Submit a ticketCall us

AnnouncementsAre You “Flying Blind?”

When it comes to your complex IT infrastructure, you want to ensure you have a good grasp of what’s going on to avoid any fire drills that result from guesswork. Read our white paper to learn how proactively monitoring your IT environment can help your organization while giving you peace of mind.

Get your free white paper.

Home > Success Center > Serv-U Managed File Transfer & Serv-U FTP Server > Serv-U - Knowledgebase Articles > Serv-U Managed File transfer, Windows authentication

Serv-U Managed File transfer, Windows authentication

Table of contents
Created by Richard Casey, last modified by MindTouch on Jun 23, 2016

Views: 1,302 Votes: 0 Revisions: 4


Serv-U MFT Server supports Active Directory (AD) authentication. This article describes how administrators can use AD organizational units (OUs) to provide different levels of access to different AD users.


Serv-U version 12 running on Windows Domain


The Master Windows User Group:

Serv-U provides a master Windows User Group that sets the default home directory and other properties for all users who authenticate through AD. To configure this group, either:

  • Open Users| Windows Authentication, and click  Configure Windows User Group...
  • Open Groups | Windows Groups, and click Configure Windows User Group... 


SolarWinds recommends: If you do not have directories configured in each of your AD user accounts, check the Use Windows User Group home directory box on the User | Windows Authentication tab, and then set up a home directory and provide permissions to it via the Windows User Group configuration.


Mapping AD OUs to Serv-U Windows Groups:

To map AD OUs to Serv-U Windows Groups you must use the Add and Add Child buttons on the Groups | Windows Groups tab to replicate the hierarchy of OUs present in AD.

Once you have successfully mapped the hierarchy, you may edit the properties of each Windows Group to set limits, different home directories and different sets of virtual folders.


Deny Access To All Users Without OU-to-WindowGroup Maps

Check the Require fully-qualified group membership for login box to deny access to any AD user whose organizational unit has not been mapped.


Deny Access To Users in Specific OU-to-WindowGroup Maps

You may also turn off access for all users in specific OUs. To do this, make sure you have a proper OU to Windows Group mapping, and then uncheck the "Enable account" box in the group properties.




An existing AD for "" contains three organizational units in the MyBusiness\Users organization unit. Only users from the "blue team" and "red team" should be allowed to sign on.


To implement this configuration, an administrator used the "Add" and "Add Child" buttons to duplicate the OU hierarchy from AD. Notice that there is no separate entry for the domain (""), and that only two of the three organizations units present under "Users" in the AD is present on Serv-U.


Troubleshooting and Hints

If you are having trouble signing on or mapping Serv-U Windows Groups to AD OUs, try adding the domain name (e.g., "") to the "Windows Domain Name" field on the "Users | Windows Authentication" tab.

Remember that users in the built-in AD "Users" collection (right under the domain root) is NOT an addressable OU. (In other words, do not expect a Serv-U Windows Group named "Users" to apply properties to AD users from the built-in "Users" collection.)

To double-check the hierarchy necessary to address an AD user with a tree of Serv-U Windows Groups, open the target user in AD and look at the "Canonical Name" on the Object tab. (This also applies to intermediate organizational units.)

An easy way to tell if your mapping is correct is to apply a harmless Limit through the Serv-U Windows Group. For example, you might turn off access to Web Client Pro in one of your Windows Groups. Then, you know your group is mapped correctly when you sign on as an AD user in the applicable OU and your "Enable Web Client Pro" link is missing from the web client interface.



Last modified