MSJoe


Filtering computer list in remote web workplace

I found a blog post that states it may be possible to filter the list of computers in RWW. I read the article but I am afraid I fully grasp what they are referring to. The selection of text that I am referring to is quoted below.

"In order for workstation RDP links to be exposed, there must be at least one XP workstation running with Remote Desktop Administration enabled. And only those machines with RDA enabled will show up in the list of client machines that can be connected to from RWW. In order for the application-sharing servers link to be exposed, the following criteria must be met:"

It almost seems like there is separate security that is monitoring and handling the management of RDP links? MOM? SMS?


 http://blogs.technet.com/sbs/archive/2006/11/03/remote-web-workplace-rww-part-ii-controlling-portal-access.aspx
Jeffrey Kane - TechSoEasy

No, there's no special security monitoring the management of RDP links at all.  

That entire section is about how various links appear on the RWW main menu.  So what it's saying is that if you have NO XP workstations with RDA enabled, then the "Connect to my computer at Work"/"Connect to Client Desktops" link won't even appear on the main menu.

But perhaps you can explain what you are wanting to do?  Because you mention "filtering" but you don't say why or what you are trying to achieve.

Jeff
TechSoEasy
MSJoe

ASKER

Sorry about that. This question is really about how to filter the computers that show up in "Connect to computer" in RWW. My goal is to remove computers from the list, or filter the list of computers that a user can see per group membership. The last item is a bit ridiculous and it isn't going to happen but that would be ideal. I know that the RWW app is built to add anything that is a server or a workstation when joined to the domain so anything I mention that I would like to do might not be possible. I thought I struck gold at first with that passage I quoted.

The easiest way to do what I want to do, short of actually removing computers from the list as I mentioned, would be to deny logon or implicitly allow logon through terminal services on a per user basis to their computer.

Well, first of all, a user cannot log onto a machine that they have not been
assigned to when you joined the computer to the domain with ConnectComputer.
This is because that process adds only the assigned user to the LOCAL
administrators group of that machine, and therefore only that user and domain
admins can log into the workstation remotely via RWW.

There was supposed to be a way to have the user's assigned computer be the
default for them when they access "Connect to my Computer at Work" .

If you look at the first part of that article on RWW (http://sbsurl.com/rww)
you'll see that it says this about that:

          This link opens the Computer Selection page that is populated with a
          list of all client computers on the network that are running Windows
          XP or above. If there is a user-to-computer mapping
          (%systemroot%\Inetpub\ClientSetup\usermap.txt) available, the known
          user's computer will be selected by default from the list. Otherwise
          the user will have to manually select his/her workstation from the
          list of available computers.

       
The usermap.txt file is generated when you run the Add User Wizard and allow it
to also add a computer for that user.

Unfortunately, this feature has never worked.  In fact there is no
ClientSetup directory in Inetpub.  Although the usermap.txt file DOES get
created in the Inetpub\ConnectComputer directory and would be referenced when using
ConnectComputer to automatically populate the Username when assigning users to
particular workstations on the screen shown here:  http://sbsurl.com/assign

So, users should already be prohibited from logging into machines which they
haven't been assigned to unless you've manually added all users to either the
LOCAL Administrators or Remote Desktop Users groups.

Jeff
TechSoEasy
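
The group-membership condition in the answer above can be checked per workstation. This is an added example, not part of the original thread or of SBS itself; the computer names are placeholders and the list of "broad" principals is an assumption about what "all users" would look like in a local group.

```powershell
# Audit which accounts can log on over Remote Desktop to each workstation by
# listing the two local groups named in the answer above.
$Computers = @('WS01', 'WS02')   # hypothetical workstation names; replace with your own
$Groups    = @('Administrators', 'Remote Desktop Users')
# Assumption: any of these in either group means every user can reach the machine.
$BroadPrincipals = @('Domain Users', 'Authenticated Users', 'Everyone')

function Get-LocalGroupMemberPath {
    param([string]$Computer, [string]$Group)
    # The WinNT ADSI provider reads local groups on remote machines,
    # including older clients without newer management cmdlets.
    $adsiGroup = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($member in @($adsiGroup.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $path -replace '^WinNT://', ''
    }
}

function Test-BroadPrincipal {
    param([string]$MemberPath)
    # Compare only the account name (last path segment) against the broad list.
    $name = ($MemberPath -split '/')[-1]
    return ($BroadPrincipals -contains $name)
}

$report = foreach ($computer in $Computers) {
    foreach ($group in $Groups) {
        try {
            foreach ($m in Get-LocalGroupMemberPath -Computer $computer -Group $group) {
                [pscustomobject]@{
                    Computer = $computer
                    Group    = $group
                    Member   = $m
                    Broad    = (Test-BroadPrincipal -MemberPath $m)
                }
            }
        } catch {
            # Unreachable or powered-off machines are reported, not silently skipped.
            Write-Warning "Could not read '$group' on ${computer}: $($_.Exception.Message)"
        }
    }
}

# Full listing, then only the entries that open a machine to everyone.
$report | Sort-Object Computer, Group | Format-Table -AutoSize
$report | Where-Object { $_.Broad } | Format-Table -AutoSize
```

Run it from an account with administrative rights on the workstations; an empty second table means no machine has one of the listed broad principals in either group.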

ASKER

That’s great to know, as I knew that assigning a user to a computer makes the user a local admin, but I did not know that using that process would only allow that user to connect to their assigned computer. I guess my next question would be about that usermap.txt. If I have a bunch of computers already installed on the network, can I just edit that text file and add the mappings in manually to avoid rejoining computers?

The usermap.txt file doesn't really do much other than pre-populate the "assign to" screen.

But if you're saying that the workstations weren't originally joined to the domain using ConnectComputer, then you need to rejoin them if you want to be able to take advantage of SBS's many features.  To do this, follow the steps I've outlined here:  http://sbsurl.com/rejoin

Jeff
TechSoEasy

ASKER

I understand. It would be great if the "Connect to computer" would just connect to the default computer rather than displaying the list, but I suppose it doesn't matter. You mentioned, "There was supposed to be a way to have the user's assigned computer be the default for them when they access 'Connect to my Computer at Work'." After reading the associated text, is there a reason why it doesn't work? I guess if SBS.com says it is, maybe there is a reason why it doesn't. Maybe it has to be set up correctly right from the start, or all the user-to-computer mappings have to be accounted for or else a list of computers is displayed?