[Today’s post comes to us courtesy of Mark Stanfill]
EBS controls access to RWW through membership in the Remote Web Workplace Users group. For most installations this should be a unique object. For domains that have been migrated from SBS 2003, it is expected that there will be two groups with the same name, located in two different places in Active Directory. The instructions to delete the SBS 2003 group are covered on page 15 of the Migrating from Windows Small Business Server 2003 to Windows Essential Business Server guide, but this seems to be a fairly common oversight.
This is a domain local security group located in the Users container in Active Directory (the SBS 2003 group is a universal security group). Domain Users is a member by default. You can also distinguish the two groups by the Description field. The SBS 2003 Group has the value “Members of this group can access the Remote Web Workplace from the Internet.”, while the EBS 2008 group has a value of “Members in this group can access the Terminal Services Gateway and Remote Web Workplace”. The pre-Windows 2000 group name for the SBS 2003 group is “Web Workplace Users”, where the EBS name is “Remote Web Workplace Users”.
For deployments that have migrated from SBS 2003, there will be two groups named “Remote Web Workplace Users”. One group will be located in the MyBusiness\Security Groups OU, the other will be located in the Users container. The Remote Web Workplace Users group located in the Users container is the one we want to keep.
Nothing will “break” if you keep both groups, but you will experience difficulty in distinguishing the groups by name when you go to add users to the group, set ACLs, or look at user group membership. A typical troubleshooting scenario is “I’ve added my user to the group, but she still can’t log in to RWW/connect via VPN”. You look at the user’s properties, and you really have to be paying attention to see which group is in use.
Best practice is to record the membership of the MyBusiness/Security Groups Remote Web Workplace Users group, delete that group, and then modify the membership of the Users container Remote Web Workplace Users group to add the accounts from the old group.
This table summarizes the differences between the two groups for reference:
Members in this group can access the Terminal Services Gateway and Remote Web Workplace