What’s in a Name? The Remote Web Workplace Users Group in EBS 2008

What’s in a Name? The Remote Web Workplace Users Group in EBS 2008

  • Comments 1
  • Likes

[Today’s post comes to us courtesy of Mark Stanfill]

EBS controls access to RWW through membership in the Remote Web Workplace Users group.  For most installations this should be a unique object.  For domains that have been migrated from SBS 2003, it is expected that there will be two groups with the same name, located in two different places in Active Directory.  The instructions to delete the SBS 2003 group are covered on page 15 of the Migrating from Windows Small Business Server 2003 to Windows Essential Business Server guide, but this seems to be a fairly common oversight.

clip_image002

This is a domain local security group located in the Users container in Active Directory (the SBS 2003 group is a universal security group).  Domain Users is a member by default.  You can also distinguish the two groups by the Description field.  The SBS 2003 Group has the value “Members of this group can access the Remote Web Workplace from the Internet.”, while the EBS 2008 group has a value of “Members in this group can access the Terminal Services Gateway and Remote Web Workplace”.   The pre-Windows 2000 group name for the SBS 2003 group is “Web Workplace Users”, where the EBS name is “Remote Web Workplace Users”.

clip_image004

For deployments that have migrated from SBS 2003, there will be two groups named “Remote Web Workplace Users”.  One group will be located in the MyBusiness\Security Groups OU, the other will be located in the Users container.  The Remote Web Workplace Users group located in the Users container is the one we want to keep.

clip_image005

Best Practice

Nothing will “break” if you keep both groups, but you will experience difficulty in distinguishing the groups by name when you go to add users to the group, set ACLs, or look at user group membership.  A typical troubleshooting scenario is “I’ve added my user to the group, but she still can’t log in to RWW/connect via VPN”.  You look at the user’s properties, and you really have to be paying attention to see which group is in use.

clip_image007

Best practice is to record the membership of the MyBusiness/Security Groups Remote Web Workplace Users group, delete that group, and then modify the membership of the Users container Remote Web Workplace Users group to add the accounts from the old group.

This table summarizes the differences between the two groups for reference:

 

Value/Attribute SBS 2003 EBS 2008
Name Remote Web Workplace Users Remote Web Workplace Users
Group type Universal security Domain local security
Pre-Windows 2000 Group Name Web Workplace Users Remote Web Workplace Users
Location MyBusiness\Security Groups OU Users container
Description Members of this group can access the Remote Web Workplace from the Internet.

Members in this group can access the Terminal Services Gateway and Remote Web Workplace

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment