What does the Change User Role wizard do?

[Today’s post comes to us courtesy Moloy Tandon.]

After you have migrated to SBS 2008 from SBS 2003 (or Windows 2003), you will notice that the AD users are not visible in the SBS console by default. This is because the users' AD attribute msSBSCreationState is not stamped with the value of Created.

You will see the same behavior if you create the users manually in AD.

To make the users visible in the SBS console, run the Change User Role wizard from the SBS Console -> Users and Groups -> Users tab.


Note: We don’t recommend editing the AD attribute manually, as the Change User Role wizard does much more than stamp the correct AD attribute: it also sets quota limits, configures Exchange-related settings, etc. We strongly recommend using the SBS-provided wizards to create/edit user accounts, as manually editing the AD attributes can give you unexpected results and may cause the SBS Console/Wizard to fail.

The Change User Role wizard modifies the following AD attributes for the users and makes them visible in the Windows SBS Console.

msSBSRoleGuid – Based on the role chosen, this AD attribute is stamped with the corresponding SBS role GUID (SBS 2008 offers three built-in user roles/templates: Network Administrator, Standard User, and Standard User with administration links). Remember, the GUIDs for the different roles are not constant values and will differ across installations.

msSBSCreationState – This AD attribute is stamped with the value of Created.
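To see which accounts the wizard has not yet processed, you can query the two attributes read-only. The script below is an added example, not part of the original post or of SBS itself; it assumes msSBSCreationState can be matched as a plain string in an LDAP filter, and the helper name Get-FirstValue is hypothetical.

```powershell
# Read-only audit: list AD users whose msSBSCreationState is not "Created"
# (attribute missing or holding another value). Nothing is written to AD.
# Assumption: the attribute is string-valued, so an equality filter applies.
$filter = '(&(objectCategory=person)(objectClass=user)(!(msSBSCreationState=Created)))'

$searcher = New-Object System.DirectoryServices.DirectorySearcher   # defaults to the current domain
$searcher.Filter   = $filter
$searcher.PageSize = 500   # page the results so large directories are not truncated
foreach ($attr in 'sAMAccountName', 'distinguishedName', 'msSBSCreationState', 'msSBSRoleGuid') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

# Hypothetical helper: first value of an attribute, or a marker when it is unset.
function Get-FirstValue($result, [string]$name) {
    # Keys in the result's property collection are lower-case.
    $values = $result.Properties[$name.ToLower()]
    if ($values -eq $null -or $values.Count -eq 0) { return '<not set>' }
    $v = $values[0]
    # Show binary values as hex rather than a list of numbers.
    if ($v -is [byte[]]) { return [BitConverter]::ToString($v) }
    return [string]$v
}

$results = $searcher.FindAll()
$rows = foreach ($r in $results) {
    $row = New-Object PSObject
    $row | Add-Member NoteProperty User          (Get-FirstValue $r 'sAMAccountName')
    $row | Add-Member NoteProperty CreationState (Get-FirstValue $r 'msSBSCreationState')
    $row | Add-Member NoteProperty RoleGuid      (Get-FirstValue $r 'msSBSRoleGuid')
    $row | Add-Member NoteProperty DN            (Get-FirstValue $r 'distinguishedName')
    $row
}
$results.Dispose()   # release the underlying directory search handle

$rows | Sort-Object User | Format-Table -AutoSize
```

Accounts listed here are the ones to run through the Change User Role wizard; the script only reports and leaves the stamping to the wizard.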


When you launch the wizard, you are presented with the following screen. Select the appropriate role you want to apply to the user. You are also given the option to either replace or add permissions/settings. Be aware that selecting replace will remove the existing settings and permissions on the user object. If you wish to keep your existing settings and permissions on the user object, choose Add user permissions or settings.


On the second page of the wizard, make sure you check the "Display all user accounts in the Active Directory" checkbox to see the list of all available user accounts. The only exception to this is the built-in Administrator account. This is by design.


Location of EXE and Log files:

C:\Program Files\Windows Small Business Server\Logs\ChangeUsersRole.log

C:\Program Files\Windows Small Business Server\Bin\ChangeUsersRole.exe