How to configure Windows/AD group users

The Automatic Windows authentication method allows login of any Windows or Active Directory (AD) user without having to manually add each user to CompleteFTP's internal user-list. AD users logging in by this method can use either of two user name formats:

  1. User Principal Name (UPN) specified an Internet-style name, i.e. MyUserName@MyDomain. Note that the part of the name after the @ symbol are sometimes just the domain name and other times are the fully qualified domain name, e.g. MyUserName@MyDomain.com. Both formats can be supported by setting the Default Domain such that both are included (see below)
  2. Down-Level Logon Name specifies a more traditional name, i.e. MyDomain\MyUserName.

The feature may be enabled by checking the checkbox in the Enabled column.

In the Professional and Enterprise Editions logins may be restricted to one or more Active Directory (AD) or local groups in the Configuration form (opened by the Configure link).

Windows/AD group authenticator

Setting a default domain

Once Automatic Windows authentication is set up, local Windows users and domain users will be able to log in. However, to log in AD users, their domain name must be supplied so CompleteFTP knows what domain they are in. For example, MyDomain\MyUserName. However, a default Windows domain can be set so that the domain name prefix is not required.

Multiple default domains may be specified as default domains in a comma-separated list, e.g. MyDomain,MyDomain.com. If no domain name is specified then CompleteFTP tries each of them until it's successful. Additionally, if any one of the listed domain names is specified then all are tried until one is successful. As mentioned in the introduction, this may be used to allow, for example, both MyUserName@MyDomain and MyUserName@MyDomain.com to work.

See here for more details of how to do this from the General User Settings.

Configuring Automatic Windows authentication

The Automatic Windows authentication method allows login of any Windows or Active Directory user without having to manually add each user to CompleteFTP's internal user-list. Logins may be restricted to one or more Active Directory (AD) or local groups. These groups should be listed in the AD/Windows Group column. Each AD/Windows group may be associated with multiple CompleteFTP groups, a specific log-in-as user, which will override the one set for the authenticator in the Authenticators panel, and a Windows home folder.

Configure Windows/AD group configuration
AD/Windows Group

Name of the AD or Windows group that's to be permitted. AD groups are usually of the pattern MyDomain\MyGroup and Windows groups are specified just be MyGroup. If you're unsure about the exact name of an AD group then enter what you think it should be have the user attempt to log in. If the user entered the correct user-name and password, but was disallowed because they're not in an allowed group then a list of all the groups that they're a member of will be shown in the realtime log (and log file).

CompleteFTP Group

Users who authenticate successfully because they're a member of the AD/Windows group in this row will be made members of the CompleteFTP groups in this field. This can be useful for controlling access to folders in the virtual file-system.

Log-in-as User

Although a log-in-as user is defined for the Windows/AD group authenticator, as a whole, it may be overridden by the log-in-as user defined for the AD/Windows group of this row. The authenticated user will inherit the user settings of the log-in-as user, including their CompleteFTP group membership, although the set of groups of which they're a member may be added to using the CompleteFTP Groups column in this table. The home folder may also be overridden (see Home Folder).

Home Folder Path Override

The path of the home folder of users authenticated by the AD/Windows group of this column may be overrridden by setting the value of this column to that of a Windows directory. Clicking on the ellipsis button will open a server folder-browser. Macros, such as %UserName%, may be used in the path, e.g. C:\FTP\Group1\%UserName%.

Note that the way in which the value of this column is interpreted depends on the folder type of the home folder of the log-in-as user being used. If it's a Windows or Network/macro folder then it will be interpreted as a Windows path (with the optional inclusion of macros) because that's the way those folder types interpret that field, but if it's another folder type, such as a custom folder type, then it will be interpreted in the way native to that folder type.

For detailed instructions, please refer to Step-by-step guide: Allow all users from a Windows group to log in.

As mentioned above, by default, users connecting via this authenticator are subject to the settings of the "defaultWindows" user. This user may be found in the Users panel if the "Show system users/folders/sites" in the main form's Options menu is checked, as shown below.

Default Windows

The administrator may, for example, enable only certain protocols for Automatic Windows user connections. If distinct settings are required for specific users then those users should be added explicitly as Windows users in the Users panel.