Remote Web Workplace access
- I have some users who I specifically set to DENY ACCESS in the Dial-In tab of Active Directory, yet they are still able to log into their computers and the server. Any ideas?
- Moved by Wilson Jia MSFT, Moderator, Wednesday, November 04, 2009 2:52 AM (From: General)
All Replies
- The DENY Access attribute found in the "Dial-Up" tab is specifically used for Remote Access. If you want to restrict which computers the user can login to, there are a few ways you can go about this.
If it is a single user, or just a handful, you can access the user's properties, click on the "Account" tab, then click on "Log On To". There you can type in the names of the computers that the user can login to. If you do not want the user to be able to logon to any domain computers, then type in a bogus computer name.
Additionally, if you want to control who can and cannot logon to a grouping of computers, you should apply a group policy object at the OU level and modify the computer configuration of the policy. Go to the policies section, Windows settings, Security Settings, Local Policies, User Rights Assignment. From there you can modify the "Allow Log on Locally" and/or "Deny Log On Locally" rights.
- Thanks! This helped me with the issue where they could log on to the server, but I can't figure out how to.
Now my issue is that they can log via Remote Web Workplace to their computers. I can't apply a permission for them to not logon to that machine because they would need to logon locally, just not remotely.
I removed the "Remote Web Workplace" group, but since the user is an administrator it seems they can still logon.
- Hi Repnescasb,
You can use the option "Deny this user permissions to log on the Remote Desktop Session Host Server" which is under the user account's Properties -> Terminal Service profile to restrict user remote logon.
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
Marked As Answer by Wilson Jia MSFT, Moderator, Friday, November 06, 2009 3:06 AM
- Thanks Wilson, that worked too!
On a side note, they can still technically log into the Remote Web interface, and thus can still see the computers. Granted they cannot log into them now but is there a way to block them from logging into the interface?
Would be nice if when they got to the screen at /Remote/Default.aspx it could completely block them from entering except for the users I permit.
- Hi,
As you mentioned the Remote Web Workspace, are you using an SBS Domain in your environment? If so, you can simply remove the users from the security group "Remote Web Workspace Users" to prevent them from logging into the Remote Web Workspace.
Note: When you create the user from SBS Wizard, it will add the user into "Remote Web Workspace Users" group automatically. If you create the user in Active Directory Computers and Users, it will add the user into this group.
For your information:
http://blogs.technet.com/essentialbusinessserver/archive/2009/02/26/what-s-in-a-name-the-remote-web-workplace-users-group-in-ebs-2008.aspx
Hope it helps.
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
Proposed As Answer by Wilson Jia MSFT, Moderator, Wednesday, November 04, 2009 7:38 AM
- Well that's what I was saying a few posts up. The users in question AREN'T in the Remote Web Workplace group, yet they're still allowed to login to the interface. But also, once there they can't do anything because of other restrictions.
This is SBS 2003 btw.
- Hi Repnescasb,
You cannot prevent admin users from accessing the Remote Web interface as they are administrators. You can only deny them logging on to their computer remotely, which I mentioned in the above reply.
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
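
Added example, not part of the original thread or any poster's code: a read-only PowerShell audit that reports, per account, the separate controls the replies above distinguish (Dial-in permission, "Log On To" workstations, the Terminal Services logon setting, and group membership). It assumes PowerShell 3.0 or later on a domain-joined machine; the function name, the default group name and the sample account names are assumptions.

```powershell
# Added example: read-only audit of the separate controls this thread distinguishes.
# Group name default and account names are assumptions; adjust for your domain.
function Get-RemoteAccessControls {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[\w.\- ]+$')]   # keep LDAP filter metacharacters out
        [string[]]$SamAccountName,
        [string]$RwwGroup = 'Remote Web Workplace Users'
    )
    foreach ($name in $SamAccountName) {
        $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
        foreach ($attr in 'msNPAllowDialin', 'userWorkstations', 'memberOf') {
            [void]$searcher.PropertiesToLoad.Add($attr)
        }
        $hit = $searcher.FindOne()
        if (-not $hit) { Write-Warning "User '$name' not found"; continue }
        $p = $hit.Properties   # keys are lower-cased by DirectorySearcher

        # Dial-in tab: TRUE = allow, FALSE = deny, absent = left to policy.
        # Governs remote access (dial-up/VPN) only, not interactive or RDP logon.
        $dialIn = if ($p.Contains('msnpallowdialin')) { [bool]$p['msnpallowdialin'][0] } else { 'NotSet' }

        # Account tab > "Log On To": empty means any computer.
        $logOnTo = if ($p.Contains('userworkstations')) { [string]$p['userworkstations'][0] } else { 'Any' }

        # Terminal Services Profile tab: the "deny logon" checkbox, read via IADsTSUserEx.
        try   { $tsAllowed = [bool]([adsi]$hit.Path).psbase.InvokeGet('AllowLogon') }
        catch { $tsAllowed = 'Unknown' }

        # Direct memberships only; nested groups and the primary group are not expanded.
        $groups = @()
        if ($p.Contains('memberof')) {
            $groups = @($p['memberof'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
        }
        [pscustomobject]@{
            User           = $name
            DialInAllowed  = $dialIn
            LogOnTo        = $logOnTo
            TSLogonAllowed = $tsAllowed
            InRwwGroup     = $groups -contains $RwwGroup
            DirectAdmin    = [bool]($groups | Where-Object { $_ -in 'Domain Admins', 'Administrators' })
        }
    }
}

# Constructed sample account names:
Get-RemoteAccessControls -SamAccountName 'jsmith', 'adoe' | Format-Table -AutoSize
```

A row showing `DialInAllowed` False with `TSLogonAllowed` True and `DirectAdmin` True matches the situation described in the thread: the Dial-in deny is set, but remote desktop logon and the web interface are governed by other settings.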

