RWW: Allow only OWA to one user group, allow OWA and Remote Desktop to another user group?

Discussion in 'Windows Small Business Server' started by Frank B Denman, Nov 9, 2005.

  1. Hi Folks,

    My customer wants her field sales reps to access only OWA, but wants her execs
    to access both OWA and Remote Desktop.

    Is this doable? I know how to disable particular RWW features for all users,
    but not sure whether it can be done selectively, based on user group.

    Thanks.

    Frank




    Frank Denman
    Denman Systems

    Please delete the "x" from my email address.
     
    Frank B Denman, Nov 9, 2005
    #1
    1. Advertisements

  2. Hello Frank,

    Thank you for posting to the SBS Newsgroup.

    I understand that you want to enable OWA on all domain clients, but disable
    Remote Desktop feature on some domain clients. If I have misunderstood your
    concern, please let me know.

    To enable OWA, you need to rerun CEICW. Check the box "Outlook Access".

    a. Open Server Management\Standard Management\To Do Lists.

    b. Click Connect to the Internet.

    c. Run the Configure E-mail and Internet Connection Wizard.

    d. Connection Type: Do not change Connection Type.

    e. Firewall: Enable Firewall.

    f. On the "Web Services Configuration", make sure "Allow access to the
    entire Web site from the Internet" is selected. If you select "Allow access
    to only the following Web site services from the Internet", make sure
    "Outlook Web Access" and "Remote Web Workplace" are checked. Click Next.

    g. Go through the remaining steps.

    For more detail steps, please see:

    825763 How to configure Internet access in Windows Small Business Server
    2003
    http://support.microsoft.com/?id=825763

    ==========

    I am not sure what OS is running on your client workstations, please note
    Remote Desktop is only available in Windows XP Professional.

    So if your client workstations are running Windows XP Professional, please
    see my following steps:

    1. Open Group Policy Management from Administrative Tools.

    2. Expand to Forest\Domains\DomainName\Group Policy Objects.

    3. Right click Small Business Server Remote Assistance Policy and select
    Edit.

    4. Expand to Computer Configuration\Administrative Templates\Windows
    Components\Terminal Services.

    5. Double-click the Allows users to connect remotely using Terminal
    Services setting. To disable Remote Desktop, click Disabled.

    6. Close the Group Policy Object Editor Window.

    7. Open Active Directory Users and Computes window.

    8. Expand to DomainName\MyBusiness\Computers\SBSComputers.

    9. Right click SBSComputers, select New -> Organizational Unit.

    10. Move those computers which you want to disable RDP from SBSComputers to
    the New OU you just created in step 9.

    11. Link the GPO "Small Business Server Remote Assistance Policy" to "Group
    Policy Management\ Forest\Domains\DomainName\MyBusiness\Computers\New OU".

    12. Open a command window, type "gpupdate" (without quotation marks) to
    update the new group policy.

    13. Test the issue.

    For more detail information, please see:

    Enable or disable Remote Desktop
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Serve
    rHelp/1e4a44de-2be1-4d29-9387-9f04b79cc17a.mspx

    306300 How to Disable Remote Desktop by Using Group Policy
    http://support.microsoft.com/?id=306300

    Hope this information helps. If you have any further questions or concerns,
    please feel free to let me know. I am looking forward to hearing from you!

    Best regards,

    Brandy Nee

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security
    ======================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.



    --------------------
     
    Brandy Nee [MSFT], Nov 10, 2005
    #2
    1. Advertisements

  3. Hi Brandy,

    I think we're not quite on the same page. You have provided instructions for
    placing selected computers in a new OU and then disabling Remote Desktop for
    computers in the new OU.

    What I need to do is place selected *users* in a new User Group and then deny
    use of Remote Desktop to that User Group. I have lots of email users who never
    touch an office computer; I want them to see their email in OWA but *not* to be
    able to RDP to any computers on the LAN.

    Perhaps this is not really an RDP question. Maybe what I should be asking is
    whether I can deny a User Group the right to log on either at the console or
    via RDP but still allow the User Group to view/send email in OWA.

    Thanks for your help.

    Frank
    ---------------------------

    Frank Denman
    Denman Systems

    Please delete the "x" from my email address.
     
    Frank B Denman, Nov 10, 2005
    #3
  4. I think you'll find a Remote Web Workplace Users group. Members of this
    group can <guess what>. OWA is configured seperately - in the Exchange
    Features tab of the user properties.

    I think you'll be able to take it from here ;-).
     
    Les Connor [SBS Community Member - SBS MVP], Nov 10, 2005
    #4
  5. Hello Frank,

    Thank you for posting back!

    Thanks a lot for Les' input!

    From your reply, I understand that you want to disable some clients to use
    RDP from the Internet. I am not sure how they use RDP from the Internet,
    through VPN or RWW. So please see my following general suggestions:

    Because members of the Remote Desktop Users group are granted the right to
    logon remotely through RDP, we can deny them to use RDP through Group
    Policy method. To do so,

    1. Right click Small Business Server Remote Assistance Policy and select
    Edit.

    2. Computer Configuration\Windows Settings\Security Settings\Local
    Polices\User Rights Assignment.

    3. On the right pane, double click "Deny log on through Terminal Services".

    4. Check the box "Define these policy settings".

    5. Click "Add User or Group" and add the users in.

    6. Apply this GPO to the OU you want to deny to use RDP.

    If you have any further questions or concern, please feel free to let me
    know. I am looking forward to hearing from you!


    Best regards,

    Brandy Nee

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security
    ======================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.



    --------------------
     
    Brandy Nee [MSFT], Nov 11, 2005
    #5
  6. Thank you, Les & Brandy. Problem solved!

    Frank

    Frank Denman
    Denman Systems

    Please delete the "x" from my email address.
     
    Frank B Denman, Nov 15, 2005
    #6
  7. Hello Frank,

    Thank you for posting back and keeping us updated!

    I am glad to hear that thing is working correctly on your side now. If you
    need any assistance regarding SBS server in the future, please feel free to
    post back to this Great Newsgroup. We are glad to be working with you
    again!

    Again, thank you for using Microsoft newsgroup. Have a nice day!


    Best regards,

    Brandy Nee

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security
    ======================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.



    --------------------
    <>
     
    Brandy Nee [MSFT], Nov 15, 2005
    #7
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.