't get a result. I will be exponentially grateful to someone who describes which steps I should do, in order.

    My question is:

    I have a domain called MyDomain.local. I have, for example, 10 users in my domain, named U1, U2, U3, .... I have also deployed a Win 2008 R2 SP1 FTP server and joined it to my domain. Now, via the IIS console, I want to deploy FTP user isolation by using the "FTP home directory configured in Active Directory" feature (which exists in the FTP user isolation section).

    I know what FTP user isolation is, but I don't know what exactly this "FTP home directory configured in Active Directory" feature does!!

    Could someone tell me what this feature does (in simple words, please)?

    My second request: could someone please tell me which steps I should do, in order (the whole process for deploying FTP user isolation by using "FTP home directory configured in Active Directory")?

    For example, if possible, please describe the steps in the following pattern (or, if that is not possible, please check my following steps and tell me where I am wrong and what corrections I should make)      :-)

    1 - In my FTP site root folder, should I create a folder named U1, or should I first create a general folder (whose name is the same as my domain's NetBIOS name)?

    2 - In the Adsiedit.msc console, in the properties of the U1 user account, what should I write in the msIIS-FTPDir and msIIS-FTPRoot attributes?

    3 - On the FTP server, when I select "FTP home directory configured in Active Directory" and click the "Set" button, the system asks me for a username and password. Which username and password should I write here (the domain admin username or password, or the username and password of the FTP server's local administrator)?

    4 - After doing these steps, what happens? Will something be added to the properties of that user account (U1)? Does he see a mapped network drive when he logs in to the domain with his domain username and password?

    Are there any additional required steps that I don't know about?

    Thank you very, very much :-)




    • Edited by john.s2011 Sunday, January 01, 2012 5:42 AM
    Sunday, January 01, 2012 5:35 AM

Answers

  • i know what is ftp user isolation but i don't know what does exactly this feature " ftp home directory configured in active directory" do !!

    may someone tell me what this feature do ( in simple words please )

    It doesn't sound like, or I'm not sure if you have any experience with any of the other FTP servers on the market, but they all work with a "Home Folder" attribute or setting that you set for each user. One example I used to use heavily in the past, alongside IIS when I was running websites, is Serv-U FTP. Very powerful, it offers numerous features, including bandwidth throttling per user, permissions to download based on uploaded bandwidth, upload/download percentages, home folder, etc. The home folder is the folder the FTP server connects the user to when they connect. We can either "Lock" them into the folder so they can't see any other folder, or don't lock it, so they can manually traverse back to the root of C:, D:, etc, which of course I never let them.

    Besides Serv-U, other FTP servers include SmartFTP, CuteFTP, CoreFTP, and others.

     

     

    1- in my ftp site root folder, should i create a folder named U1 or first i should create a general folder ( which it's name is the same as mydomain netbios name )?

    The beauty of it is you do not have to create a directory for each account. You create one "root" folder anywhere you like. This is the general folder you referred to. I would create a subfolder (example) called "FTP Root Folder" on C: drive, D: drive, etc. Then you specify that in the IIS Isolation configuration specifying their AD account settings. Once you do that, they log in, they are stuck in that folder.

    Configuring FTP User Isolation (look at the sub links for specific steps):
    http://technet.microsoft.com/en-us/library/dd464015(WS.10).aspx

     

    2 - in Adsiedit.msc console , in the properties of U1 user account , in msIIS-FTPDir and msIIS-FTPRoot attributes of U1 user account, what should i write ?

    You don't need ADSI Edit if you have Windows 2008 R2 DC. You can use the Attribute Editor tab of the AD user account properties.

    See the screenshots in this link:
    Configure AD FTP user attributes, Testing, Troubleshooting.
    http://www.iislogs.com/articles/adftparticle/step4_PostConfig/

     

    3 - in ftp server when i select " ftp home directory configured in active directory " and select "set" button , the system asks me for username and password. which username and password should i write here ? ( domain admin username or password or the user name and password of ftp server local administrator ) ?

    That's the account IIS will use to access the operating system folder structure. Create your own. Don't use the administrator account. Look at the configuration steps in this link:

    How to configure FTP User Isolation with Active Directory by Steve Schofield
    http://www.iislogs.com/articles/adftparticle/

     

    4 - after doing these steps what happens ? does something will be added to the properties of that user account ( U1 ? ) does he see a mapped network drive when he logs in to domain with his domain username and password ?

    So when they log in, what they see is the root of the folder they are logged in to, or the folder they are in. They can create, modify, delete anything in there because it's their folder. They will not have the ability to look at any other folders in the operating system.

    This way, when the user logs in using FTP, they will not "see" a home folder, such as logging into AD with their Windows workstations such as seeing a mapped drive created from a logon script or something, rather when they log in, what they see in front of them IS the home folder. Keep in mind, they will be using an FTP app, such as WSFTP, FileZilla client. It's one of the changes that were made with FTP 7.0 in IIS 7/7.5, and it works the same way, except that you have the ability to use the user's AD account settings to set the FTP Home Folder.

     

    are there any additional required steps that i don't know ?

    PDF: Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0):
    "This article will take you step by step to show you how to create FTP Users ... FTP site setup using the FTP Site Creation Wizard. You can use ... parameter, specify either AD, for Active Directory isolation, or Local, for local isolation."
    http://www.fullcontrol.net/qsa/ftpisolation.pdf

    See the link Tiger posted, too.

     

    I had a more elaborate post the other day, but inadvertently deleted it when I tried to fix the formatting. I hope you find this helpful.

    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Tuesday, January 03, 2012 4:43 AM
  • I'm surprised the links don't work. Have you tried to copy and paste the link into a separate browser? The links explain exactly what to type in.

     

    ==============================
    Below is the whole website from the first link:
    (http://www.iislogs.com/articles/adftparticle/step4_PostConfig/):

    Configure AD FTP user attributes, Testing, Troubleshooting.

    On the domain controller, use ADSIEdit.msc and adjust the user properties.

    This is something you should treat very seriously, using ADSIEDIT.msc is the 'registry editor' of the AD database. If you are unsure how to edit Attributes, consult your AD administrator. You'll do this setting for each user. This could be scripted using Powershell, ADSI. We strongly suggest you do this in a non-production environment before attempting to deploy in your production environment.
    •msIIS-FTPDir - ADFtpUser1
    •msIIS-FTPRoot - \\Server1\ADFTPHome
    •Powershell 1.0 script to update the attributes (http://tinyurl.com/8nprch )

    Test externally with FTP client.
    •CoreFTP (www.coreftp.com)
    •FileZilla (http://filezilla-project.org/)
    •SmartFTP ( www.smartftp.com )

    Here is sample output

    Notice the bolded section, user, PASV, port

    Connect socket #1580 to 192.168.0.68, port 21...
    220 Microsoft FTP Service
    USER ADFTPUser1
    331 Password required for ADFTPUser1.
    PASS **********
    230 User logged in.
    SYST
    215 Windows_NT
    Keep alive off...
    PWD
    257 "/" is current directory.
    PASV
    227 Entering Passive Mode (192,168,0,68,19,39).
    LIST
    Connect socket #1568 to 192.168.0.68, port 4903...
    125 Data connection already open; Transfer starting.
    226 Transfer complete.
    Transferred 57 bytes in 0.008 seconds

    Troubleshooting

    If you get 530 User cannot log in, home directory inaccessible.
    •Make sure you set the Default Domain in the BASIC FTP authentication module, see step 3
    •Make sure the AD attributes are set up properly, see step 4

    If you can't connect with PASV settings
    •The External or Windows firewall PASV settings are configured, see step 3

    Make sure the ADFTPReadOnly has READ permissions on the OU (organizational unit) in Active Directory. The user doesn't need to be a Domain Admin.

    ============================

    Below is the whole website from the second link
    http://www.iislogs.com/articles/adftparticle/

     

    How to configure FTP User Isolation with Active Directory by Steve Schofield

    This article covers how to set up two Active Directory users using the FTP 7.0 publishing service. I was unable to find a resource that showed basic steps to get started. The article is broken into multiple steps, each being dependent on previous steps. We are assuming you are familiar with Active Directory, IIS / FTP installation and configuration. Most likely, you'll need to engage your Active Directory administrator for certain steps. The article is a beginning to being able to implement additional items such as FTP over SSL, locking down the folders to just specific users / groups.

    Assumptions
    •The FTP server is Windows Server 2008
    •The FTP service is 7.0 with the rollup hotfix (KB955136)
    •All users are stored in Active Directory.

    Test environment.
    •Windows Server 2008 Active Directory native mode
    •Windows Server 2008 FTP server is member server in AD

    Initial Active Directory steps

     Create Active Directory users
    •ADFtpUser1
    •ADFtpUser2
    •ADFTPReadOnly (this will be used by the FTP service to read the AD attributes. It doesn't need to be a Domain Admin)

    Create Active Directory Global security group
    •ADFtpUsers

    Install FTP Service
    •Click Here for the article
    http://www.iislogs.com/articles/adftparticle/step1_InstallFTPService/

    Configure folder system
    •Click here for the article
    http://www.iislogs.com/articles/adftparticle/step2_ConfigureFolderSystem/

    Create and Configure FTP Site
    •Click here for the article
    http://www.iislogs.com/articles/adftparticle/step2_ConfigureFolderSystem/

    Post configuration, testing and troubleshooting
    •Click here for the article
     http://www.iislogs.com/articles/adftparticle/step4_PostConfig/

     

    We hope you find this article useful.

    Thank you,

     Steve Schofield
     Windows Server MVP - IIS
     http://weblogs.asp.net/steveschofield

    http://www.IISLogs.com
     Log archival solution
     Install, Configure, Forget


    Ace Fekay
    Tuesday, January 03, 2012 7:42 PM
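
The attribute values from the pasted article, scripted and then audited in PowerShell. This is an added example, not code from the thread or from the linked article: the function names are hypothetical, the sample records are constructed, and the first function assumes the ActiveDirectory module (RSAT) is available.

```powershell
# Added example. \\Server1\ADFTPHome, ADFtpUser1 and ADFtpUsers come from the
# pasted article; function names and sample records are made up for illustration.

function Set-FtpHomeAttributes {
    # Writes msIIS-FTPRoot / msIIS-FTPDir on every user in an AD group,
    # using the account name as the per-user folder (as the article does).
    # Needs the ActiveDirectory module; run with -WhatIf to preview.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [Parameter(Mandatory = $true)][string]$FtpRoot
    )
    Import-Module ActiveDirectory
    Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $values = @{ 'msIIS-FTPRoot' = $FtpRoot; 'msIIS-FTPDir' = $_.SamAccountName }
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'set msIIS-FTPRoot / msIIS-FTPDir')) {
                Set-ADUser -Identity $_.DistinguishedName -Replace $values
            }
        }
}

function Test-FtpHomeAttributes {
    # Pure check over user records: emits one object per problem found.
    # No output means every record has a usable, unshared home folder.
    param([Parameter(Mandatory = $true)][object[]]$Users)

    $seen = @{}   # resolved home path -> first account that uses it
    foreach ($u in $Users) {
        $name = $u.SamAccountName
        $root = [string]$u.'msIIS-FTPRoot'
        $dir  = [string]$u.'msIIS-FTPDir'
        $problems = @()

        if (-not $root -or -not $dir) {
            $problems += 'attribute empty: expect "530 User cannot log in, home directory inaccessible"'
        } else {
            if ($root -notmatch '^(\\\\[^\\]+\\[^\\]+|[A-Za-z]:\\)') {
                $problems += 'msIIS-FTPRoot is not a UNC share or an absolute local path'
            }
            if ($dir -match '(^|[\\/])\.\.([\\/]|$)' -or $dir -match '^[\\/]' -or $dir -match ':') {
                $problems += 'msIIS-FTPDir is not a plain relative path under the root'
            }
            $key = ($root.TrimEnd('\') + '\' + $dir.Trim('\')).ToLower()
            if ($seen.ContainsKey($key)) {
                $problems += "home folder shared with $($seen[$key]), so the two accounts are not isolated"
            } else {
                $seen[$key] = $name
            }
        }
        foreach ($p in $problems) {
            New-Object PSObject -Property @{ User = $name; Problem = $p }
        }
    }
}

# Constructed sample records (not real directory data): one good, three bad.
$sample = @(
    (New-Object PSObject -Property @{ SamAccountName = 'ADFtpUser1'
        'msIIS-FTPRoot' = '\\Server1\ADFTPHome'; 'msIIS-FTPDir' = 'ADFtpUser1' }),
    (New-Object PSObject -Property @{ SamAccountName = 'ADFtpUser2'
        'msIIS-FTPRoot' = '\\Server1\ADFTPHome'; 'msIIS-FTPDir' = 'ADFtpUser1' }),
    (New-Object PSObject -Property @{ SamAccountName = 'SampleUser3'
        'msIIS-FTPRoot' = '\\Server1\ADFTPHome'; 'msIIS-FTPDir' = '..\ADFtpUser1' }),
    (New-Object PSObject -Property @{ SamAccountName = 'SampleUser4'
        'msIIS-FTPRoot' = ''; 'msIIS-FTPDir' = 'SampleUser4' })
)

Test-FtpHomeAttributes -Users $sample | Format-Table User, Problem -AutoSize -Wrap

# Against a live domain (group members must all be users):
#   Set-FtpHomeAttributes -GroupName ADFtpUsers -FtpRoot '\\Server1\ADFTPHome' -WhatIf
#   $live = Get-ADGroupMember ADFtpUsers |
#           Get-ADUser -Properties 'msIIS-FTPRoot','msIIS-FTPDir'
#   Test-FtpHomeAttributes -Users $live
```

The audit runs offline on the sample records; the live-domain lines at the end are left commented out so nothing in Active Directory changes until they are run deliberately.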

All replies

  • Hi John,

     

    Thanks for posting here.

     

    If you have read the explanations in the article below, then we should understand this feature tries to prevent other users from viewing or overwriting content that belongs to the current user. Otherwise users will share the same folder together when they log on to the FTP site:

     

    Configuring FTP User Isolation in IIS 7

    http://learn.iis.net/page.aspx/305/configuring-ftp-user-isolation-in-iis-7/

     

    For more information please post to IIS forum in order to get most qualified pool of respondents:

     

    http://forums.iis.net/

     

    Thanks.

     

    Tiger Li


    Monday, January 02, 2012 7:41 AM
  • I had a post that I submitted, but the formatting was skewed. I accidentally deleted it trying to fix the formatting. If either John or Tiger can copy the data from your email notification, and paste/post it back, that would be very much appreciated!

    Ace

     


    Ace Fekay
    Monday, January 02, 2012 4:34 PM
  • do you mean this post Ace :

    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/7e459d76-7ead-4c51-8402-519b5be8ed2b

    Monday, January 02, 2012 6:37 PM
  • No, it was in this thread. It was an elaborate post with many links. You can see the "deleted" icon above. I'm surprised you didn't see an email notification for it.

    Anyway, if you didn't get the email notification with my post before I deleted it, Tiger gave you a link to follow up on.

    Ace

     


    Ace Fekay
    Monday, January 02, 2012 6:57 PM
  • thank you very very much Ace , that was very kind of you / you are a great trainer / your explanations are excellent /    :-)

    but one problem , these 2 links don't work ( are not displayed ) :

    http://www.iislogs.com/articles/adftparticle/step4_PostConfig/

    http://www.iislogs.com/articles/adftparticle/

     

    so please if possible answer one of my old questions :

    so in the properties of U1 user account , in msIIS-FTPDir and msIIS-FTPRoot attributes of U1 user account, what should i write ? ( give me please an example , for example my ftp server ip address is 192.168.1.1 . i created a root folder for ftp and called it "ftp-root". my domain controller ip address is 192.168.1.2 )

    so for my domain user account called "user1" , in the msIIS-FTPDir and msIIS-FTPRoot attributes of U1 user account, what should i write ? ( \\192.168.1.1\ftp-root ) ? ( should i share that ftp-root folder ? )

    thanks a lot

     

     


    • Edited by john.s2011 Tuesday, January 03, 2012 6:55 AM
    Tuesday, January 03, 2012 6:37 AM