Re: Remote access to member server
- From: "SuperGumby [SBS MVP]" <not@xxxxxxxxxxx>
- Date: Wed, 15 Aug 2007 20:05:47 +1000
I do not want him using an existing account, there is no reason he should
pretend to be me, Mary from accounts or Sam the secretary. If he wishes to
access the system he gets an account he is responsible for the actions of.
As a standardly defined user he should see any problem my other standard
users encounter, hence my wish that he does not have any form of elevated
privilege.
Another aspect of 'elevated privilege' is that I _don't_ want him installing
KB3c4a678ds, which I have 'declined' in WSUS because it breaks my 'other'
LOB application. If he needs it he talks to me, and we attempt to resolve
the conflict or find an alternate resolution.
The 'member server' is, according to the original post, also TS Apps mode.
Any action by this external party _may_ take my _many_ users offline. If he
can't deal with it I will return his employer's software as 'unfit for
purpose' and find an alternate method.
"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:eWzvlLu3HHA.1900@xxxxxxxxxxxxxxxxxxxxxxx
SuperGumby [SBS MVP] wrote:
Well, now that you raise the issue, I see no reason why the contractor
should be anything but a 'normal' user, subject him to the same
restrictions as your standard users. Like many things SBS such a
ruling (whether he is performing admin only) would be a legal
distinction the system doesn't know about and cannot track, _you_
define whether he is 'performing admin only'.
I've been watching and waiting for justification for even creating a
domain user account. So far, unless I missed it, I haven't seen it. Not
much detail about what the vendor needs to do on this 'member server' or
just what the application or purpose, but a local user account, member of
local administrators, and remote desktop group should handle what I've
digested so far. Just a thought a wee bit outside the box.
If forced to I'd make him a normal user but local admin on the TS.
I'd be reluctant to though, means some things may work for him but
not my normal users, same as them, if he wants something 'system
wide' done, I do it for him.
If the account requires wider admin privileges I would probably NOT
create the account using the wiz, I would do a manual domain user
creation and elevated membership. (same as I do for my 'backdoor'
account, an account having more complex than normal user/pass and
Domain Admin rights. The user/pass are not recorded by me, they are
put into an envelope (preferably 2) in a safe place in case the
client wants to lock me out.)
"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in
message news:e3TmcAt3HHA.600@xxxxxxxxxxxxxxxxxxxxxxx
can a specific account be set up for that use? I believe the latter.
Hi Super:
Where is the "setup specific account for that use" Wizard?
I think I was asleep during that portion of class.
:-)
Larry
"Larry Struckmeyer" <lstruckmeyer(at)mis-wizards(dot)com> wrote in
message news:%23JtDTqq3HHA.600@xxxxxxxxxxxxxxxxxxxxxxx
Hi:
Did not read the thread that Merv posted, so this may have been
covered. First, seems to me that once the LOB person is connected to
anything on your LAN, you have exposed your entire network to him.
Browse Network Neighborhood???
Second, he will need access, so either he is a 'user' or he is an
administrator. If he poses as one of the existing users, you
won't need a license for him, but you will want to change password
after he is done?
Third: have not tried this with SBS2003 as the front end, but for
years we VPN'd to the SBS 2000 servers, then RDP to the ip of our
choice, either the ip of the SBS or the IP of the TS. You might
could keep the LOB guy from logon to any system but the TS with
policies for that user? Larry
"Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx> wrote in
message news:Oc5xfcq3HHA.5740@xxxxxxxxxxxxxxxxxxxxxxx
Take a look at this thread Al...
SBS 2003 and ISA 2004, publish TS Server
http://groups.google.com/group/microsoft.public.windows.server.sbs/browse_thread/thread/f6e4d5e6ad382c4f/6d6db9c2395c8fc8?lnk=st&q=rww+isa+2004+terminal+server&rnum=1&hl=en#6d6db9c2395c8fc8
--
Merv Porter [SBS-MVP]
============================
"Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx> wrote in message
news:uYTsJJq3HHA.5984@xxxxxxxxxxxxxxxxxxxxxxx
What about outside of RWW - does anything exist to just go to the
remote login for that server?
The member server is a terminal server, so I suppose I should be
able to set it up for remote users to login to directly but I'm
not sure how (currently it is for internal LAN use only).
Thx
--
Allan Williams
"Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx> wrote in
message news:OLhuCdp3HHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
Hi Al,
Unfortunately, per user restrictions can't be done within RWW. Now,
if you want to always restrict access for that user (both
when on the LAN and when using RWW), you can use:
Server Management | Standard Management | Users | (rt click)
the user account | Properties | Account (tab) | Log On To... |
The Following Computers...
Then add the target member server to the list AND also add the
SBS server. You need the SBS server specified so that the user
can authenticate to the server when logging into RWW (however,
he will not be able to log onto the SBS server itself).
The user will "see" all workstations (and the member server) in
the RWW list of computers, but will only be able to log onto
the member server itself.
--
Merv Porter [SBS-MVP]
============================
"Al Williams" <donotreplydirect@xxxxxxxxxxxxxxxx> wrote in
message news:e5htnBo3HHA.4476@xxxxxxxxxxxxxxxxxxxxxxx
We have a contractor who needs remote access to a Windows 2003
member server in our SBS 2003 Premium network to do some
short-term maintenance on a LOB application we run on it. I
know I can get him remote access via the remote web workplace
(access server desktops) but is there any way to just give him
access to just the member server directly without using RWW? I
don't really want to expose the RWW interface to our entire
system to them if I don't have to. Thanks.
--
Allan Williams
--
/kj
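
Added example, not part of the thread: the "Log On To... | The Following Computers" restriction Merv describes, applied from PowerShell and then read back, together with a check that the contractor's account sits in no elevated group, as SuperGumby asks. It assumes a domain where the ActiveDirectory module is available (newer than the SBS 2003 in the thread); the account name `lobvendor` and the computer names `TS01` and `SBS01` are hypothetical.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module (RSAT)
# and a domain controller it can talk to. All names below are hypothetical.
Import-Module ActiveDirectory

function Set-ContractorLogonScope {
    param(
        [Parameter(Mandatory)] [string]   $Account,
        [Parameter(Mandatory)] [string[]] $AllowedComputers
    )
    # "Log On To... | The Following Computers" is stored as one comma-separated string.
    Set-ADUser -Identity $Account -LogonWorkstations ($AllowedComputers -join ',')

    # Read the value back rather than trusting the write.
    $user   = Get-ADUser -Identity $Account -Properties LogonWorkstations
    $actual = @("$($user.LogonWorkstations)" -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Direct memberships only; nested groups are not expanded here.
    $elevated = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                'Account Operators', 'Server Operators', 'Backup Operators'
    $groups = @(Get-ADPrincipalGroupMembership -Identity $Account |
                Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        Account        = $user.SamAccountName
        Missing        = @($AllowedComputers | Where-Object { $actual -notcontains $_ })
        Unexpected     = @($actual | Where-Object { $AllowedComputers -notcontains $_ })
        ElevatedGroups = @($groups | Where-Object { $elevated -contains $_ })
    }
}

# TS01 = the member server; SBS01 = the SBS server, listed so that the account
# can still authenticate when logging into RWW, as described in the thread.
$result = Set-ContractorLogonScope -Account 'lobvendor' -AllowedComputers 'TS01', 'SBS01'
$result | Format-List
if ($result.Missing -or $result.Unexpected -or $result.ElevatedGroups) {
    Write-Warning 'Contractor account does not match the intended restrictions.'
}
```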