November 2010 (1)
August 2010 (1)
July 2010 (1)
June 2010 (3)
July 2009 (3)
June 2009 (1)
May 2009 (1)
February 2009 (1)
January 2009 (1)
November 2008 (3)
October 2008 (4)
September 2008 (9)
August 2008 (6)
July 2008 (3)
June 2008 (3)
January 2008 (1)
November 2007 (2)
October 2007 (6)
September 2007 (5)
August 2007 (22)
July 2007 (6)
June 2007 (1)
May 2007 (3)
April 2007 (27)
March 2007 (8)
February 2007 (6)
September 2006 (2)
August 2006 (4)
July 2006 (9)
June 2006 (17)
May 2006 (20)
April 2006 (12)
March 2006 (9)
February 2006 (4)
January 2006 (3)
December 2005 (2)
November 2005 (4)
October 2005 (5)
September 2005 (37)
August 2005 (83)
July 2005 (6)

Active Directory / LDAP (0)
ASP.Net (19)
Blackberry Development (4)
c# (34)
c++ (3)
Code Camp (1)
Excel (1)
Exchange (3)
Front Page 2003 (6)
FTP User Editor (4)
IIS (146)
IIS - Log Parser (7)
IIS / FTP (12)
IIS / Tools / Administration (42)
IIS / Tools / Authentication (6)
IIS / Tools / Compression (8)
IIS / Tools / Crash & Hang (12)
IIS / Tools / ISAPI Filters (17)
IIS / Tools / Log Files (17)
IIS / Tools / Scripts (28)
IIS / Tools / Security (9)
IIS / Tools / SSL (6)
IIS 7 (3)
Internet Information Server (1)
Me (Chris Crowe) (6)
MIME Types (1)
Misc (72)
Oulook Express (2)
Silverlight (1)
SQL Server (27)
SQL Server CTE (1)
Vista (15)
Vista Gadgets (8)
Visual Studio (11)
Voice over BroadBand (1)
Windows (33)
Windows Powershell (3)
Windows Sharepoint Services (0)
Windows Sharepoint Services (15)
Windows Vista (14)
Wine Cellar (1)
WMI (8)
FTP User Editor (4)

FTP User Editor

Changing the default FTP site to Isolate Users using Active Directory

If you have installed the FTP server for IIS 6 you will notice that it is not configured to isolate users either locally or by using Active Directory and that there is no UI to enable this!

There are two ways to change user isolation:

  1. Create a new FTP site and configure it then.
  2. Adjust the IIS Metabase properties using a script

Option #1 above is quite simply and does not really need any explaining. Just create a new FTP site and follow the promtps.

Option #2 is where this article is going to concentrate on.

We can either write a simple ADSI/WMI script or we can use the adsutil.VBS script - we are going to concentrate on the adsutil.VBS script.

First things is how does IIS determine the user isolation mode?

IIS uses a metabase property called UserIsolationMode to control user isolation in association with ADConnectionsUserName, ADConnectionsPassword and DefaultLogonDomain properties.


The UserIsolationMode can only be one of the following values.

  • 0 = Not Isolated
  • 1 = Isolated (Locally)
  • 2 = Isolated using Active Directory

When UserIsolationMode = 0

There is no user isolation in this mode, this is the default setting.

When UserIsolationMode = 1

When a client authenticates using local or domain accounts and is then sent to a folder under the root that matches the user name. This setting is called "Isolated (Locally)," and it supports users who do not want to use Active Directory.

When UserIsolationMode = 2

User isolation is dependent on Active Directory. This setting is called "Isolated (Active Directory)," and it is primarily used by Internet service providers (ISPs) and other customers who want to set up large numbers of FTP accounts.

When using this mode the following properties must also be configured.

  • ADConnectionsUserName
  • ADConnectionsPassword
  • DefaultLogonDomain.

The ADConnectionsUserName specifies the user account ( without Domain ) that will be used to communicate with Active Directory to read the ms-IIS-FTP-Dir and ms-IIS-FTP-Root Active Directory attributes. The ADConnectionsPassword simply specifies the Password for the Username and the DefaultLogonDomain is the domain for the user account. 

Note: The UserIsolationMode key is by default not set in the IIS metabase for the default FTP site and defaults to a value of 0 (Not Isolated)


Using ADSUTIL.VBS to change to Active Directory User Isolation Mode

Adsutil.vbs is installed into c:\inetpub\adminscripts by default.

