Automating User Creation & Maintenance in WS_FTP Server
Generally the larger our systems get, the more of an administrative burden they become. More user accounts need creating for access; permissions and controls need to be set correctly for security purposes; and something or someone needs to keep track of the changes taking place.
In the case of user administration, a lot of companies - and our customers are no exception - choose to use a centralised user database such as Microsoft Active Directory, whereby user accounts can be administered from one central location and then effectively imported or referenced by other solutions in the network.
New accounts in the central repository are seen and copied; and anything removed or disabled will also cascade down to connected solutions.
Impractical Use of Centralised User Databases
This all sounds very idyllic and easy-to-use. However, in some cases, the use of a centralised user database is just not practical.
For example:
- When a solution has no network connectivity to a centralised user database - such as solutions in a DMZ or in the cloud.
- Where the solution is primarily targeted to a group of users who would not typically have an account in a central user database - we often see this with accounts for external parties.
It is often the case that we see a combination of both of these challenges when speaking to customers about user administration on FTP and SFTP servers.
Typically, file transfer solutions are outward facing, so they both need to sit in a secure network zone away from internal servers and will be authenticating users who wouldn't be present in a user database anyway.
In these scenarios, we often see our customers making use of the internal database supplied with FTP and SFTP software. This works just as well from the user's perspective, but also tends to return to the same management issues written about earlier in this blog.
WS_FTP Server Command Line Administration
Here at Pro2col, we promote and work with WS_FTP Server which is a well-known and very popular file transfer server. While it has a web-based administration console, it can fall foul of the same user management issues that any solution comes up against. To help with these challenges, WS_FTP Server comes with a handy command line interface which can be used to script changes to user accounts, whether that be permission changes, new accounts or modifying account settings.
For default installations of WS_FTP Server, the executable to use for account management can be found at the following location:
C:\Program Files\Ipswitch\WS_FTP Server\WS_FTP Server\iftpaddu.exe
Creating User Accounts
Adding a new user account is relatively simple. The example below creates an account with a username, password and a full name which is optional and used for administrative purposes.
iftpaddu.exe -add -u userid -h hostname [-n "full name"] [-p password] [options]
iftpaddu.exe -add -u jessica -h sftp.acs.co.uk -n "Jessica Reynolds" -p Password1
Note. WS_FTP Server can support multiple named hosts, hence the need to specify which host this user account is being added to.
There have been instances in the past, when assisting customers who are migrating from another FTP/SFTP solution to WS_FTP Server, where we have used this method to script the creation of multiple hundreds of accounts. By simply running this command as a batch script with a CSV file, you can turn hours of painstaking manual work into an automated process.
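The batch approach described above, sketched in PowerShell as an added example (it is not Pro2col's or Ipswitch's script). The CSV columns UserId and FullName, the function names and the sample rows are assumptions; only the switches shown on this page are used, and because the tool's exit-code behaviour is not documented here, the code records it rather than interpreting it.

```powershell
# Added example: bulk account creation with iftpaddu.exe (default install path from this page).
$IftpAddu = 'C:\Program Files\Ipswitch\WS_FTP Server\WS_FTP Server\iftpaddu.exe'

function New-RandomPassword {
    # 24 bytes from the OS CSPRNG, base64-encoded, then reduced to letters and digits
    # so the value can never start with '-' or '+' and be read as a switch.
    $bytes = New-Object byte[] 24
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    [Convert]::ToBase64String($bytes) -replace '[^A-Za-z0-9]', ''
}

function Add-WsFtpUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [object[]] $Rows,     # rows with UserId and FullName (assumed columns)
        [Parameter(Mandatory)] [string]   $HostName
    )
    foreach ($row in $Rows) {
        # Allowlist both fields so a CSV value cannot be parsed as an extra argument.
        # FullName is optional for the tool; this sketch requires it for simplicity.
        if ($row.UserId -notmatch '^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$' -or
            $row.FullName -notmatch "^\p{L}[\p{L} .'-]{0,63}$") {
            Write-Warning "Skipped row with invalid field(s): '$($row.UserId)'"
            continue
        }
        $password = New-RandomPassword   # unique per account, never read from the CSV
        $exit = $null
        if ($PSCmdlet.ShouldProcess($row.UserId, "create account on $HostName")) {
            # Note: -p places the password on the command line, where process
            # command-line auditing on the server can capture it.
            & $IftpAddu -add -u $row.UserId -h $HostName -n $row.FullName -p $password | Out-Null
            $exit = $LASTEXITCODE        # recorded as-is; its meaning is not documented on this page
        }
        # The caller receives the credential; send it to a secrets store, not a log file.
        [pscustomobject]@{ UserId = $row.UserId; Password = $password; ExitCode = $exit }
    }
}

# Constructed sample rows; the second is rejected because its UserId looks like a switch.
$sample = @"
UserId,FullName
jessica,Jessica Reynolds
-kill,Bad Row
"@ | ConvertFrom-Csv

# Dry run: -WhatIf reports what would be created without calling iftpaddu.exe.
Add-WsFtpUsers -Rows $sample -HostName 'sftp.acs.co.uk' -WhatIf | Format-Table UserId, ExitCode
```

Drop `-WhatIf` and replace `$sample` with `Import-Csv` on the real file to perform the migration.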
Modifying Existing Accounts
Where there is a requirement to modify a user account, the command line executable can take care of this too by switching the argument from "add" to "mod".
iftpaddu.exe -mod -u userid -h hostname [options]
iftpaddu.exe -mod -u jessica -h sftp.acs.co.uk -p AStrongerPassw0rd1
In the above example, we have modified the previous password assigned to our account with a new and ever-so-slightly stronger one.
You might wonder what the purpose of the modification command is outside of changing passwords. In some cases we have been asked if it is possible to mandate a particular setting - such as lock to home folder - in the web-based administration interface, when admins create new accounts there.
Modifying Multiple Accounts
This is not possible, but what we have done is to create a user modification script which runs on a schedule, setting all accounts to be locked to their home folders. This means that if the lock isn't set at user creation, it will be the next time the scheduled script executes.
An example of doing just this is below. Note that the "mod" argument is now changed to "all", as the script is to modify all accounts rather than one individually.
iftpaddu.exe -all -h hostname [options]
iftpaddu.exe -all -h sftp.acs.co.uk +lock
Deleting Accounts
The final scripted task which we might want to run against our internal WS_FTP Server user accounts is deletion.
In this case we use the ominous argument "kill".
iftpaddu.exe -kill -u userid -h hostname
iftpaddu.exe -kill -u jessica -h sftp.acs.co.uk
When using delete, there is no scope for deleting all accounts; and there are no options to be set. The user account will be removed from the internal database, along with any assigned settings.
Other Options
The above examples are very basic and you will have noticed the references to "options". For further information about what those options are, take a look at the WS_FTP Server online help document and search for "Managing Users from the Command Line".
If you would like further information about WS_FTP Server, managing users using a command line interface or other assistance with file transfer solutions, you can book a short call with one of our solution specialists. We have over twelve years of experience working with file transfer solutions and would be happy to speak with you.