One of the main new features that come with Syncplify.me Server! v3.0 is true impersonation of Windows and Active Directory users.
Unlike previous versions, v3.0 actually impersonates the authenticated Windows or AD user and therefore accesses the underlying file system with that user’s privileges, limitations, and ACLs. Syncplify.me Server!’s native file and directory permissions still apply, but only *after* the operating system’s rules: they can further restrict what the OS allows, but never expand it (for safety reasons).
It must be totally clear that this article only refers to user profiles in Syncplify.me Server! that are marked either as “Windows User” or as “AD User”. This article does not apply to user profiles that are marked as “Normal User”.
So, when authentication is delegated to the underlying operating system (Windows User) or to Active Directory (AD User), Syncplify.me Server! v3.0 also lets you, as an option, use the user’s home directory, as reported by the operating system, as his/her FTP(S)/SSH/SFTP root directory. To do so, simply type [USER_HOME] in the root directory field of the user profile configuration, as shown in the picture below:
Of course, if we’re creating a profile for a single specific user, we could easily point his/her home directory to his/her OS home by specifying the full path. But this feature becomes critically important when configuring Group Profiles, as shown in the picture below:
The above configuration allows every member of the “Users” group to log into Syncplify.me Server! and will put each user into his/her own specific home directory when they log in.
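Because impersonation makes each home folder’s NTFS ACL the first layer of access control, it is worth auditing those folders before enabling [USER_HOME] for a whole group. The PowerShell below is an added example, not part of the original article or of Syncplify.me Server!; it assumes the RSAT ActiveDirectory module, that the OS-reported home is the AD `homeDirectory` attribute, and a placeholder group name `SFTP-Users`.

```powershell
# Added example (not Syncplify code). Assumptions: RSAT ActiveDirectory module is installed,
# and the OS-reported home directory is the AD homeDirectory attribute.
Import-Module ActiveDirectory

function Test-UserHomeReadiness {
    param([Parameter(Mandatory)][string]$GroupName)

    # Well-known SIDs tolerated on every home folder: SYSTEM, Administrators, CREATOR OWNER.
    $trusted = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0'
    $sidType = [System.Security.Principal.SecurityIdentifier]

    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user    = Get-ADUser -Identity $_.DistinguishedName -Properties HomeDirectory
            $homeDir = $user.HomeDirectory   # not $home: that is a read-only automatic variable
            $finding = 'OK'
            $others  = @()

            if ([string]::IsNullOrWhiteSpace($homeDir)) {
                $finding = 'No home directory set'
            }
            elseif (-not (Test-Path -LiteralPath $homeDir -PathType Container)) {
                $finding = 'Home directory missing or unreachable'
            }
            else {
                # Collect Allow ACEs held by anyone other than the user or the trusted SIDs.
                $others = @((Get-Acl -LiteralPath $homeDir).Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' } |
                    Where-Object {
                        $sid = $_.IdentityReference.Translate($sidType).Value
                        $sid -ne $user.SID.Value -and $sid -notin $trusted
                    } |
                    ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
                if ($others.Count -gt 0) { $finding = 'Other principals hold Allow ACEs' }
            }

            [pscustomobject]@{
                User          = $user.SamAccountName
                HomeDirectory = $homeDir
                Finding       = $finding
                OtherAccess   = $others -join '; '
            }
        }
}

# 'SFTP-Users' is a placeholder group name.
Test-UserHomeReadiness -GroupName 'SFTP-Users' | Format-Table -AutoSize -Wrap
```

Any row whose Finding is not `OK` identifies a group member who would either have no usable root directory or whose home folder is readable or writable by other accounts at the OS level.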
Please note: true impersonation is only possible when the user logs in using his/her Windows or AD password. Logging in with PKI is handled internally by Syncplify.me Server! and does not initiate the impersonation process. Therefore, if you need to authenticate your Windows/AD users via PKI, we recommend you use multi-factor authentication and authenticate them both with PKI and with their password.