In this post you will learn how to install an FTP server with PowerShell. I will show you how to configure the site name, port, and root folders. Then I will explain how to create FTP users, how to authenticate users, and how to configure the SSL policy and NTFS permissions.

Install the FTP feature ^

Before you can begin configuring your FTP server, you first need to install the required Windows features: FTP, the Web Server (IIS), and the Management Tools to administer it with PowerShell.

# Install the Windows feature for FTP
Install-WindowsFeature Web-FTP-Server -IncludeAllSubFeature
Install-WindowsFeature Web-Server -IncludeAllSubFeature  IncludeManagementTools
Install the FTP feature

Install the FTP feature

After the installation completes, import the WebAdministration module. This will map an Internet Information Services (IIS) drive (IIS:\) through which we will configure our FTP site later in this article.

# Import the module
Import-Module WebAdministration

Configuring the site name, port, and root folder ^

Now you can create a new FTP site using the New-WebFtpSite cmdlet by providing an FTP site name, root folder for your FTP site, and port number. I'm choosing port 21, which is the default FTP port, but you can also specify any custom port for your FTP site.

# Create the FTP site
$FTPSiteName = 'Default FTP Site'
$FTPRootDir = 'D:\FTPRoot'
$FTPPort = 21
New-WebFtpSite -Name $FTPSiteName -Port $FTPPort -PhysicalPath $FTPRootDir
Create the FTP site

Create the FTP site

After running the cmdlet, you'll see the FTP site and bindings in IIS Manager.

The FTP site in IIS

The FTP site in IIS

Create FTP users ^

After creating a new FTP site, you can create a Windows user or group through which you can control the access to the FTP server. Let's first create the Windows local group:

# Create the local Windows group
$FTPUserGroupName = "FTP Users"
$ADSI = [ADSI]"WinNT://$env:ComputerName"
$FTPUserGroup = $ADSI.Create("Group", "$FTPUserGroupName")
$FTPUserGroup.SetInfo()
$FTPUserGroup.Description = "Members of this group can connect through FTP"
$FTPUserGroup.SetInfo()

Then we will create a new local FTP user with a username and password:

# Create an FTP user
$FTPUserName = "FTPUser"
$FTPPassword = 'P@ssword123'
$CreateUserFTPUser = $ADSI.Create("User", "$FTPUserName")
$CreateUserFTPUser.SetInfo()
$CreateUserFTPUser.SetPassword("$FTPPassword")
$CreateUserFTPUser.SetInfo()

Later we will add the FTP user to the Windows group:

# Add an FTP user to the group FTP Users
$UserAccount = New-Object System.Security.Principal.NTAccount("$FTPUserName")
$SID = $UserAccount.Translate([System.Security.Principal.SecurityIdentifier])
$Group = [ADSI]"WinNT://$env:ComputerName/$FTPUserGroupName,Group"
$User = [ADSI]"WinNT://$SID"
$Group.Add($User.Path)
Create FTP group and users

Create FTP group and users

Authenticating FTP users to access FTP server data ^

Now we enable basic authentication on the FTP site and authorize the Windows group that contains the FTP user so it can access the FTP site.

# Enable basic authentication on the FTP site
$FTPSitePath = "IIS:\Sites\$FTPSiteName"
$BasicAuth = 'ftpServer.security.authentication.basicAuthentication.enabled'
Set-ItemProperty -Path $FTPSitePath -Name $BasicAuth -Value $True
# Add an authorization read rule for FTP Users.
$Param = @{
    Filter   = "/system.ftpServer/security/authorization"
    Value    = @{
        accessType  = "Allow"
        roles       = "$FTPUserGroupName"
        permissions = 1
    }
    PSPath   = 'IIS:\'
    Location = $FTPSiteName
}
Add-WebConfiguration @param
Enable basic authentication and an authorization rule

Enable basic authentication and an authorization rule

You can also check these settings under IIS Manager > FTP Site > FTP Authorization Rules.

Authorization rule in IIS

Authorization rule in IIS

SSL policy and NTFS permissions to the FTP root folder ^

Next, we change the SSL policy from Require SSL to Allow SSL connections.

