Chris Crowe's Blog
Ramblings of an IIS MVP ( MVP Since 1997 )

September 2006 Entries

Product Name Changes

Effective immediately the following product family names have been changed:

Old Product Family name              New Product Family name
FrontPage                            Office SharePoint Designer
SharePoint Portal Server             Office SharePoint Server
SharePoint Portal CAL                Office SharePoint CAL
SPS External Connector Non Employee  SharePoint Internet
Office Professional                  Office Professional Plus
Office Small Business Edition        Office Small Business

End of Support for Windows XP SP1

Additionally, effective October 10, 2006, assisted support for Windows XP Service Pack 1 (SP1) will end. After this date, Microsoft will no longer provide any incident support or security updates. To enhance the security of your computer, maintain eligibility for continued support and continue receiving updates, customers need to move to a supported OS level. Microsoft recommends upgrading to Windows XP Service Pack 2 (SP2) to provide a higher level of security for their systems. To learn more about upgrading to Windows XP SP2 and the technical support provided at no charge for issues related to downloading and installing the service pack, visit http://www.microsoft.com/windowsxp/SP2.

To review all the publicly disclosed End of Support dates as part of the Microsoft Support Lifecycle Policy, visit http://support.microsoft.com/lifecycle

If you have installed the FTP server for IIS 6 you will notice that it is not configured to isolate users, either locally or by using Active Directory, and that there is no UI to enable this!

There are two ways to change user isolation:

  1. Create a new FTP site and configure isolation while creating it.
  2. Adjust the IIS Metabase properties using a script.

Option #1 above is quite simple and does not really need any explaining. Just create a new FTP site and follow the prompts.

Option #2 is what this article concentrates on.

We can either write a simple ADSI/WMI script or we can use the adsutil.vbs script - we are going to concentrate on adsutil.vbs.

First, how does IIS determine the user isolation mode?

IIS uses a metabase property called UserIsolationMode to control user isolation, in conjunction with the ADConnectionsUserName, ADConnectionsPassword and DefaultLogonDomain properties.

UserIsolationMode

UserIsolationMode can take only one of the following values:

  • 0 = Not Isolated
  • 1 = Isolated (Locally)
  • 2 = Isolated using Active Directory

When UserIsolationMode = 0

There is no user isolation in this mode; this is the default setting.

When UserIsolationMode = 1

A client authenticates using a local or domain account and is then sent to a folder under the FTP root that matches the user name. This setting is called "Isolated (Locally)," and it supports users who do not want to use Active Directory.

When UserIsolationMode = 2

User isolation is dependent on Active Directory. This setting is called "Isolated (Active Directory)," and it is primarily used by Internet service providers (ISPs) and other customers who want to set up large numbers of FTP accounts.

When using this mode, the following properties must also be configured:

  • ADConnectionsUserName
  • ADConnectionsPassword
  • DefaultLogonDomain

ADConnectionsUserName specifies the user account (without domain) that will be used to communicate with Active Directory to read the ms-IIS-FTP-Dir and ms-IIS-FTP-Root Active Directory attributes. ADConnectionsPassword specifies the password for that user name, and DefaultLogonDomain is the domain of the user account.

Note: The UserIsolationMode key is by default not set in the IIS metabase for the Default FTP Site and therefore defaults to a value of 0 (Not Isolated).

Using ADSUTIL.VBS to change to Active Directory User Isolation Mode

Adsutil.vbs is installed into c:\inetpub\adminscripts by default.

We will make the following assumptions for setting up User Isolation:

  • We have backed up the IIS Metabase using the UI - if you have not, DO IT NOW!
    (Open IIS Manager, right click the Server Name, All Tasks, Backup/Restore Configuration)
  • We are going to change the default FTP site user isolation mode.
  • We are going to isolate users using Active Directory.
  • We are going to use an account of TestDomain\TestUserName to gain access to Active Directory, with a password of $Password_

To determine the current user isolation mode we run the following command from a CMD.EXE prompt:

cscript adsutil.vbs get MSFTPSVC/1/UserIsolationMode

Note: In the output of the above command we see that the value is not set; this is the default for the Default FTP Site.

To set UserIsolationMode to 2, which is Active Directory isolation, we issue the following command:

cscript adsutil.vbs set MSFTPSVC/1/UserIsolationMode 2

Note: The result is that we have now configured the default FTP site to use Active Directory isolation (2).

But: we have not yet configured any credentials to allow the server to talk to Active Directory!

We now need to configure the user account that will be used to communicate with Active Directory.

The following commands do this:

cscript adsutil.vbs set MSFTPSVC/1/ADConnectionsUserName TestUserName
cscript adsutil.vbs set MSFTPSVC/1/ADConnectionsPassword $Password_
cscript adsutil.vbs set MSFTPSVC/1/DefaultLogonDomain TestDomain

If you now right-click the default FTP site in IIS Manager and select Properties, you will see that the dialog is different.

[Screenshots: Active Directory Isolation vs. Default - No User Isolation]

To restore UserIsolationMode to the default, which is 0, we simply issue the following command:

cscript adsutil.vbs set MSFTPSVC/1/UserIsolationMode 0
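The ADSI route mentioned earlier, as an added example that is not part of the original post: a VBScript that reads the current isolation mode on the default FTP site, writes the three AD connection properties before switching to mode 2 (so the site is never left in Active Directory mode without credentials), and verifies what was actually committed to the metabase. The server name localhost, the site identifier 1 (matching MSFTPSVC/1 above) and the TestDomain\TestUserName credentials are assumptions taken from the walkthrough.

```vbscript
Option Explicit

' Added example: configure Active Directory user isolation on the default
' FTP site (MSFTPSVC/1) through the IIS ADSI provider instead of adsutil.vbs.
' Assumes it is run with cscript on the IIS 6 server itself ("localhost").
Const MODE_NOT_ISOLATED = 0
Const MODE_ISOLATED_LOCAL = 1
Const MODE_ISOLATED_AD = 2

Dim objFtpSite
Set objFtpSite = GetObject("IIS://localhost/MSFTPSVC/1")

' Read the mode first. On the default site the property is usually not
' set at all, which ADSI reports as an error; treat that as 0 (Not Isolated).
Dim currentMode
On Error Resume Next
currentMode = objFtpSite.Get("UserIsolationMode")
If Err.Number <> 0 Then
    currentMode = MODE_NOT_ISOLATED
    Err.Clear
End If
On Error GoTo 0
WScript.Echo "Current UserIsolationMode: " & currentMode

' Account used to read ms-IIS-FTP-Root / ms-IIS-FTP-Dir from Active Directory.
' Constructed sample values from the post, not real credentials.
Dim adUser, adPassword, adDomain
adUser = "TestUserName"
adPassword = "$Password_"
adDomain = "TestDomain"

' Mode 2 is only meaningful when all three AD connection properties exist,
' so write them in the same SetInfo as the mode change.
objFtpSite.Put "ADConnectionsUserName", adUser
objFtpSite.Put "ADConnectionsPassword", adPassword
objFtpSite.Put "DefaultLogonDomain", adDomain
objFtpSite.Put "UserIsolationMode", MODE_ISOLATED_AD
objFtpSite.SetInfo

' Verify the committed values (the password is deliberately not read back).
Dim newMode
newMode = objFtpSite.Get("UserIsolationMode")
If newMode <> MODE_ISOLATED_AD Then
    WScript.Echo "ERROR: UserIsolationMode is " & newMode & ", expected 2"
    WScript.Quit 1
End If
If Len(objFtpSite.Get("ADConnectionsUserName")) = 0 Or _
   Len(objFtpSite.Get("DefaultLogonDomain")) = 0 Then
    WScript.Echo "ERROR: AD connection account or domain not set"
    WScript.Quit 1
End If
WScript.Echo "Default FTP site now uses Active Directory isolation"
```

Run it as cscript from an elevated prompt after taking the metabase backup described above; to go back to the default, put 0 for UserIsolationMode in the same way.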

 

A free FTP User Account Editor for Active Directory

The following application is free and comes with full source code written in C#. You can use it to easily configure the ms-IIS-FTP-Root and ms-IIS-FTP-Dir Active Directory attributes for one or more users using a very simple UI.

To read more or to download the application see this blog post - http://blog.crowe.co.nz/archive/2006/03/09/594.aspx

Some additional references: