Creating a New FTP Site with Isolate Users Using Active Directory Mode (IIS 6.0)

In Isolate users using Active Directory mode, user credentials are authenticated against a specific Active Directory container rather than by searching the entire Active Directory, which requires large amounts of processing time.

This mode requires an Active Directory server running on an operating system in the Windows Server 2003 family. A Windows 2000 Active Directory can also be used, but it requires manual extension of the User Object schema. To learn more about setting up an Active Directory server, see Help and Support Center for Windows Server 2003.

Specific FTP server instances can be dedicated to each customer to ensure data integrity and isolation. When a user's object is located within the Active Directory container, the msIIS-FTPRoot and msIIS-FTPDir properties are extracted to provide the full path to the user's home directory. If the FTP service can successfully access the path, the user is placed within the home directory, which represents the FTP root location. The user sees only their FTP root location and is therefore restricted from navigating higher up the directory tree. The user is denied access if either the msIIS-FTPRoot or the msIIS-FTPDir property does not exist, or if the two together do not form a valid and accessible path.

Important: You must be a member of the Administrators group on the local computer to perform the following procedure or procedures. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".

To create FTP sites with Isolate users using Active Directory mode

1. In IIS Manager, click the local computer, right-click the FTP Sites folder, point to New, and click FTP Site.

2. In the Welcome to the FTP Site Creation Wizard, click Next.

3. In FTP Site Description, type a description for the FTP site, and then click Next.

4. In IP Address and Port Settings, type an IP address and port, and then click Next.

5. In FTP User Isolation, click Isolate users using Active Directory, and then click Next.

6. In the User name text box, type the user name, using the Domain\User format, or browse to the user name. Choose a user with minimal domain privileges. This user name is used to access Active Directory and read the home directory properties.

7. In the Password text box, type the password of the user.

8. In the Enter the default Active Directory domain text box, type or browse to the default domain name.

   This domain name is used for users who do not specify their domain when they log on. In other words, a user connecting with the user name Domain1\User1 is authenticated against Domain1, while a user connecting as User2 is authenticated against the default logon domain. If no default domain is named and a user does not specify a domain name, access is denied for all but anonymous users. Type the base domain name only, not the fully qualified name. For example, type MyDomain, not

9. Click Next. You are prompted to re-enter the password for the user entered in the previous steps.

10. Enable the Read and Write permissions as appropriate, click Next, and then click Finish.
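The following PowerShell script is an added example and is not Microsoft's code or part of the IIS 6.0 FTP service. It models the two rules described above, the default-domain handling from the wizard and the msIIS-FTPRoot / msIIS-FTPDir home-directory check, so an administrator can pre-check accounts before enabling the site. The function names, the decision object and the sample logon names are hypothetical; msIIS-FTPRoot and msIIS-FTPDir are the attributes named on the page. It assumes Windows PowerShell on a domain-joined host that can reach a domain controller, and by default searches the root of the current domain.

```powershell
# Added example, not Microsoft's code. Models the IIS 6.0 "Isolate users using
# Active Directory" rules: domain resolution for a logon name, then the
# msIIS-FTPRoot + msIIS-FTPDir home-directory check. Function names are hypothetical.

function New-FtpDecision {
    param([bool] $Allowed, [string] $Reason, [string] $Domain, [string] $User, [string] $Home)
    [pscustomobject]@{ Allowed = $Allowed; Reason = $Reason; Domain = $Domain; User = $User; Home = $Home }
}

function Resolve-FtpLogonDomain {
    # Wizard rule: Domain1\User1 -> Domain1; User2 -> default domain;
    # no domain supplied and no default configured -> denied for all but anonymous.
    param(
        [Parameter(Mandatory)] [string] $LogonName,
        [string] $DefaultDomain   # the wizard's "default Active Directory domain"; may be empty
    )
    if ($LogonName -eq 'anonymous') {
        return New-FtpDecision -Allowed $true -Reason 'anonymous logon' -User 'anonymous'
    }
    if ($LogonName -match '^(?<domain>[^\\]+)\\(?<user>[^\\]+)$') {
        return New-FtpDecision -Allowed $true -Reason 'explicit domain' -Domain $Matches.domain -User $Matches.user
    }
    if ([string]::IsNullOrWhiteSpace($DefaultDomain)) {
        return New-FtpDecision -Allowed $false -Reason 'no domain supplied and no default domain configured' -User $LogonName
    }
    New-FtpDecision -Allowed $true -Reason 'default domain applied' -Domain $DefaultDomain -User $LogonName
}

function ConvertTo-LdapFilterValue {
    # Escape LDAP filter metacharacters (RFC 4515) so a client-supplied user name
    # cannot change the shape of the directory query.
    param([Parameter(Mandatory)] [string] $Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-FtpIsolationHome {
    # Deny conditions from the page: user object not in the searched container, either
    # attribute missing, or root + dir not an accessible directory. Test-Path runs as the
    # caller, not as the FTP service identity, so a pass is necessary but not sufficient.
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $SearchRoot = ''   # LDAP path of the container to search; '' = root of the current domain
    )
    $filter   = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]$SearchRoot, $filter)
    [void] $searcher.PropertiesToLoad.AddRange([string[]]@('msIIS-FTPRoot', 'msIIS-FTPDir'))
    $entry = $searcher.FindOne()
    if (-not $entry) {
        return New-FtpDecision -Allowed $false -Reason 'user object not found in the searched container' -Domain $Domain -User $SamAccountName
    }
    # DirectorySearcher lower-cases the attribute names in the result collection.
    foreach ($attr in 'msiis-ftproot', 'msiis-ftpdir') {
        if (-not $entry.Properties.Contains($attr) -or $entry.Properties[$attr].Count -eq 0) {
            return New-FtpDecision -Allowed $false -Reason "$attr is not set on the user object" -Domain $Domain -User $SamAccountName
        }
    }
    $root = [string] $entry.Properties['msiis-ftproot'][0]
    $dir  = [string] $entry.Properties['msiis-ftpdir'][0]
    $home = Join-Path -Path $root -ChildPath $dir
    if (-not (Test-Path -LiteralPath $home -PathType Container)) {
        return New-FtpDecision -Allowed $false -Reason 'msIIS-FTPRoot + msIIS-FTPDir is not an accessible directory' -Domain $Domain -User $SamAccountName -Home $home
    }
    New-FtpDecision -Allowed $true -Reason 'home directory resolved' -Domain $Domain -User $SamAccountName -Home $home
}

# Usage: apply the wizard rules to the sample logons from the page (constructed input),
# with and without a default domain, then check one account's home directory.
foreach ($logon in 'Domain1\User1', 'User2', 'anonymous') {
    Resolve-FtpLogonDomain -LogonName $logon -DefaultDomain 'MyDomain'
    Resolve-FtpLogonDomain -LogonName $logon            # no default domain: User2 is denied
}
$decision = Resolve-FtpLogonDomain -LogonName 'Domain1\User1' -DefaultDomain 'MyDomain'
if ($decision.Allowed) {
    Test-FtpIsolationHome -Domain $decision.Domain -SamAccountName $decision.User | Format-List
}
```

The lookup searches the current domain by default; to check a user whose explicit domain is a different domain, pass that domain's LDAP path in -SearchRoot. Running Test-FtpIsolationHome over every account that has msIIS-FTPRoot set is a quick way to find users who would be denied after the site goes live because one attribute is missing or the combined path is wrong.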

Related Information

For more information about FTP user isolation, see Hosting Multiple FTP Sites with FTP User Isolation.

© 2017 Microsoft Corporation. All rights reserved.