Title: Message
Mario,
 
Here is a different way:
There is a knowledge base article published by Microsoft that covers the following:
 
Although members of the Domain Admins group can successfully FTP to a Windows 2000-based Internet Information Services (IIS) server, members of the Domain Users group may be unable to do so.
 
In this case it is FTP-ing to a W2K IIS server, but it would apply to a WS_FTP Server that is part of that Domain as well.
 
The article further says: This behavior can occur because the Users group does not by default have the Log on Locally user right, which is required to connect to resources hosted on an IIS server, or in this case the WS_FTP Server.
 
The steps outlined in this article solve the problem of users having to be part of the Admin group to connect.
 
Also, by following the instructions in this KB, you do not have to make the WS_FTP Server machine a member of the Administrator's Group in the Active Directory Users and Computers settings.
 
According to Microsoft, this behavior is by design.
 
Here is the article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;285806#appliesto
 
 
BTW, you mentioned
"my W2K specialist tells me that I am giving full rights to the WS_FTP Server process. For example it could easily delete a part of the Active Directory as it has the rights!"
 
How would the WS_FTP Server process delete a part of the Active Directory? And actually the instruction is to edit the FTP Server computer's (not Process) membership, to add Administrator.

Mark Singh
Ipswitch, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of OOSTERS Mario
Sent: Thursday, January 08, 2004 11:30 AM
To: [EMAIL PROTECTED]
Subject: [WS_FTP Forum] Security Active Directory problem

Howdie,
 
I have been running a case with the WS_FTP Server support team about problems authenticating with a remote Active Directory (530 Invalid userid/password, while I could see the users in the WS_FTP Server Manager). The problem was apparently that my W2K server running WS_FTP Server did not have sufficient rights. Ipswitch proposed that I change the following in my Active Directory.
Click: Start > Programs > Administrative Tools > Active Directory Users and Computers.
 1. Click on the Computers folder in the tree to the left.
    You will see a list of machines within the domain. Right click on the name
    of the member server that WS_FTP Server is installed on and choose Properties.
 2. Click on the Member Of tab.
 3. Click the Add button.
 4. Select Administrators, click Add.
 5. Click OK in the windows to close them.
This makes the problem go away. The problem now is that my W2K specialist tells me that I am giving full rights to the WS_FTP Server process. For example it could easily delete a part of the Active Directory as it has the rights! Of course, we would like to avoid this and I am wondering if anybody else has found a way to minimize the rights and still make this work. I am asking the list as the R&D of Ipswitch apparently hasn't been testing Active Directory together with security settings.
 
 
Mario Oosters
Senior Network Engineer @ Groupe S
Rue des Ursulines 2A, 1000 Brussel
Belgium
 
Tel : ++ 32 2 507 15 77
Fax : ++32 2 507 15 75
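
The least-privilege route discussed in this thread depends on who holds the Log on Locally right on the FTP server. As an added example (not code from either poster, Ipswitch or Microsoft), this Python sketch reads a user-rights export of the kind `secedit /export` writes and reports whether ordinary users hold that right. It assumes the right appears as `SeInteractiveLogonRight`; the function names, sample export and domain SID are constructed.

```python
# Added example: audit a security-policy export (secedit /export style) for the
# "Log on locally" right instead of adding the server to Administrators.
import configparser

LOGON_LOCALLY = "SeInteractiveLogonRight"   # policy name for "Log on locally"
BUILTIN_USERS = "S-1-5-32-545"              # well-known SID of BUILTIN\Users
DOMAIN_USERS_RID = "513"                    # well-known RID of Domain Users
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# Constructed sample: only Administrators and Backup Operators may log on locally.
# Real exports are usually UTF-16; decode the file before passing its text in.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

def holders(export_text, right=LOGON_LOCALLY):
    """Return the SIDs or account names granted `right` (empty list if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                    # keep the case of privilege names
    cp.read_string(export_text)
    raw = cp.get("Privilege Rights", right, fallback="")
    # SIDs are written with a leading '*'; unresolved names appear without one.
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]

def can_log_on_locally(export_text, domain_sid):
    """True if BUILTIN\\Users or Domain Users is granted the right directly.

    Nested group membership is not resolved; only direct grants are checked.
    """
    granted = set(holders(export_text))
    return bool(granted & {BUILTIN_USERS, f"{domain_sid}-{DOMAIN_USERS_RID}"})

if __name__ == "__main__":
    print("holders:", holders(SAMPLE_EXPORT))
    print("ordinary users can log on locally:",
          can_log_on_locally(SAMPLE_EXPORT, DOMAIN_SID))
```
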
 
