RWW: Allow only OWA to one user group, allow OWA and Remote Desktop to another user group?

Hi Folks,

My customer wants her field sales reps to access only OWA, but wants her execs
to access both OWA and Remote Desktop.

Is this doable? I know how to disable particular RWW features for all users,
but not sure whether it can be done selectively, based on user group.

Thanks.

Frank




Frank Denman
Denman Systems

Please delete the "x" from my email address.

 

Hello Frank,

Thank you for posting to the SBS Newsgroup.

I understand that you want to enable OWA on all domain clients, but disable
Remote Desktop feature on some domain clients. If I have misunderstood your
concern, please let me know.

To enable OWA, you need to rerun CEICW. Check the box "Outlook Access".

a. Open Server Management\Standard Management\To Do Lists.

b. Click Connect to the Internet.

c. Run the Configure E-mail and Internet Connection Wizard.

d. Connection Type: Do not change Connection Type.

e. Firewall: Enable Firewall.

f. On the "Web Services Configuration", make sure "Allow access to the
entire Web site from the Internet" is selected. If you select "Allow access
to only the following Web site services from the Internet", make sure
"Outlook Web Access" and "Remote Web Workplace" are checked. Click Next.

g. Go through the remaining steps.

For more detail steps, please see:

825763 How to configure Internet access in Windows Small Business Server
2003
http://support.microsoft.com/?id=825763

==========

I am not sure what OS is running on your client workstations, please note
Remote Desktop is only available in Windows XP Professional.

So if your client workstations are running Windows XP Professional, please
see my following steps:

1. Open Group Policy Management from Administrative Tools.

2. Expand to Forest\Domains\DomainName\Group Policy Objects.

3. Right click Small Business Server Remote Assistance Policy and select
Edit.

4. Expand to Computer Configuration\Administrative Templates\Windows
Components\Terminal Services.

5. Double-click the Allows users to connect remotely using Terminal
Services setting. To disable Remote Desktop, click Disabled.

6. Close the Group Policy Object Editor Window.

7. Open Active Directory Users and Computes window.

8. Expand to DomainName\MyBusiness\Computers\SBSComputers.

9. Right click SBSComputers, select New -> Organizational Unit.

10. Move those computers which you want to disable RDP from SBSComputers to
the New OU you just created in step 9.

11. Link the GPO "Small Business Server Remote Assistance Policy" to "Group
Policy Management\ Forest\Domains\DomainName\MyBusiness\Computers\New OU".

12. Open a command window, type "gpupdate" (without quotation marks) to
update the new group policy.

13. Test the issue.

For more detail information, please see:

Enable or disable Remote Desktop
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serve
rHelp/1e4a44de-2be1-4d29-9387-9f04b79cc17a.mspx

306300 How to Disable Remote Desktop by Using Group Policy
http://support.microsoft.com/?id=306300

Hope this information helps. If you have any further questions or concerns,
please feel free to let me know. I am looking forward to hearing from you!

Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

 

Hi Brandy,

I think we're not quite on the same page. You have provided instructions for
placing selected computers in a new OU and then disabling Remote Desktop for
computers in the new OU.

What I need to do is place selected *users* in a new User Group and then deny
use of Remote Desktop to that User Group. I have lots of email users who never
touch an office computer; I want them to see their email in OWA but *not* to be
able to RDP to any computers on the LAN.

Perhaps this is not really an RDP question. Maybe what I should be asking is
whether I can deny a User Group the right to log on either at the console or
via RDP but still allow the User Group to view/send email in OWA.

Thanks for your help.

Frank
---------------------------

Frank Denman
Denman Systems

Please delete the "x" from my email address.

 

I think you'll find a Remote Web Workplace Users group. Members of this
group can <guess what>. OWA is configured seperately - in the Exchange
Features tab of the user properties.

I think you'll be able to take it from here ;-).

 

Hello Frank,

Thank you for posting back!

Thanks a lot for Les' input!

From your reply, I understand that you want to disable some clients to use
RDP from the Internet. I am not sure how they use RDP from the Internet,
through VPN or RWW. So please see my following general suggestions:

Because members of the Remote Desktop Users group are granted the right to
logon remotely through RDP, we can deny them to use RDP through Group
Policy method. To do so,

1. Right click Small Business Server Remote Assistance Policy and select
Edit.

2. Computer Configuration\Windows Settings\Security Settings\Local
Polices\User Rights Assignment.

3. On the right pane, double click "Deny log on through Terminal Services".

4. Check the box "Define these policy settings".

5. Click "Add User or Group" and add the users in.

6. Apply this GPO to the OU you want to deny to use RDP.

If you have any further questions or concern, please feel free to let me
know. I am looking forward to hearing from you!


Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

 

Thank you, Les & Brandy. Problem solved!

Frank

Frank Denman
Denman Systems

Please delete the "x" from my email address.

 

Hello Frank,

Thank you for posting back and keeping us updated!

I am glad to hear that thing is working correctly on your side now. If you
need any assistance regarding SBS server in the future, please feel free to
post back to this Great Newsgroup. We are glad to be working with you
again!

Again, thank you for using Microsoft newsgroup. Have a nice day!


Best regards,

Brandy Nee

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security
======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------

<>