Documentation forServ-U MFT & Serv-U FTP Server

Serv-U global users

You can add users at the global or domain level.

  • Global users are defined at the server level and have access to all domains.
  • Domain users are defined for the specific domain, and only have access to that domain.

For information on Domain users, see the Domain Users topic.

You can create users quickly using the wizard, or manually enter user properties for more precise set-up.

View and add users at the global level

  1. Click Global in the navigation column.
  2. Click Users.

Add a user using the wizard

  1. Click the Wizard button. The User Wizard is displayed.

  2. Enter a unique login ID for the user.

    Login IDs cannot contain any of the following special characters:

    \ / < > | : . ? *

    Two special login IDs exist: Anonymous and FTP. These are synonymous with one another, and can be used for guests. They do not require a password, so the Password field should be left blank. Serv-U requires users who log on with one of these accounts to provide their email address to complete the login process.

  3. Optionally, enter a name and email address for this user.
  4. Click Next.
  5. Enter a password for this user, or accept the suggested eight character, complex password.

    You can leave the password blank, which will enable anyone knowing the login ID to access this account.

    You can place restrictions on the length and complexity of passwords, and disable the automatic password generator if required.

  6. Check the box if you want the user to create their own password when they first login.
  7. Enter or navigate to the home directory for this user. This is where the user is placed immediately after logging in to the file server. This must be specified using a full path including the drive letter or the UNC share name.

    When you specify the home directory, you can use the %USER% macro to insert the login ID in to the path. This is used mostly to configure a default home directory at the group level or within the new user template to ensure that all new users have a unique home directory. When it is combined with a directory access rule for %HOME%, a new user can be configured with a unique home directory and the appropriate access rights to that location with a minimal amount of effort.

    You can also use the %DOMAIN_HOME% macro to identify the user's home directory. For example, to place a user's home directory into a common location, use %DOMAIN_HOME%\%USER%.

    The home directory can be specified as "\" (root) in order to grant system-level access to a user, allowing them the ability to access all system drives. In order for this to work properly, the user must not be locked in their home directory.

    Check the Lock user in home directory box if you want this user's access to be restricted to this directory.

  8. Click Next.
  9. Select Read Only Access if you want this user to only be able to browse and download files or Full Access if you want to grant the user full control of files and directories in their home directory.
  10. Click Finish.
  11. The user is added to the list of users. You can edit this user if you want to apply more advanced settings.

Add a user manually

  1. Click the Add button.

    The User Properties window is displayed.

  2. Enter a unique login ID for the user.

    Login IDs cannot contain any of the following special characters:

    \ / < > | : . ? *

    Two special login IDs exist: Anonymous and FTP. These are synonymous with one another, and can be used for guests. They do not require a password, so the Password field should be left blank. Serv-U requires users who log on with one of these accounts to provide their email address to complete the login process.

  3. Enter a name for this user.
  4. Enter a password for this user, or click the lock button to create an eight character, complex password.

    You can leave the password blank, which will enable anyone knowing the login ID to access this account.

    You can place restrictions on the length and complexity of passwords through User limits. For more information about password limits, see User Limits and Settings - Passwords.

  5. Enter or navigate to the home directory for this user. This is where the user is placed immediately after logging in to the file server. This must be specified using a full path including the drive letter or the UNC share name.

    When you specify the home directory, you can use the %USER% macro to insert the login ID in to the path. This is used mostly to configure a default home directory at the group level or within the new user template to ensure that all new users have a unique home directory. When it is combined with a directory access rule for %HOME%, a new user can be configured with a unique home directory and the appropriate access rights to that location with a minimal amount of effort.

    You can also use the %DOMAIN_HOME% macro to identify the user's home directory. For example, to place a user's home directory into a common location, use %DOMAIN_HOME%\%USER%.

    The home directory can be specified as "\" (root) in order to grant system-level access to a user, allowing them the ability to access all system drives. In order for this to work properly, the user must not be locked in their home directory.

