win2k3 iis6 - need to give ftp permissions to website folder

[Katt]

I need to give someone permission to edit one website only on my win2k3 server - he cannot have access to anything else. Here's what I've done:

- websitexyz.com already created and running in the \server\inetpub\ftproot\websitexyz folder
- created new user websitexyz and removed from all groups (to prevent inheriting permissions)
- created new group xyz
- added user websitexyz to group xyz
- made sure user websitexyz and group xyz had no ntfs permissions to anything other than the folder \server\inetpub\ftproot\websitexyz

Some of these steps were obviously done after realizing I had a problem - I log in using an ftp client as user websitexyz and I have access to ALL websites in the inetpub\ftproot\ folder. What am I doing wrong?

Thanks for any help!

[Katt]

I should clarify - the ftp client logs me into the correct folder \server\inetpub\ftproot\websitexyz but I can easily navigate up to the other website folders.

[Melissa M.]

Have you also looked at the folder itself and made sure the permissions for ftp users are what you want? for info on changing folders permissions, look up the unix command "chmod" -- for info on listing a folders permissions, see "ls"

[Katt]

I kept hoping someone who knew windows would reply. Thanks for trying Melissa, but the topic clearly states win2k3 server. I've now installed FileZilla server and will see if I can make that work for me instead.

[wige]

Eww, Win2K3... Honestly, its been a while, but I ran into the exact same issue a few years ago. There are basically a set of permissions that you need to set for a user. The first is the FTP permissions, which you have already set. This simply allows the user to authenticate with the FTP server software. Then, NTFS permissions grant read/write access via the local filesystem. However, there is another set of permissions that are set through the sharing tab if I recall correctly, which basically determines if that user can read/write while connected remotely. All of these settings have to be set up individually.

Also, I should ask, when you browse to higher-level directories, are you able to write, or do you only have read access? I believe that all accounts, even if they don't belong to any groups, are implicitly members of the group Everybody, which has read access to the entire Inetpub directory. If that is the problem, you may need to Deny the new user (a user permission overrides a group permission) from Inetpub, then allow the user in the specific subdirectory.