We will make the following assumptions for setting up User Isolation

  • We have backed up the IIS Metabase using the UI - if you have not DO IT NOW! 
    ( Open IIS Manager, Right click Server Name, All Properties, Backup/Restore configuration)
  • We are going to change the default FTP site user isolation mode.
  • We are going to Isolate users using Active Directory.
  • We are going to use an account of TestDomain\TestUserName to gain access to Active Directory with a password of $Password_

To determine the current user isolation mode we will run the following command from a CMD.EXE prompt.

cscript adsutil.vbs get MSFTPSVC/1/UserIsolationMode

Note: In the above code we see that the value is not set! this is the default for the Default FTP Site

To set the UserIsolationMode to 2 which is Active Directory Isolation we issue the following command.

cscript adsutil.vbs set MSFTPSVC/1/UserIsolationMode 2

Note: The result is that we have now configured the default FTP site to use Active Directory Isolation (2)

But: We have not configured any credentials to be used to allow the server to talk to Active Directory yet!

We now need to configure the user account that will be used to communicate with Active Directory

The following commands will do this

cscript adsutil.vbs set MSFTPSVC/1/ADConnectionsUserName TestUserName
cscript adsutil.vbs set MSFTPSVC/1/ADConnectionsPassword $Password_
cscript adsutil.vbs set MSFTPSVC/1/DefaultLogonDomain TestDomain

If you now right clicked on the default FTP site in the IIS Manager and selected properties you would see that it is different.

Active Directory Isolation   Default - No User Isolation


To restore the UserIsolationMode to the default, which is 0 we simply issue the following command.

cscript adsutil.vbs set MSFTPSVC/1/UserIsolationMode 0


A free FTP User Account Editor for Active Directory

The following application is free and comes with full source code written in c#. You can use this application to easily configure the ms-IIS-FTP-Root and ms-IIS-FTP-Dir Active Directory attributes for 1 or more users using a very simple UI.

To read more or to download the application see this blog post -

Some additional references::

FTP User Editor for Active Directory (Updated)

The FTP User Editor for Microsoft Active Directory has been updated a fix a couple of problems.


  • There was a limit of 1000 objects being returned from the Active Directory - increased to 32768. 

You can download and install from:

For more details on the FTP User Editor please see the original post at

FTP User Editor for Microsoft Active Directory (Updated)

The FTP User Editor for Microsoft Active Directory has been updated a fix a couple of problems.


  • The connect dialog did not hide the password as you typed it!
  • The Recent Users were lost after you shutdown due to a difference in implementation between the old and new controls.

New Features

  • You can now browse to find the path for the FTP Root directory.

You can download and install from:

For more details on the FTP User Editor please see the original post at

FTP User Account Editor for Active Directory

FTP User Editor for Microsoft Active Directory.....

What is this?

When you run the FTP server with Microsoft IIS 6.0 on the Windows 2003 Server Family of products you can have the FTP server isolate users to their own folders. This means that the user can not browse into another users folder.

There are three isolation modes:

  1. Do not isolate users
  2. Isolate Users
  3. Isolate Users with Active Directory

This application is designed for option 3 and allows you to edit two attributes for a users account:

  • msIIS-FTPRoot
  • msIIS-FTPDir

For more details on these attributes see the following page.

There is no Windows UI to perform this step but there is a way to edit these attributes using the IISFTP.vbs script that is installed when you install IIS with the FTP Service in IIS 6.

The IISFTP.vbs script works fine but sometimes it is nicer and simpler to have a UI to help perform these steps. You also can see potential problems easier with a Windows UI.

The Application

This application has been written to in c# and requires the .NET Framework 2.0 (the new framework) to function. Windows 2003 Server Family by default installs the .NET Framework 1.1.

The .NET Framework 2.0 redistributable can be downloaded from this page and is approx 22MB

You can then download and install this application from the URL below.

After you install the program a new item will be added to your Start - Programs folder called IIS Tools.

When you run the application it will prompt you for a Windows Active Directory domain to log onto. You can log on with the currently logged on user account or you can specify another account to log on with.

Once you log on you are then shown a tree of Folders and Organizational Units (OUs). Click on a node will display all user accounts in that folder or OU.

You can select one or more users and right click and select Edit which will bring up the User Editor dialog.

This dialog allows you to set or clear the attributes that are required for users to log on to the FTP server.

If you have any comments on this application ( or bug reports ) please let me know at


Chris Crowe [ IIS MVP 1997 -> 2006 ]

Additional references

Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0)