  6. Select the Administration Privilege for this user. This can be:

    No Privilege A regular user account that can only transfer files to and from the File Server. The Serv-U Management Console is not available.
    Group Administrator A Group Administrator can only perform administrative duties relating to their primary group (the group that is listed first in their Groups memberships list). They can add, edit, and delete users which are members of their primary group, and they can also assign permissions at or below the level of the Group Administrator. They may not make any other changes.
    Domain Administrator

    A Domain Administrator can only perform administrative duties for the domain to which their account belong, and is also restricted from performing domain-related activities that may affect other domains. The domain-related activities that may not be performed by Domain Administrators are:

    • configuring their domain listeners
    • configuring or administering LDAP groups
    • configuring ODBC database access for the domain
    System Administrator A System Administrator can perform any file server administration activity including creating and deleting domains, user accounts, and even updating the license of the file server. A user account with System Administrator privileges logged in through HTTP remote administration can administer the server as if they had physical access to the server.
    Read-only Group/Domain/Server Administrator Read-only administrator accounts can allow administrators to log in and view configuration options at the group, domain or server level, greatly aiding remote problem diagnosis when working with outside parties. Read-only administrator privileges are identical to their full-access equivalents, except that they cannot change any settings, and cannot create, delete or edit user accounts.
  7. If you have the MFT edition of Serv-U, you can specify a SSH public key to be used to authenticate a user when logging in to the the Serv-U File Server. The public key path should point to the key file in a secured directory on the server. This path can include the following macros:

    %HOME%

    The home directory of the user account.

    %USER%

    The login ID, used if the public key will have the login ID as part of the file name.

    %DOMAIN_HOME%

    The home directory of the domain, set in Domain Details > Settings, used if the keys are in a central folder relative to the domain home directory.

    Examples:

    %HOME%\SSHpublic.pub

    %HOME%\%USER%.pub

    %DOMAIN_HOME%\SSHKeys\%USER%.pub

    For information on SSH public key authentication, adding a SSH key pair, and creating an key pair for testing, see New SSH Key Pair Creation.

  8. Select the account type. By default, all accounts are permanent and exist on the file server until they are manually deleted or disabled. You can configure an account to be automatically disabled or even deleted on a specified date by configuring the account type. After selecting the appropriate type, the Account Expiration Date control is displayed. Click the calendar or expiration date to select when the account should be disabled or deleted.

    The account is accessible until the beginning of the day on which it is set to be disabled. For example, if an account is set to be disabled on 15 July 2015, the user can log in until 14 July 2015, 23:59.

  9. Select the default web client to be displayed when a user logs in.

    If you have the MFT edit, users connecting to the file server through HTTP can choose which client they want to use after logging in. Instead of asking users which client they want to use, you can also specify a default client. If you change this option, it overrides the option specified at the server or domain level. It can also be inherited by a user through group membership. Use the Inherit default value option to reset it to the appropriate default value.

  10. Enter an Email address for this user. Type an email address here to allow password recovery for the user account.

    For the MFT edition, this email address can also be used for event notifications.

  11. Check or uncheck the following checkboxes:

    Enable account

    Deselect this option to disable the current account. Disabled accounts remain on the file server but cannot be used to log in. To re-enable the account, select the Enable account option again.

    Lock user in home directory

    Users locked in their home directory may not access paths above their home directory. In addition, the actual physical location of their home directory is masked because Serv-U always reports it as "/" (root). The value of this attribute can be inherited through group membership.

    Always allow login

    Enabling this option means that the user account is always permitted to log in, regardless of restrictions placed upon the file server, such as maximum number of sessions. It is useful as a fail-safe in order to ensure that critical system administrator accounts can always remotely access the file server. As with any option that allows bypassing access rules, care should be taken in granting this ability. The value of this attribute can be inherited through group membership.

    Enabling the Always Allow Login option does not override IP access rules. If both options are defined, the IP access rules prevail.

    User must change password at next login

    If enabled, the user will be prompted to change their password when they next log in.

    This option takes priority to the "Allow user to change password" setting on the Limits & Setting tab. This means even if that setting is set to No, checking this box still will require the user to change their password.