$SSLPolicy = @(
    'ftpServer.security.ssl.controlChannelPolicy',
    'ftpServer.security.ssl.dataChannelPolicy'
)
Set-ItemProperty -Path $FTPSitePath -Name $SSLPolicy[0] -Value $false
Set-ItemProperty -Path $FTPSitePath -Name $SSLPolicy[1] -Value $false
Setting the SSL policy

Setting the SSL policy

The commands below set the NTFS permissions on the FTPRoot folder to allow the FTP user group to access the files.

$UserAccount = New-Object System.Security.Principal.NTAccount("$FTPUserGroupName")
$AccessRule = [System.Security.AccessControl.FileSystemAccessRule]::new($UserAccount,
    'ReadAndExecute',
    'ContainerInherit,ObjectInherit',
    'None',
    'Allow'
)
$ACL = Get-Acl -Path $FTPRootDir
$ACL.SetAccessRule($AccessRule)
$ACL | Set-Acl -Path $FTPRootDir
SSL policy and NTFS permissions

SSL policy and NTFS permissions

You can verify this from the FTP root folder properties under the Security tab.

NTFS Permissions on the folder

NTFS Permissions on the folder

After all the configurations are complete, it is advisable to restart the FTP site:

# Restart the FTP site for all changes to take effect
Restart-WebItem "IIS:\Sites\$FTPSiteName" -Verbose

You can then test the FTP server, which should allow you to access files, content, and directories under the FTP root folder.

Subscribe to 4sysops newsletter!

Testing the FTP server

Testing the FTP server

Conclusion ^

Setting up an FTP server on a Window server requires configuration at many levels. With PowerShell you can install Windows FTP features and create the FTP server with the detailed configuration very easily. You can also create new FTP users and authorize them to access the FTP root directory in an automated fashion. This can come in handy if you have to apply the same settings for several machines.

avatar
7 Comments
  1. Nelson 3 years ago

    Excellent post, thank you very much. I had some problems creating the local group, the local user and adding it to the group, I used these commands for that:

    # Create the local Windows group
    $FTPUserGroupName = "FMS FTP Users"
    New-LocalGroup -Name $FTPUserGroupName -Description "Members of this group can connect throgh FTP"
    # Create an FTP user
    $FTPUserName = "FtpManager"
    $FTPPassword = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force
    New-LocalUser -Name $FTPUserName -Password $FTPPassword -Description "User account to access FMS FTP" -PasswordNeverExpires -UserMayNotChangePassword
    # Add an FTP user to the group FTP Users
    Add-LocalGroupMember -Name $FTPUserGroupName -Member $FTPUserName

  2. Alex 3 years ago

    The was fantastic and very detailed. I am going through trying to automate many repetitive tasks and setting up an FTP server was the next one in line. This is a huge help!

  3. I just tried to make a comment on this article.

    I don't think that [ ADSI ]"WinNT://$Etc" works when you have LSA disabled, which I do. Because apparently when you're in the world of Cyber Security... it's a good way to get trolled... learned my lesson with that one.

    At any rate... I have reworked this script. I included the local user parameters that Nelson suggested, as that is definitely easier to manage than using the shellsharpnet method that the author originally used.

    I've had issues using both methods. Despite that, I have a script in a testable format, feel free to scope it out and see if it works for you.

    I was looking to add a GUI module, but it's not high on my priority list at the moment.

    https://github.com/mcc85s/PSD-Remaster/blob/master/Provision-FTPServer.ps1

     

  4. Prabhu 2 years ago

    Is there a way to set SSL to No SSL in Binding and SSL settings screen please. 

  5. SRiram 1 year ago

    Hi ,

     

    Please let me know change FTP  password in powershell script.

     

    Thanks

    Sriram

  6. Some guy 10 months ago

    This guide is poisonous. It is entitled "Install and configure an FTP server with PowerShell", but provides instructions which install a full blown web server with way more features than is necessary for an FTP Server to run.

    The line
    "Install-WindowsFeature Web-Server -IncludeAllSubFeature -IncludeManagementTools" adds way too much unnecessary stuff for an FTP-only server.

  7. LOUIS 5 months ago

    Good article but some problem on Windows 10.

    Have you updated the script for Windows 10?

    best regards

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account