
How to run Xlight FTP System Service using a non-admin account

Normally you should run Xlight FTP Server System Service using an account from the "Local Administrators" group. But if you want to run it using a non-admin account, you need to set the following:

For example, suppose you have a "test" user who belongs to the "Standard User" group, and you want the "test" user to run the Xlight FTP Server System Service.

1. The "test" account must be able to read and write the Xlight FTP configuration files. There are 5 files: "ftpd.hosts", "ftpd.option", "ftpd.password", "ftpd.rules" and "ftpd.users". You must give the "test" user Full Control of those files.

For security reasons, since 3.9.2.5, configuration files created by Xlight FTP can only be accessed by Administrators and the owner (the user who modified those files).

If you configured Xlight FTP before and, on opening the Xlight GUI, cannot see any of the old settings, the current user may not be the owner of those files. You need to change the owner of those files.

When Xlight is running as a System Service, the configuration files will be modified only by the Xlight FTP Service. The account running the Xlight FTP service will be the owner of those files. The Xlight FTP GUI (Admin Console) needs Administrator rights to run, but will not modify the configuration files.


You must also give the "test" user Full Control of the folder where the Xlight FTP Server program resides; otherwise, the Xlight GUI (Admin Console) will get an error when talking to the Xlight FTP service program.


2. You need to modify the Service Permissions to allow the "test" user to start and stop the service. You can use Sysinternals Process Explorer to modify Service Permissions.


3. If you use the SSL function, you need to give the user "test" Read access to the private key of the certificate. Launch MMC, use Add/Remove Snap-in and choose Certificates. Find the correct certificate in the "Local Computer" group. Select it, right-click and choose "Properties > Manage Private Keys…". Add read permission for the "test" user.


If you are still using an old Windows Server OS and cannot see the above menu, you may need to use "WinHttpCertCfg.exe" to allow the user to access the private key of the certificate. You can check the Microsoft link for how to download and use it.

4. If you use the SFTP function, you need to give the user "test" Read access to the SSH host key. Go to the folder "C:\ProgramData\Microsoft\Crypto" or "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto" or, depending on the OS, the other place where the Microsoft Crypto machine key is stored.

For the RSA SSH host key, go to the sub-folder "RSA\MachineKeys"; for the DSS SSH host key, go to the sub-folder "DSS\MachineKeys". There may be several files under it, and each file corresponds to one machine key. You cannot tell from its name which file is the SSH host key used by Xlight FTP.

You need to find the file used by the Xlight FTP Server and give the "test" user Read permission. If you know the time the Xlight SSH host key was created or imported, you can use it as a hint to find the correct file. If you don't know when the SSH host key was created, you can try giving the user "test" read permission to one file at a time, then make an SFTP connection to the Xlight FTP Server and check whether there is any error. If you can make an SFTP connection without any error, then you have found the correct file.
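
A scripted version of steps 1 and 4, added here as an example and not part of Xlight's own tooling. It assumes an elevated PowerShell session, a local account named "test", and a placeholder `$ConfigDir` that you must point at the folder holding your ftpd.* files; the function names and the revoke step for a wrong guess are additions of this example.

```powershell
# Added example (not Xlight code). Run from an elevated PowerShell session.
# Assumptions: $ConfigDir is a PLACEHOLDER for the folder holding ftpd.* files;
# $Account is the local "test" user from the text; $KeyDir is the RSA machine
# key folder under the C:\ProgramData location named in step 4.
$Account   = "$env:COMPUTERNAME\test"
$ConfigDir = 'C:\Path\To\XlightConfig'   # placeholder, adjust before use
$KeyDir    = 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys'

# Step 1: Full Control on the five configuration files, and only those files.
function Grant-ConfigAccess {
    foreach ($name in 'ftpd.hosts','ftpd.option','ftpd.password','ftpd.rules','ftpd.users') {
        $path = Join-Path $ConfigDir $name
        if (Test-Path -LiteralPath $path) {
            icacls $path /grant "${Account}:(F)" | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $path" }
        } else {
            Write-Warning "Missing: $path"
        }
    }
}

# Step 4: list machine key files newest first, with owner, so the file can be
# matched against the time the SSH host key was created or imported.
function Get-MachineKeyCandidates {
    Get-ChildItem -LiteralPath $KeyDir -File -Force |
        Sort-Object CreationTime -Descending |
        ForEach-Object {
            $owner = try { (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner }
                     catch { '<access denied>' }
            [pscustomobject]@{ Name = $_.Name; Created = $_.CreationTime; Owner = $owner }
        }
}

# Grant Read on ONE key file at a time, as the text describes.
function Grant-KeyRead ([string]$Name) {
    icacls (Join-Path $KeyDir $Name) /grant "${Account}:(R)"
}

# Undo a wrong guess so "test" does not keep Read on unrelated machine keys.
# /remove:g drops every right granted to the account on that file.
function Revoke-KeyRead ([string]$Name) {
    icacls (Join-Path $KeyDir $Name) '/remove:g' $Account
}

# Typical sequence:
#   Grant-ConfigAccess
#   Get-MachineKeyCandidates | Format-Table -AutoSize
#   Grant-KeyRead  '<file name>'    # then test an SFTP connection
#   Revoke-KeyRead '<file name>'    # if SFTP still fails, before the next try
```

For a DSS host key, point `$KeyDir` at the "DSS\MachineKeys" sub-folder instead.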