Submit a ticketCall us

Get a crash course on Network Monitoring delivered right to your inbox
This free 7-day email course provides a primer to the philosophy, theory, and fundamental concepts involved in IT monitoring. Lessons will explain not only how to perform various monitoring tasks, but why and when you should use them. Sign up now.

Home > Success Center > Serv-U Managed File Transfer & Serv-U FTP Server > Windows Groups and organizational units (OUs) in Serv-U

Windows Groups and organizational units (OUs) in Serv-U

Updated April 11, 2017

Overview

Serv-U MFT Server supports Active Directory (AD) authentication. This article describes how administrators can use AD organizational units (OUs) to provide different levels of access to different AD users.

 

Environment

All Serv-U versions

Steps

The master Windows User Group

Serv-U provides a master Windows User Group that sets the default home directory and other properties for all users who authenticate through AD.  To configure this group:

Open Users > Windows Authentication,  and then click Configure Windows User Group....

OR

Open Groups > Windows Groups,  and then click Configure Windows User Group....

 

If you do not have home directories configured in each of your AD user accounts:

  1. Click User > Windows Authentication.
  2. Select Use Windows User Group home directory.
  3. Set up a home directory and provide permissions to it via the Windows User Group configuration.

Map AD OUs to Serv-U Windows Groups

Click Groups > Windows Groups, and then select Add or Add Child to replicate the hierarchy of OUs present in AD.

Once you have mapped the hierarchy, you may edit the properties of each Windows Group to set limits, different home directories and different sets of virtual folders.

Deny access to all users without OU-to-WindowGroup Maps

Select Require fully-qualified group membership for login to deny access to any AD user whose organizational unit has not been mapped.

Deny access to users in specific OU-to-WindowGroup Maps

You can disable access for all users in specific OUs. You must have a proper OU to Windows Group mapping, and then clear Enable account in the Group Properties.

Example

An existing AD for mydomain.com contains three organizational units in the MyBusiness\Users organization unit. Only users from the blue team and red team should be allowed to sign in.

 

To implement this configuration:

  1. Log in as an administrator.
  2. Click Groups > Windows Groups, and then select Add or Add Child to duplicate the OU hierarchy from AD.

Notice that there is no separate entry for the domain:  mydomain.com,  and that only two of the three organization units present under Users in the AD is present on Serv-U.

Troubleshoot

If you are having trouble signing in or mapping Serv-U Windows Groups to AD OUs, add a domain name:

  1. Go to Users > Windows Authentication tab.
  2. Enter your domain name, for example, mydomain.com in the Windows Domain Name field.

 

Remember that users in the built-in AD Users collection (under the domain root) is NOT an addressable OU.

Do not expect a Serv-U Windows Group named Users to apply properties to AD users from the built-in Users collection.

 

To double-check the hierarchy necessary to address an AD user with a tree of Serv-U Windows Groups:

  1. Open the target user in AD.
  2. Locate Canonical Name on the Object tab. (This also applies to intermediate organizational units.)

 

To confirm that your mapping is correct, apply a Limit through the Serv-U Windows Group. For example, you might turn off access to Web Client Pro in one of your Windows Groups. Then, you know your group is mapped correctly when you sign in as an AD user in the applicable OU and your Enable Web Client Pro link is missing from the Web Client interface.

 

 

 

Last modified
22:44, 11 Apr 2017

Tags

Classifications

Public