Active Directory users cannot delete files or folders created by Cerberus native users.

Active Directory (AD) users are impersonated by Cerberus when they log in to the server.  User impersonation means that all file access and file operations carried out by that AD user are done as if it were the actual AD user logged into the machine and carrying out those operations.

For native Cerberus users, there is no impersonation going on.  The Cerberus FTP Server Windows Service is performing file access operations under whatever account is running the service.  Cerberus runs under the Local System account by default.  This means that directories and files are created under and owned by the Local System account whenever Cerberus users perform file operations.

Problems can occur because AD users usually do not have permission to delete files or directories created under the Local System account.  This problem is common when mixing AD users and native users.


One solution is to run the Cerberus FTP Server Windows Service under a different account from Local System, such as a domain user account.

There are two caveats to changing the underlying service account.  One is that the existing Cerberus settings files were created under the Local System account, so switching the Cerberus Windows Service to another account will probably mean that the service will not be able to overwrite the existing settings files created under the Local System account.  This will lead to errors when the service tries to save any settings or user changes. The problem is relatively easy to fix.  You just have to adjust the ownership of the Cerberus settings directory and all subdirectories and files to the new account running the service.

The settings files are all in

C:\ProgramData\Cerberus LLC\Cerberus FTP Server

on Windows Vista, Windows 2008 and above


The second issue is that the service will always be reset to use the Local System account whenever you upgrade.  You have to switch the service account back to the domain account after upgrading to a new version.
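
The following PowerShell script is an added example, not code from Cerberus, that checks both caveats above: whether the service still runs under the intended account (for example after an upgrade) and whether anything in the settings directory is owned by a different account. The service name and the account are placeholders you must supply; run it from an elevated prompt, and pass -Fix to apply the changes.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory)] [string] $ServiceName,  # placeholder: find it with Get-Service
    [Parameter(Mandatory)] [string] $Account,      # placeholder, e.g. 'EXAMPLE\svc-ftp'
    [string] $SettingsDir = 'C:\ProgramData\Cerberus LLC\Cerberus FTP Server',
    [switch] $Fix                                  # without -Fix the script only reports
)

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found." }

# 1. Logon account: an upgrade resets it to Local System.
if ($svc.StartName -ne $Account) {
    Write-Warning "Service runs as '$($svc.StartName)', expected '$Account'."
    if ($Fix) {
        $cred = Get-Credential -UserName $Account -Message 'Service account password'
        $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
            StartName     = $Account
            StartPassword = $cred.GetNetworkCredential().Password
        }
        if ($result.ReturnValue -ne 0) {
            throw "Win32_Service.Change failed with code $($result.ReturnValue)."
        }
        Write-Host 'Logon account changed; restart the service for it to take effect.'
    }
}

# 2. Ownership: list settings files and folders not owned by the service account.
$sidType = [System.Security.Principal.SecurityIdentifier]
$wanted  = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value
$items   = @(Get-Item -LiteralPath $SettingsDir -Force) +
           @(Get-ChildItem -LiteralPath $SettingsDir -Recurse -Force)
$foreign = @($items | Where-Object {
    (Get-Acl -LiteralPath $_.FullName).GetOwner($sidType).Value -ne $wanted
})
Write-Host "$($foreign.Count) of $($items.Count) items are not owned by $Account."

if ($Fix -and $foreign.Count -gt 0) {
    # /T recurses into subdirectories, /C continues past per-file errors.
    icacls $SettingsDir /setowner $Account /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls exited with code $LASTEXITCODE." }
    Write-Host 'Ownership updated.'
}
```

The account also needs the "Log on as a service" right, which the Services console grants when you set the account there but this script does not.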