  12. Enter an optional description of this user account.
  13. Click Availability if you want to place limits on when this user can log in.
    1. Check Apply limit and select the start and end time to specify the period this user may log in.
    2. Tick the checkboxes for the days of the week on which this user may log in.
  14. Click Welcome Message if you want to sent a welcome message to this user when they log in. This may also be set at the Group level.

    The welcome message is a message that is traditionally sent to the FTP client during a successful user login. Serv-U extends this ability to HTTP so that users accessing the file server through the Web Client or FTP Voyager JV also receive the welcome message. This feature is not available to users logging in through SFTP over SSH2, because SSH2 does not define a method for sending general text information to users.

    1. Check Include if you want to include the response code in the welcome message test when an FTP connection is made.
    2. Either:
      • Select or navigate to a message file if you have already created a text file containing a welcome message.

      or:

      • Check the Override box, and enter a message specific to this user in the text box above it.
    3. Click Save.

Advanced settings

Once you have added the User information you can use the following tabs on this window to complete the user setup.

Directory Access Directory access rules define the files and directories that the user has permission to access. At the user level, these rules are inherited from any groups the user belongs to as well as those rules defined at the domain and server level.
Virtual Paths Virtual paths are used to link a physical path that is outside the directory structure of the user's home directory into the directory listings received by that user.
Logging This tab provides checkboxes to configure what information you want to be logged.
Groups From the User Properties window you can select groups to which you want to add a user. Group membership allows you to assign various basic attributes to users that are members of the group.
Events MFT only: Events let you automatically run programs, send email and show messages when triggered by Serv-U activities.
IP Access Set up and maintain Server IP access rules so that specific IP address can be allowed or denied access to all your file server domains. These are checked when a physical connection is established with the file server, but before a welcome message is sent.
Limits & Settings There are many options that can be applied at the user level. You can specify on which days and at which time these limits apply.

The User Template

While the New User Wizard provides a way to quickly create a user account with the minimum number of required attributes, most File Server administrators have a collection of settings that they want all user accounts to abide by. Groups are the best way to accomplish this task, however, there are times when it may not be the course of action you want.

Serv-U allows an administrator to configure a template for new user accounts by clicking Template. You can configure the template user just like any other user account, with the exception of a login ID. After these settings are saved to the template, all new user accounts that are manually created are done so with their default settings set to those found within the template.

By using user templates, you can add users to a specific default group. If you set up the user template as a member of the group you want all users to be a member of. This way, when new users are created, they will automatically be added to the particular group which is specified in the user template.

Edit a user

Select a user and click Edit to open the User Properties window with the selected user's information.

Copy a user

Select a user and click Copy to open the User Properties window with the selected user's information. You will need to supply at least a new Login ID to save the new user.

User collections (MFT only)

In Serv-U MFT Server, you can organize user accounts into collections to make account management more logical and organized. This can be useful when you manage all users from a department or physical location. For example, you can place all users in the accounting department in a collection named Accounting, or place all users at an office in Topeka in a collection named Topeka Users.

To create a collection, click Add in the Select user collection area in the users window. In the new window, type the name of your collection, and then click Save. You can add users to this new collection by selecting them and clicking Add below the user list. To move a user from one collection to another, click Move below the user list, and then select the destination collection for the highlighted user accounts. You can also rename or delete collections by using the appropriate button.

When deleting a collection, all user accounts contained in that collection are deleted, too. If you want to keep the user accounts, make sure you move them before deleting the collection.

By default, all users are created in the General user collection.

Recovering passwords

Serv-U supports password recovery both through the Management Console and through the Web Client. For password recovery to be available, you must configure the SMTP options for the server or domain, and the user account must have an email address listed. To use password recovery from the user page:

  1. Select the user's account.
  2. Click Recover Password.
    • If the password is stored using one-way encryption, the password will be reset and the new password will be sent to the user's email address.
    • If the password is stored using two-way encryption or no encryption, the original password will be sent by email.

Password Recovery from the Web Client requires that the Allow users to recover password limit be enabled for the user account. Once this option is enabled, users can use the Recover Password option in the Web Client. Password Recovery from the Web Client otherwise works the same as from the Management Console.