IIS / FTP (12)


Microsoft has created a new FTP service

Microsoft has created a new FTP service that has been completely rewritten for Windows Server Code Name "Longhorn". This new FTP service incorporates many new features that enable web authors to publish content better than before, and offers web administrators more security and deployment options. For additional information, please see our documentation.

This new FTP service is only for Windows Server Code Name "Longhorn" and Internet Information Services 7.0; it will not work on Windows Server 2003 and Internet Information Services 6.0.




This new FTP service supports a wide range of features and improvements, and the following list contains several of the improvements in this version:

Integration with IIS 7.0:
IIS 7.0 has a brand-new administration interface and configuration store, and the new FTP service is tightly integrated with this new design. The old IIS 6 metabase is gone, and a new configuration store that is based on the .NET XML-based *.config format has taken its place. In addition, IIS 7.0 has a new administration tool, and the new FTP server plugs seamlessly into that paradigm.

Support for new Internet standards:
One of the most significant features in the new FTP server is support for FTP over SSL. The new FTP server also supports other Internet improvements such as UTF8 and IPv6.

Shared hosting improvements:
By fully integrating into IIS 7.0, the new FTP server makes it possible to host FTP and Web content from the same site by simply adding an FTP binding to an existing Web site. In addition, the FTP server now has virtual host name support, making it possible to host multiple FTP sites on the same IP address. The new FTP server also has improved user isolation, now making it possible to isolate users through per-user virtual directories.

Extensibility and custom authentication:
The new FTP server supports developer extensibility, making it possible for software vendors to write custom providers for FTP authentication. Microsoft is using this extensibility feature to implement two new methods for using non-Windows accounts for FTP authentication for IIS Managers and .NET Membership.

Improved logging support:
FTP logging has been enhanced to include all FTP-related traffic, unique tracking for FTP sessions, FTP sub-statuses, additional detail fields in FTP logs, and much more.

New supportability features:
IIS 7.0 has a new option to display detailed error messages for local users, and the FTP server supports this by providing detailed error responses when logging on locally to an FTP server. The FTP server also logs detailed information using Event Tracing for Windows (ETW), which provides additional detailed information for troubleshooting.



This add-on is a substantial step forward for helping you to enable powerful publishing capabilities for your Web environment.



The following prerequisites must be fulfilled in order to install the new FTP server:

• You must be using Windows Server Code Name "Longhorn" Beta 3 or later.
• Internet Information Services 7.0 must be installed, and the administration tool should be installed if you are going to manage the FTP server using the IIS 7.0 user interface.
• You must install the FTP server as an administrator. (See the Downloading and Installing section for more.)
• IIS 7.0 supports a new shared configuration environment, which must be disabled on each server in a web farm before installing the new FTP server for each node. Note: Shared configuration can be re-enabled after the FTP server has been installed.
• The FTP server that is shipped on the Windows Server Code Name "Longhorn" DVD must be uninstalled before installing the new FTP server.

See for more details and to download.

Changing the default FTP site to Isolate Users using Active Directory

If you have installed the FTP server for IIS 6 you will notice that it is not configured to isolate users either locally or by using Active Directory and that there is no UI to enable this!

There are two ways to change user isolation:

  1. Create a new FTP site and configure it then.
  2. Adjust the IIS Metabase properties using a script

Option #1 above is quite simple and does not really need any explaining. Just create a new FTP site and follow the prompts.

Option #2 is what this article concentrates on.

We can either write a simple ADSI/WMI script or we can use the adsutil.vbs script; we are going to concentrate on the adsutil.vbs script.

First, how does IIS determine the user isolation mode?

IIS uses a metabase property called UserIsolationMode to control user isolation in association with ADConnectionsUserName, ADConnectionsPassword and DefaultLogonDomain properties.


The UserIsolationMode can only be one of the following values.

  • 0 = Not Isolated
  • 1 = Isolated (Locally)
  • 2 = Isolated using Active Directory

When UserIsolationMode = 0

There is no user isolation in this mode; this is the default setting.

When UserIsolationMode = 1

A client authenticates using a local or domain account and is then sent to a folder under the root that matches the user name. This setting is called "Isolated (Locally)," and it supports users who do not want to use Active Directory.

When UserIsolationMode = 2

User isolation is dependent on Active Directory. This setting is called "Isolated (Active Directory)," and it is primarily used by Internet service providers (ISPs) and other customers who want to set up large numbers of FTP accounts.

When using this mode the following properties must also be configured.

  • ADConnectionsUserName
  • ADConnectionsPassword
  • DefaultLogonDomain

The ADConnectionsUserName specifies the user account (without the domain) that will be used to communicate with Active Directory to read the ms-IIS-FTP-Dir and ms-IIS-FTP-Root Active Directory attributes. The ADConnectionsPassword specifies the password for that user account, and the DefaultLogonDomain is the domain for the user account.

Note: The UserIsolationMode key is by default not set in the IIS metabase for the default FTP site and defaults to a value of 0 (Not Isolated)


Using ADSUTIL.VBS to change to Active Directory User Isolation Mode

Adsutil.vbs is installed into c:\inetpub\adminscripts by default.

We will make the following assumptions for setting up User Isolation

  • We have backed up the IIS Metabase using the UI - if you have not DO IT NOW! 
    ( Open IIS Manager, Right click Server Name, All Properties, Backup/Restore configuration)
  • We are going to change the default FTP site user isolation mode.
  • We are going to Isolate users using Active Directory.
  • We are going to use an account of TestDomain\TestUserName to gain access to Active Directory with a password of $Password_

To determine the current user isolation mode we will run the following command from a CMD.EXE prompt.

cscript adsutil.vbs get MSFTPSVC/1/UserIsolationMode

Note: The output shows that the value is not set; this is the default for the Default FTP Site.

To set the UserIsolationMode to 2 which is Active Directory Isolation we issue the following command.

cscript adsutil.vbs set MSFTPSVC/1/UserIsolationMode 2

Note: The result is that we have now configured the default FTP site to use Active Directory Isolation (2)

But: We have not configured any credentials to be used to allow the server to talk to Active Directory yet!

We now need to configure the user account that will be used to communicate with Active Directory

The following commands will do this

cscript adsutil.vbs set MSFTPSVC/1/ADConnectionsUserName TestUserName
cscript adsutil.vbs set MSFTPSVC/1/ADConnectionsPassword $Password_
cscript adsutil.vbs set MSFTPSVC/1/DefaultLogonDomain TestDomain

If you now right-click the default FTP site in IIS Manager and select Properties, you will see that it is different.

Active Directory Isolation   Default - No User Isolation


To restore the UserIsolationMode to the default, which is 0 we simply issue the following command.

cscript adsutil.vbs set MSFTPSVC/1/UserIsolationMode 0
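
The following C# audit is an added example, not code from the original post. It reads the same metabase properties through ADSI and flags the states the steps above can leave behind: mode 2 without ADConnectionsUserName or DefaultLogonDomain, a user name that includes the domain, and AD credentials still stored after reverting to mode 0 or 1. The class and method names are hypothetical; it assumes a reference to System.DirectoryServices and an administrator prompt on the IIS 6 server.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example (not the original author's code): audits the FTP user isolation
// settings described above. Class and method names are hypothetical.
static class FtpIsolationAudit
{
    // Pure rule check, separated from metabase access so it can be exercised
    // without IIS. mode == null means the key is not set (effective value 0).
    public static List<string> Evaluate(int? mode, string adUser, string adDomain)
    {
        var findings = new List<string>();
        int effective = mode ?? 0;
        bool hasUser = !string.IsNullOrEmpty(adUser);

        if (effective < 0 || effective > 2)
        {
            findings.Add("UserIsolationMode " + effective + " is invalid (expected 0, 1 or 2)");
            return findings;
        }
        if (effective == 0)
            findings.Add("users are not isolated");
        if (effective != 2 && hasUser)
            findings.Add("ADConnectionsUserName '" + adUser + "' is still stored but unused in this mode");
        if (effective == 2)
        {
            if (!hasUser)
                findings.Add("mode 2 without ADConnectionsUserName: no account to read the AD attributes");
            else if (adUser.IndexOf('\\') >= 0 || adUser.IndexOf('@') >= 0)
                findings.Add("ADConnectionsUserName must not include the domain; use DefaultLogonDomain");
            if (string.IsNullOrEmpty(adDomain))
                findings.Add("mode 2 without DefaultLogonDomain");
        }
        return findings;
    }

    // Returns null when the property is not set. The password is deliberately not read.
    static string ReadString(DirectoryEntry entry, string name)
    {
        object value = entry.Properties[name].Value;
        return value == null ? null : value.ToString();
    }

    static void Report(string site, int? mode, string adUser, string adDomain)
    {
        List<string> findings = Evaluate(mode, adUser, adDomain);
        Console.WriteLine("{0}: UserIsolationMode={1}", site,
                          mode.HasValue ? mode.Value.ToString() : "(not set)");
        foreach (string finding in findings)
            Console.WriteLine("  - " + finding);
        if (findings.Count == 0)
            Console.WriteLine("  ok");
    }

    static void Main()
    {
        // Constructed samples, so the rules can be seen without a server.
        Report("sample: default site", null, null, null);
        Report("sample: mode 2 set, no credentials yet", 2, null, null);
        Report("sample: settings from the article", 2, "TestUserName", "TestDomain");
        Report("sample: reverted to mode 0", 0, "TestUserName", "TestDomain");

        // Live audit of the local metabase (needs administrator rights).
        try
        {
            using (var service = new DirectoryEntry("IIS://localhost/MSFTPSVC"))
            {
                foreach (DirectoryEntry site in service.Children)
                {
                    if (site.SchemaClassName != "IIsFtpServer") continue; // Case sensitive
                    object raw = site.Properties["UserIsolationMode"].Value;
                    Report("MSFTPSVC/" + site.Name,
                           raw == null ? (int?)null : Convert.ToInt32(raw),
                           ReadString(site, "ADConnectionsUserName"),
                           ReadString(site, "DefaultLogonDomain"));
                }
            }
        }
        catch (Exception e)
        {
            Console.WriteLine("Could not read the IIS metabase: " + e.Message);
        }
    }
}
```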


A free FTP User Account Editor for Active Directory

The following application is free and comes with full source code written in c#. You can use this application to easily configure the ms-IIS-FTP-Root and ms-IIS-FTP-Dir Active Directory attributes for 1 or more users using a very simple UI.

To read more or to download the application see this blog post -

Some additional references:

IIS Insider - June 2006 - Written by me....

I have had my first set of questions & answers on the Microsoft FTP Server published in June IIS Insider section on

IIS Insider is a monthly column designed to answer your questions on how to troubleshoot and make the most of Microsoft Internet Information Services (IIS).

IIS Insider

The questions I presented are:

  • Adding Virtual Directories to an FTP Server
  • Administering Physical Directories on an FTP Site
  • User Isolation Mode options

The article is up for the month of June (it only went up today June 22) at

After June you can see the details on the IIS Insider column archives

FTP - Steve Schofield has written a couple of useful articles on Blind Drop & Blind Get FTP Server using IIS

Steve Schofield has written two articles on how to set up an anonymous “blind drop” and “blind get” FTP server using Microsoft Windows 2003.

See these articles

You may be wondering, what is a “blind drop” server?  A “blind drop” FTP server provides individuals or companies a method to anonymously transfer files using FTP without having permission to list files or retrieve files on the FTP site.  In other words, you can “drop” files onto the server but not see what’s there or retrieve files if you did know what was there. There are benefits for both the end-user and FTP administrator.  The end-user doesn’t have to remember a user id and password.  The FTP administrator uses NTFS permissions so anonymous users can’t browse or retrieve files.  The biggest benefit for the FTP administrator is that they don’t have to maintain user ids and passwords for everyone needing FTP access. 

You may be wondering, what is a “blind get” server?  A “blind get” FTP server provides a method to anonymously transfer files using FTP without having permission to list files or add files on the FTP site.  In other words, you can “get” files but not see what’s there or retrieve files unless the absolute path is known.  There are benefits for both the end-user and FTP administrator.  The end-user doesn’t have to remember a user id and password.  The FTP administrator uses NTFS permissions so anonymous users can’t browse or add files. 

FTP User Editor for Active Directory (Updated)

The FTP User Editor for Microsoft Active Directory has been updated to fix a couple of problems.


  • There was a limit of 1000 objects being returned from the Active Directory - increased to 32768. 

You can download and install from:

For more details on the FTP User Editor please see the original post at

FTP User Editor for Microsoft Active Directory (Updated)

The FTP User Editor for Microsoft Active Directory has been updated to fix a couple of problems.


  • The connect dialog did not hide the password as you typed it!
  • The Recent Users were lost after you shutdown due to a difference in implementation between the old and new controls.

New Features

  • You can now browse to find the path for the FTP Root directory.

You can download and install from:

For more details on the FTP User Editor please see the original post at

C# application to show the WWW and FTP Sites and their log file directories....

I often look at the log files on my web server and with IIS 6 the folders are created with random numbers.

Correction from Tom regarding the “random numbers“:

In fact the log file names are generated from the site name so that in cases where a site is run on multiple servers the site id will be the same on each server. This helps with scripting and stuff. You can configure it in the registry to use the IIS5 type naming format if you want.

More details can be found below:

This simple application will display the WWW and FTP sites along with the log file directory. Just compile it or download the executable, drop the executable into your c:\windows\system32\logfiles folder, and double-click it when you need to view the site-to-folder relationships.

using System;
using System.Collections;
using System.DirectoryServices;
using System.IO;

namespace IISHelpDir
{
    /// <summary>Lists the IIS WWW and FTP sites with their log file directories.</summary>
    class Class1
    {
        /// <summary>The main entry point for the application.</summary>
        static void Main(string[] args)
        {
            SortedList www = new SortedList();
            SortedList ftp = new SortedList();
            try
            {
                const string FtpServerSchema = "IIsFtpServer"; // Case Sensitive
                const string WebServerSchema = "IIsWebServer"; // Case Sensitive
                string ServerName = "LocalHost";

                DirectoryEntry W3SVC = new DirectoryEntry("IIS://" + ServerName + "/w3svc");
                foreach (DirectoryEntry Site in W3SVC.Children)
                {
                    if (Site.SchemaClassName == WebServerSchema)
                    {
                        // The Path.Combine arguments are cut off in the listing; they are
                        // reconstructed here from the LogFileDirectory metabase property
                        // and the W3SVC<site id> folder naming that IIS uses.
                        string LogFilePath = System.IO.Path.Combine(
                            Site.Properties["LogFileDirectory"].Value.ToString(), "W3SVC" + Site.Name);
                        www.Add(Site.Properties["ServerComment"].Value.ToString(), LogFilePath);
                    }
                }

                DirectoryEntry MSFTPSVC = new DirectoryEntry("IIS://" + ServerName + "/msftpsvc");
                foreach (DirectoryEntry Site in MSFTPSVC.Children)
                {
                    if (Site.SchemaClassName == FtpServerSchema)
                    {
                        // Reconstructed as above; FTP log folders are named MSFTPSVC<site id>.
                        string LogFilePath = System.IO.Path.Combine(
                            Site.Properties["LogFileDirectory"].Value.ToString(), "MSFTPSVC" + Site.Name);
                        ftp.Add(Site.Properties["ServerComment"].Value.ToString(), LogFilePath);
                    }
                }

                // Find the widest site description so the columns line up
                int MaxWidth = 0;
                foreach (string Site in www.Keys)
                    if (Site.Length > MaxWidth)
                        MaxWidth = Site.Length;
                foreach (string Site in ftp.Keys)
                    if (Site.Length > MaxWidth)
                        MaxWidth = Site.Length;

                Console.WriteLine("Site Description".PadRight(MaxWidth) + "  Log File Directory");
                Console.WriteLine("WWW Sites");
                foreach (string Site in www.Keys)
                    Console.WriteLine(Site.PadRight(MaxWidth) + "  " + www[Site]);
                if (ftp.Keys.Count > 0)
                {
                    Console.WriteLine("FTP Sites");
                    foreach (string Site in ftp.Keys)
                        Console.WriteLine(Site.PadRight(MaxWidth) + "  " + ftp[Site]);
                }
            }
            catch (Exception e)
            {
                // Catch any errors
                Console.WriteLine("Error: " + e.ToString());
            }
            Console.WriteLine("Press enter to close/exit....");
            Console.ReadLine();
        }
    }
}

To download a ZIP file containing the c# source and executable (.Net 1.1) please click here.

FTP User Account Editor for Active Directory

FTP User Editor for Microsoft Active Directory.....

What is this?

When you run the FTP server with Microsoft IIS 6.0 on the Windows 2003 Server Family of products you can have the FTP server isolate users to their own folders. This means that the user cannot browse into another user's folder.

There are three isolation modes:

  1. Do not isolate users
  2. Isolate Users
  3. Isolate Users with Active Directory

This application is designed for option 3 and allows you to edit two attributes for a user's account:

  • msIIS-FTPRoot
  • msIIS-FTPDir

For more details on these attributes see the following page.

There is no Windows UI to perform this step but there is a way to edit these attributes using the IISFTP.vbs script that is installed when you install IIS with the FTP Service in IIS 6.

The IISFTP.vbs script works fine but sometimes it is nicer and simpler to have a UI to help perform these steps. You also can see potential problems easier with a Windows UI.

The Application

This application has been written in C# and requires the .NET Framework 2.0 (the new framework) to function. Windows 2003 Server Family by default installs the .NET Framework 1.1.

The .NET Framework 2.0 redistributable can be downloaded from this page and is approx 22MB

You can then download and install this application from the URL below.

After you install the program a new item will be added to your Start - Programs folder called IIS Tools.

When you run the application it will prompt you for a Windows Active Directory domain to log onto. You can log on with the currently logged on user account or you can specify another account to log on with.

Once you log on you are then shown a tree of Folders and Organizational Units (OUs). Clicking on a node will display all user accounts in that folder or OU.

You can select one or more users and right click and select Edit which will bring up the User Editor dialog.

This dialog allows you to set or clear the attributes that are required for users to log on to the FTP server.

If you have any comments on this application ( or bug reports ) please let me know at


Chris Crowe [ IIS MVP 1997 -> 2006 ]

Additional references

Hosting Multiple FTP Sites with FTP User Isolation (IIS 6.0)

FTP Error Status Codes
Code Description
100 Codes The requested action is being taken. Expect a reply before proceeding with a new command.
110 Restart marker reply.
120 Service ready in (n) minutes.
125 Data connection already open, transfer starting.
150 File status okay, about to open data connection.
200 Codes The requested action has been successfully completed.
200 Command okay.
202 Command not implemented
211 System status, or system help reply.
212 Directory status.
213 File status.
214 Help message.
215 NAME system type. (NAME is an official system name from the list in the Assigned Numbers document.)
220 Service ready for new user.
221 Service closing control connection. (Logged out if appropriate.)
225 Data connection open, no transfer in progress.
226 Closing data connection. Requested file action successful (file transfer, abort, etc.).
227 Entering Passive Mode
230 User logged in, proceed.
250 Requested file action okay, completed.
257 "PATHNAME" created.
300 Codes The command has been accepted, but the requested action is being held pending receipt of further information.
331 User name okay, need password.
332 Need account for login.
350 Requested file action pending further information.
400 Codes The command was not accepted and the requested action did not take place. The error condition is temporary, however, and the action may be requested again.
421 Service not available, closing control connection. (May be a reply to any command if the service knows it must shut down.)
425 Can't open data connection.
426 Connection closed, transfer aborted.
450 Requested file action not taken. File unavailable (e.g., file busy).
451 Requested action aborted, local error in processing.
452 Requested action not taken. Insufficient storage space in system.
500 Codes The command was not accepted and the requested action did not take place.
500 Syntax error, command unrecognized. This may include errors such as command line too long.
501 Syntax error in parameters or arguments.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
530 User not logged in.
532 Need account for storing files.
550 Requested action not taken. File unavailable (e.g., file not found, no access).
552 Requested file action aborted, storage allocation exceeded
553 Requested action not taken. Illegal file name.

IIS FTP - Shared Folders with FTP Isolated Users
I came across this question on the "microsoft.public.inetserver.ftp" newsgroup today
I am setting up a FTP site in User Isolation Mode.
I have FTPRoot as C:\Inetpub\ftproot.
Under this I have the following physical directory structure:
    |- User1
    |- Public

Both User1 and anonymous can log in fine and are limited to their
directories (so far so good)

I have a directory c:\ftp\shared that I want User1 and anon to see under
their home directories, but I can't seem to setup the virtual directory
structure correctly.

I have tried the following in IIS:
    |-LocalUser (VDIR to c:\Inetpub\ftproot\LocalUser)
        |-User1 (VDIR to c:\Inetpub\ftproot\LocalUser\User1)
            |-shared (VDIR to C:\ftp\shared)

    |- User1 (VDIR to c:\Inetpub\ftproot\LocalUser)
        |- shared (VDIR to c:\ftp\shared)

neither has worked.  I have also tried to setup the LocalUser as a virtual
directory pointing to some other location (moving the physical directories
too), but then no user was able to login.

What is the proper way to do this?

The following is one method to get this to work. I do not know of a better method, but this does work.

Let's start with a new FTP site with nothing in it.

I start by creating a folder at the following location (you can use any path you want)


Now you create your FTP site and configure it to use FTP Isolated Users

So continue with the FTP Site Creation Wizard.

Now in the home directory folder you must create the following directory "LocalUser" so our path will be:


Note: In my sample I am doing this on Small Business Server 2003 which is a Domain Controller - this means that instead of using LocalUser I must use the name of my domain which is called IISFAQ

Now you must create your directories for each user who will access the FTP site.

In this example I have created a user called XYZ

so I now create a folder called XYZ inside of the LocalUser or DOMAINNAME folder.


Create a file in the XYZ folder called XYZ.TXT just so we know we are in the correct place.

If you test this now with an FTP client you should be able to log on as user XYZ and see the file XYZ.TXT

We now need to create a folder for the shared documents or files.

We go back to our FTP home directory and create a folder called Shared


If this is all we do our Shared folder is not accessible so it does not have any use to us.

Create a file in the Shared folder called Shared.TXT

We now need to add a virtual directory to the FTP Site.

  • Right click the FTP Site in IIS Manager and select New-Virtual Directory
  • Enter Shared as the Alias and click Next
  • Enter C:\Inetpub\FTPSites\LocalIsolatedShared\Shared as the path and click next
  • Click Next and then click Finish.

Now, although the user will not be able to see this Shared folder, they can actually change directory to it. So it is sort of like a hidden directory, as can be shown below.

So we now have a problem because the Shared virtual directory is there but the user cannot see it!

So how do we get the user to see this virtual directory?

The only way that I know of is to create a physical folder called "Shared" in the user's area.

So we end up with this path:


Now when the user issues a DIR command they will see a folder called Shared and if they change into the Shared folder they will see the contents not of the physical folder but of the virtual directory folder as can be shown below.

Note: This means that we have to create a folder called Shared for every FTP user on your site which is not ideal and sort of defeats the purpose of virtual directories but I do not know of another way to perform this action.

IIS - Using Command-Line Administration Scripts (IIS 6.0)

You can extend administrative control by using scripts to perform server administration tasks. You can use scripts to automate tasks, remotely administer sites and resources, and take advantage of batch files to create and manage objects. For additional information on using command lines, see the "Command-Line Reference" in Help and Support Center for Windows Server 2003.

Internet Information Services 6 (IIS 6) contains eight supported command-line scripts that use the IIS Windows Management Instrumentation (WMI) provider to configure and manage IIS metabase configurations. Microsoft supports the command-line scripts that are included in IIS, as long as the scripts are not modified. If you need to modify a supported script, you must save it under a new file name, leaving the original script unmodified.

For more details see

Custom Property Page for Active Directory User and Computers to manage IIS FTP Home Directories and FTP Root Directories

I have been working on a C++ project to create a new property page that will show up in Active Directory Users & Computers when you view the properties of a user account. This new property page will allow you to edit the FTP Root (msIIS-FTPRoot) and FTP Directory (msIIS-FTPDir) for users so that if you have configured the IIS FTP Service to run using Active Directory Isolation Mode you can simply use the GUI to view or modify these attributes.

For more details on these Active Directory attributes see the following:

This is the custom property page as of today (August 9, 2005). I plan to release the source code to this add in and also a compiled binary. I would really like to have a setup.exe application that can install it and configure active directory to use the new property page. Currently this is done manually by editing the Active Directory using a tool (adsvw.exe) that is included with the Active Directory SDK.

Please let me know if you think this is a worthwhile project and if you think it could use any extra features. I am not sure when I will release the code because I really want to make sure there are no bugs. It is currently working fine, but I need to test it on a Windows 2000 Active Directory Server that does not have the Schema Additions added to it.

So things to do:

  • Make sure there are no bugs in the code & comment the code.
  • Test on Windows 2000, Windows 2000 SBS, Windows 2003, Windows 2003 SBS (done)
  • Write a setup application to install DLL onto server.
  • Write a setup that can configure Active Directory to use the new property sheet.
  • Do all of this ASAP and release to the public.

Please leave comments.