notquiteanewbie Posted April 29, 2008

First let me say my FTP site with Active Directory User Isolation has functioned in the past until recently. Even now the behavior is very strange.

* I can still log in with no issues
* A service account that was able to log in previously with no issues is no longer able to log in; home directory inaccessible.
* New user accounts I create cannot access their home directories.

Here is my workflow for creating new users in ADUC and allowing them access to FTP.

1. Create new domain user account
2. Open domain User Account Properties, select the Member Of tab, add them to the FTP User Group
3. Open ADSI Edit, add entries for the user's FTP root directory and folder.
4. Navigate to the FTP server, create the user home folder
5. Verify read, write, modify access on FTP

This is the folder structure that allows the user access:

[ftp server]
Inetpub
  - FTPROOT (FTP Users have full control over this directory)
    - [user Directory]

All FTP user home directories are in this folder.

So for ADSI Edit entries I would have:

msIIS-FTPDir \[foldername] (I create this folder when needed)
msIIS-FTPRoot \\[servername]\ftproot\ (does not change for any user)

Notable items

* The local Administrator password was changed within the last 2 weeks
* The service account (used to move backups to the FTP) could no longer move the backups as of about 2 weeks ago
* I have tried deleting and recreating the FTP site
* I have tried uninstalling and reinstalling IIS via Add/Remove Windows Components. I would think uninstalling and/or creating a new FTP site would negate any effect of changing the local administrator password.

Another strange point: when trying to get the UserIsolationMode via adsutil.vbs I get an error.

Here's the command:

C:\Inetpub\AdminScripts\cscript adsutil.vbs get MSFTPSVC/63361983/UserIsolationMode

Here's the result:

Microsoft ® Windows Script Host Version 5.6
Copyright © Microsoft Corporation 1996-2001. All Rights reserved
ErrNumber: -2146646000 (0x800CC810)
Error Trying to GET the Object (GetObject Failed): MSFTPSVC/63361983

63361983 is the FTP site in question.

This is Windows 2003 SP1.

Websites I have already visited:

http://www.microsoft.com/technet/community...er/default.mspx
http://blog.crowe.co.nz/archive/2006/09.aspx

Additionally I have filemon currently running on the server. When I log into FTP I can see the success result of routing my personal account to the appropriate directory path.

However when using this service account, nothing is displayed, not even a failure to open or access denied.

Please help
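A read-only check of the two ADSI Edit attributes from the workflow in the post above, added here as a PowerShell example that is not part of the thread: it reads msIIS-FTPRoot and msIIS-FTPDir for an account and confirms that the combined path exists. The function names, account names and host name are hypothetical, and the sample values are constructed.

```powershell
# Added example. Function names and sample values are hypothetical/constructed.

# Read the two isolation attributes for one account (needs a domain-joined machine).
function Get-FtpIsolationAttributes {
    param([string]$SamAccountName)
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('msIIS-FTPRoot', 'msIIS-FTPDir'))
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { throw "No user named $SamAccountName" }
    # SearchResult property names come back lowercase; a missing attribute becomes ''.
    @{
        FtpRoot = [string]($hit.Properties['msiis-ftproot'] | Select-Object -First 1)
        FtpDir  = [string]($hit.Properties['msiis-ftpdir']  | Select-Object -First 1)
    }
}

# Combine root + dir as in the post's entries and report what is wrong, if anything.
function Test-FtpHome {
    param([string]$User, [string]$FtpRoot, [string]$FtpDir)
    $issues = @()
    if ([string]::IsNullOrEmpty($FtpRoot)) { $issues += 'msIIS-FTPRoot is empty' }
    if ([string]::IsNullOrEmpty($FtpDir))  { $issues += 'msIIS-FTPDir is empty' }
    $homePath = $null
    if ($issues.Count -eq 0) {
        # Tolerate the trailing/leading backslashes used in the post's values.
        $homePath = $FtpRoot.TrimEnd('\') + '\' + $FtpDir.TrimStart('\')
        # Test-Path runs as the caller: it proves the folder exists for you,
        # not that the account logging in over FTP has NTFS or share rights.
        if (-not (Test-Path -LiteralPath $homePath -PathType Container)) {
            $issues += "home folder not found or not readable: $homePath"
        }
    }
    New-Object PSObject -Property @{
        User = $User; HomePath = $homePath; Issues = ($issues -join '; ')
    }
}

# Constructed sample values in the shape the post describes (not real hosts or accounts).
Test-FtpHome -User 'svc-backup' -FtpRoot '\\ftp01.example.test\ftproot\' -FtpDir '\svc-backup'
Test-FtpHome -User 'newuser1'   -FtpRoot '\\ftp01.example.test\ftproot\' -FtpDir ''

# Against the directory:
# $a = Get-FtpIsolationAttributes 'svc-backup'; Test-FtpHome -User 'svc-backup' @a
```

Running it once as an account that works and once in a session started as the failing account separates a missing attribute or folder from an access problem.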
notquiteanewbie Posted May 2, 2008

Just got off the phone with Microsoft. We ended up creating a new FTP site with Active Directory User Isolation. We created a new service account and granted it Domain Administrator permissions and it worked. Still doesn't explain why it worked in the past with the old service account without Domain Admin permissions... maybe a security patch? I am now waiting to hear back regarding the minimum permissions required for the MSFTPSVC service account.