We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

Allow msIIS-FTPRoot attribute to enumerate to connected FTPRootRSS

1 reply

Last post Jan 08, 2009 03:46 AM by JaroDunajsky

  • Allow msIIS-FTPRoot attribute to enumerate to connected FTPRoot

    Jan 05, 2009 08:49 AM|lee.wilmott|LINK

    I am using Windows Server 2008 and IIS7.

    I am able to configure FTP User Isolation without any problems - but I am unable to get the flexibility that I require.

    I have a folder structure as defined below...


    What I would like to achieve is the following...

    1) I want to create a user account for every customer we have...ie. Customer1, Customer2 and Customer3.
    2) Each customer should only be allowed access to their own folder.
    3) The root folder for each customer should be their own customer folder.
    4) I have an 'admin' ftp account, that is used by us internally, that should allow access to all customer folders.
    5) The root folder for the 'admin' account should be the "\live" folder (to allow access to all the customer folders).

    To achieve this I have used "User Isolation using Active Directory".  This works perfectly without a problem!


    I have another FTP Site on the same server with folder structure as defined below...


    This is used by our Development Teams for testing and UAT (User Acceptance Testing).  So, our Dev environment needs to be the same as our Live environment.

    The problem is that it appears that the Active Directory attributes for "AD User Isolation" requires a full path.

    So, I need to find a solution that fulfils the above requirements.  Ideally, I could solve my problem if I could modify the Active Directory attributes so that the "msIIS-FTPRoot" attribute enumerates to the FTP Site you connected to.  (eg. msIIS-FTPRoot = %FTPRoot%).

    "PLEASE" can such a feature be added to IIS7? 

    Thanks in advance,



  • Re: Allow msIIS-FTPRoot attribute to enumerate to connected FTPRoot

    Jan 08, 2009 03:46 AM|JaroDunajsky|LINK

    Unless I missed a detail in your requirements you could achieve what you are looking for with existing feature set of FTP 7.0 (not the built-in FTP that comes with Win2008 but the one from www.iis.net\extensions).

    FTP 7.0 allows for user home directories to be virtual directories (previously user home directories had to be physical directories under the root of the site and virtual directories, if configured were global to everyone and not visible in the user isolation mode)

    Here are the approximate steps: 

    1) Choose the FTP user isolation in the IIS Manager called: 
    User name directory (disable global virtual directories)

    2) Remember that this mode (just like the legacy FTP server) assumes the full username for local user called foo as localuser\foo so the home directory for foo would be c:\inetpub\ftproot\localuser\foo (assuming c:\inetpub\ftproot being the site root.

    3) Add virtual directory for localuser\administrator to point to c:\inetpub\ftproot and your scenario should just work.




    Jaroslav Dunajsky (MSFT, IIS)