Re: Remote web workplace
- From: "Cris Hanna [SBS-MVP]" <crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 21 May 2007 21:07:54 -0500
RWW uses TSWeb so yes it very much has to do with Terminal Services
You can be a member of RWW and still not be able to do it if under Default Domain Controller Security Policy, Logon via Terminal Services is defined and certain users/groups are left out or you can define logon denied via Terminal Services in the same area
They might be members of RWW but if they are denied in that area...won't happen
--
Cris Hanna [SBS-MVP]
------------------------------
Please do not contact me directly, only respond in the Newsgroups
MVPs do not work for Microsoft
------------------------------
Send via Windows Mail on Vista Ultimate connected to SBS 2003 R2
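Added example, not part of the original post or the poster's own code: an offline version of the check described above, run against a user-rights export made with `secedit /export /cfg rights.inf /areas USER_RIGHTS`. It reports whether an account is denied, allowed, or simply left out of "log on through Terminal Services"; the INF sample, the domain SID and the accounts are constructed, and only S-1-5-32-544 is a real well-known SID.

```python
"""Offline check of Terminal Services logon rights in a secedit export."""

ALLOW = "SeRemoteInteractiveLogonRight"      # Allow log on through Terminal Services
DENY = "SeDenyRemoteInteractiveLogonRight"   # Deny log on through Terminal Services

ADMINS = "S-1-5-32-544"                      # BUILTIN\Administrators (well-known SID)
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
RWW_GROUP = DOM + "-1120"                    # constructed: RWW users group
LOCAL_ADMIN = DOM + "-1131"                  # constructed: on-site admin, weaker password
REMOTE_ADMIN = DOM + "-1132"                 # constructed: remote admin, stronger password
OFFICE_USER = DOM + "-1140"                  # constructed: ordinary user

# Constructed sample in the INF layout that secedit writes for USER_RIGHTS.
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
{ALLOW} = *{ADMINS},*{RWW_GROUP}
{DENY} = *{LOCAL_ADMIN}
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs/names} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def ts_logon_decision(rights, token_sids):
    """token_sids: the account's own SID plus the SIDs of its groups."""
    token = set(token_sids)
    denied = rights.get(DENY, set()) & token
    if denied:                               # a deny entry overrides any allow entry
        return ("deny", sorted(denied))
    if ALLOW not in rights:                  # right absent from this export
        return ("not-defined", [])
    hit = rights[ALLOW] & token
    return ("allow", sorted(hit)) if hit else ("left-out", [])

if __name__ == "__main__":
    r = parse_privilege_rights(SAMPLE_INF)
    for who, tok in [("local admin", [LOCAL_ADMIN, ADMINS]), ("remote admin", [REMOTE_ADMIN, ADMINS]),
                     ("RWW user", [OFFICE_USER, RWW_GROUP]), ("non-member", [OFFICE_USER])]:
        print(who, ts_logon_decision(r, tok))
```
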
"Doug Taylor" <dtaylor@xxxxxxxxxx> wrote in message news:eZcqSd%23mHHA.1240@xxxxxxxxxxxxxxxxxxxxxxx
Ok
So in short.
1. There are not any group policy settings that can be changed to allow or deny users access to RWW. eg in Terminal services u can allow or deny users in the group policy or by group membership.
2. VPN rights have nothing to do with RWW
3. Terminal Services rights have nothing to do with RWW
4. To use RWW u must be a member of the RWW group.
5. Once connected thru RWW, TS rights will limit yr access to different machines (these rights can be set up in Group policy).
6. The only place where we can control which users can use RWW is in the membership of the RWW group.
Grey area now????
7. A user with admin rights automatically has RWW rights and these rights cannot be removed (if I check the membership of the RWW group the administrator is not listed but RWW can still be used)
OR
8. Remove the admin template from the RWW group before giving a user admin rights; This user will then not have RWW rights.
.....
We do want to use RWW for some users so disabling RWW for all users is not an option.
Once again....Thanks
"Cris Hanna [SBS-MVP]" <crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:%230BuJV7mHHA.4412@xxxxxxxxxxxxxxxxxxxxxxx
Agree with Henry, changing the Admin Template has no effect on current users
I'd like to be clear on terminology so we make sure we are talking about the same thing
When I say Administrator....this is typically, in the small business setting, the person who has overall responsibility for setting up and maintaining the network and all related access (i.e. new user accounts, security on folders, new shares, printers, etc.) The nature of the job requires unfettered access to all resources.
In some businesses, this is a company employee; in some this role is contracted out. In either circumstance, the individual holding that role, pretty much requires complete access. If this is a contracted individual, then remote access will certainly be essential.
In the companies I administer and support, I have unrestricted access to everything, two of the companies use Quickbooks. I have unrestricted access to the Quickbooks share, but I DO NOT have an account in the Quickbooks application. So even if I hijack the file...it's of little use
But I also have a written agreement with my customers, which holds me financially and legally responsible for the unauthorized disclosure of any and all company confidential information to which I may have access in the course of performing my duties.
As Henry suggested, if you have Office personnel who have a need to perform "elevated" tasks from time to time, a second user account for those folks should be created with those privileges.
You should check the membership of the Remote Web Security Group and modify if necessary
You may also have to modify the "Default Domain Security Policy" (think I got that right) and look at the permission to "logon via terminal services"
--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues
"Doug Taylor" <dtaylor@xxxxxxxxxx> wrote in message news:uwLXmFmmHHA.4032@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for your reply.
It's not a question of trusting the admin, we just don't want administrators connecting to our network remotely.
We have a local domain administrator that has all the rights blah blah and has a weaker password. We then have a remote admin user that is also a domain admin, has a stronger password and is able to connect over remote web workplace. In fact they are the same person. We however at times need to get the office manager to carry out certain tasks when we are unable to attend site. We give them the local admin user details. They don't have the skills (and would not want) to reconfigure the server to give themselves remote access and we trust them in this matter. However if these details fall into the wrong hands we would like to restrict access to RWW from this user (the local admin) so that they can't access the network externally through RWW.
This is not a matter of semantics but a question of how it is achieved. To test things we have removed the administrator template (the only reference to the administrator was the administrator template under the member tag) from the RWW group but the administrator is still able to connect using RWW.
1. Perhaps now the template has been removed we need to recreate the local admin users to remove his rights etc. ... worth a try.
2. Under group policy u can achieve things like restricting logon locally, access computer from the network etc but I have not found any setting related to RWW.
3. Do we have any control over which users can utilise RWW eg through GPolicy settings (have not seen any ).
Rather than the reasoning behind the question, does anyone know how to achieve the task at hand?
Once again thanks in advance
Cheers
Douglas
"Cris Hanna [SBS-MVP]" <crisnospamhanna@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:OWp$$CLmHHA.4772@xxxxxxxxxxxxxxxxxxxxxxx
Sure it's possible to remove them from the group..
What's to stop him from putting himself back? He is after all the admin
If you don't trust the Administrator of your network enough that you feel you have to start revoking privileges (that obviously he can restore)
It's time to get a new admin
--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues
"Doug Taylor" <dtaylor@xxxxxxxxxx> wrote in message news:%23wKGzTHmHHA.3484@xxxxxxxxxxxxxxxxxxxxxxx
Hiya
We are running sbs2003 r2. Is there any way to deny the administrator the ability to connect through remote web workplace? There don't seem to be any settings in the group policy for enabling or disabling users. I want the admin to be able to rdp into the server when connected to the local lan but not remotely from the internet. Is it possible to remove the administrator from the remote web workplace users group etc.?
Thanks
in advance
Douglas