Configuring Users, Permissions, and Directories

In previous tutorials, we've covered fundamentals, software selection, and installation/initial setup. Now, we'll focus on configuring users, permissions, and directories - the core of controlling access in your file transfer server. This ensures only authorized users can upload, download, or view files, preventing unauthorized access and maintaining security.

Remember: Users are accounts for authentication, permissions define what they can do (e.g., read/write), and directories are the folders where files live (often with virtual mappings for security). We'll cover built-in Windows tools first, then Sysax Multi Server for multi-protocol support (FTP, FTPS, SFTP, SCP, HTTPS). Use Sysax FTP Automation for client testing.

Practice in a test VM. Assume Windows Server 2022/2025 with setups from the previous tutorial. Always change default passwords and test changes incrementally.


Configuring Built-in Windows Tools

Start with native options for simplicity. These integrate with Windows users and NTFS permissions.

1. IIS for FTP/FTPS

  • Users: IIS uses Windows or virtual users. In IIS Manager: Sites > Your FTP Site > FTP Authorization Rules > Add Allow Rule.
    • Select "Specified users" > Enter username (e.g., a local Windows user like "TestUser").
    • For domain users: Integrate with Active Directory by using domain\username.
  • Permissions: Set read/write via rules. In the same rule: Check Read/Write as needed.
    • For finer control: Use NTFS permissions on the physical folder (Right-click folder > Properties > Security > Edit > Add user > Set Allow/Deny for Read/Write/Execute).
  • Directories: Define virtual directories for aliasing. In IIS Manager: Right-click FTP Site > Add Virtual Directory.
    • Alias: e.g., "uploads"; Physical path: C:\FTPRoot\Uploads.
    • Apply NTFS permissions to the physical path.
  • Test: Create a local user in Computer Management > Local Users and Groups > New User.

2. SMB for File Sharing

  • Users: Windows local or AD users/groups. Share Properties > Permissions > Add > Select users/groups.
  • Permissions: Share-level (Read/Change/Full) + NTFS (finer-grained). NTFS: Properties > Security > Add user > Set Modify for write access.
  • Directories: Shared folders are "directories." Create subfolders and apply inheritance (Advanced Security Settings > Enable inheritance).
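
The NTFS and share-level steps above, scripted as an added example (not part of the original tutorial). It assumes an elevated PowerShell session on the test VM; "TestUser" and C:\FTPRoot\Uploads follow the page's examples, and the share name "Uploads" is hypothetical.

```powershell
# Added example: least-privilege folder + SMB share for one test account.
$user  = 'TestUser'
$path  = 'C:\FTPRoot\Uploads'
$share = 'Uploads'                      # hypothetical share name
$account = "$env:COMPUTERNAME\$user"
# Resolve the Administrators group from its well-known SID (name is localized).
$admins = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-544').
    Translate([System.Security.Principal.NTAccount]).Value

# Create the local account, prompting for the password instead of hard-coding it.
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    $pw = Read-Host "Password for $user" -AsSecureString
    New-LocalUser -Name $user -Password $pw -Description 'File transfer test account' | Out-Null
}

New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS: drop inherited ACEs, then grant only Administrators, SYSTEM and the user.
# (OI)(CI) makes the entry apply to files and subfolders; M = Modify, F = Full.
icacls $path /inheritance:r
icacls $path /grant:r "*S-1-5-32-544:(OI)(CI)F" "*S-1-5-18:(OI)(CI)F" "${account}:(OI)(CI)M"

# Share level: Change for the user, Full for Administrators, nobody else.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $path -ChangeAccess $account -FullAccess $admins | Out-Null
}

# Verify both layers; effective access over SMB is the more restrictive of the two.
Get-SmbShareAccess -Name $share |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# Flag broad principals left on the share.
$broad = Get-SmbShareAccess -Name $share | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.AccountName -match 'Everyone|Authenticated Users'
}
if ($broad) { Write-Warning "Share '$share' still allows: $($broad.AccountName -join ', ')" }
```

The same NTFS grant applies when C:\FTPRoot\Uploads is the physical path behind an IIS virtual directory.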

These are basic but limited - Sysax offers more granular control.


Configuring Sysax Multi Server

Sysax Multi Server excels in user management across protocols, with GUI and web-based administration. It supports stand-alone Sysax accounts, Windows NTLM, Active Directory/LDAP, public keys for SFTP, and MFA (Cisco Duo or Radius).

1. Accessing the Sysax Control Panel

  1. From the Start Menu, select and open "Sysax Multi Server Administrator".
  2. Click on Manage Server Settings.

2. Configuring Users

Sysax supports multiple authentication methods and user account types; we'll cover stand-alone and AD/Windows.

For Stand-Alone Sysax Users:

  1. In Sysax control panel: Go to Manage Server Settings > Authentication Methods, then select the "Sysax local user account" type.
  2. Click "Configure accounts" to open the Sysax Account Manager.
  3. Click "Add" to open the Add User screen.
  4. Enter: Login (username), Password, Home path (e.g., C:\FTPUsers\username - browse to select).
  5. Click OK to create.
  6. Optional: Import via CSV—Click "Import CSV...", select file with format: username,password,homepath,homeperm,accdisabled (e.g., testuser,pass123,C:\home,RWDL CX,0).
  7. homeperm: R=read, W=write, D=delete files; L=list, C=create, X=delete folders.
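
A pre-import check for the CSV layout in step 6, as an added example (not Sysax code and not from the original tutorial). It assumes the file has no header row, that accdisabled is 0 or 1, and a hypothetical 12-character minimum password; the sample rows are constructed.

```powershell
# Added example: validate rows before using "Import CSV...".
$columns = 'username', 'password', 'homepath', 'homeperm', 'accdisabled'

# Constructed sample rows; in practice use: Get-Content .\users.csv
$sample = @'
testuser,pass123,C:\home,RWDL CX,0
readonly,Xk9!vT2m#qLp7w,C:\FTPUsers\readonly,RL,0
badperm,Zr4$hN8u@eYc1s,FTPUsers\badperm,RWZ,0
testuser,Qm6&jB3x!dWf9a,C:\FTPUsers\dup,RL,2
'@ -split "`r?`n"

$seen = @{}   # usernames already seen (hashtable keys are case-insensitive)
$report = $sample | ConvertFrom-Csv -Header $columns | ForEach-Object {
    $issues = @()
    # Assumption: whitespace inside homeperm (as in "RWDL CX") is ignored.
    $perm = ($_.homeperm -replace '\s', '').ToUpper()

    if ($perm -notmatch '^[RWDLCX]+$')          { $issues += 'homeperm has letters outside RWDLCX' }
    if ($_.accdisabled -notin '0', '1')         { $issues += 'accdisabled is not 0 or 1' }
    if ($_.homepath -notmatch '^[A-Za-z]:\\.+') { $issues += 'homepath is not an absolute folder path' }
    if ($_.password.Length -lt 12)              { $issues += 'password shorter than 12 characters' }
    if ($seen.ContainsKey($_.username))         { $issues += 'duplicate username' }
    $seen[$_.username] = $true

    [pscustomobject]@{
        User     = $_.username
        Perm     = $perm
        # W, D, C or X means the account can change content; R and L alone is read-only.
        CanWrite = [bool]($perm -match '[WDCX]')
        Issues   = $issues -join '; '
    }
}

$report | Format-Table -AutoSize -Wrap
if ($report | Where-Object Issues) {
    Write-Warning 'Fix the flagged rows before importing.'
}
```

The import file holds passwords in plaintext, so restrict its NTFS permissions while it exists and delete it once the import is done.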

For Active Directory or Windows Accounts:

  1. In Sysax Control panel: Manage Server Settings > Authentication Methods > Select "Active Directory or Windows Accounts."
  2. Click next until "Home Path Permissions for Active Directory or Windows Accounts."
  3. Click "Add Account Name" > Enter username or domain\username.
  4. Optional: Check "Force home path for account" > Browse to set path (e.g., C:\ADUsers\username).
  5. Save changes.

For all users: Enable protocols (e.g., disable FTP for a user via checkboxes), set max connections (e.g., 5), and timeout (e.g., 300 secs).

Protocol notes: For SFTP/SCP, enable public key auth by uploading keys in user settings.

3. Setting Permissions

Permissions apply to home paths and additional paths (acting as virtual directories).

  1. After adding user: In Account Manager or Permissions screen, select user.
  2. Under "Permissions for accessible paths": Check boxes for:
    • Files: Read, Write, Delete.
    • Folders: List, Create, Delete.
  3. For directory-specific: Highlight a path > Edit permissions individually.
  4. Add new paths (virtual mappings): Click "Add path" > Enter alias (e.g., /uploads) and physical path (e.g., D:\Shared\Uploads).
  5. Delete unwanted paths with "Delete path."
  6. For AD/Windows: In Manage Server Settings > Authentication Methods > Click Next until Home Path Permissions screen, select account > Check permissions as above.

Security features: Restrict by IP (Manage Server Settings > Security Settings > IP restrictions), auto-block failed logins.

4. Managing Directories

Directories are tied to home paths and added paths.

  1. Create physical folders first (e.g., via Command line: mkdir C:\FTPRoot).
  2. In Sysax: Map as home or added paths (virtual for aliasing, e.g., /secure maps to hidden physical folder).
  3. Hidden files/folders: In Manage Server Settings > File Transfer Management > Manage Hidden Files and Folders, configure visibility.
  4. Centralized home paths for AD: Set in Manage Server Settings > Authentication Methods > Click Next until Centralized Home Paths > Define base directory (e.g., C:\Users\%username%).
  5. Apply NTFS permissions as an extra layer: Right-click folder > Security, and keep them in sync with the Sysax permissions.

Testing Configurations

  • Server-side: Log changes in Sysax logs (Manage Server Settings > Administrative settings > Server Log Tab).
  • Client-side: Use Sysax FTP Automation - Create task > Connect with test user > Try upload/download to verify permissions (e.g., write should succeed/fail as set).
  • Cross-protocol: Test SFTP with WinSCP, HTTPS via browser.

Troubleshooting Common Issues

  • User Can't Log In: Check password, enabled protocols, IP restrictions. Verify AD connectivity if used.
  • Permission Denied: Double-check checkboxes and NTFS (use icacls /reset to reset if needed).
  • Directory Not Visible: Ensure list permission; check hidden settings.
  • AD Errors: Ensure server domain-joined; test with dsquery user.
  • Sysax-Specific: Restart service if changes don't apply (Services.msc > Sysax Multi Server > Restart).

Key Takeaways and Next Steps

Configuring users, permissions, and directories secures your transfers - use AD for enterprise scale, stand-alone for simplicity. Sysax's interface makes it beginner-friendly with protocol flexibility.

In the next tutorial (Security Best Practices), we'll harden your setup.


Practice: Add a test user in Sysax and restrict to read-only.


Glossary Additions:

Home Path: User's default landing directory.

Virtual Directory: Alias for a physical folder, enhancing security.


You're making great progress—keep experimenting!
