SBS2003 Defining users who can use OWA but not Connect to their Computer at Work.

I have a standard installation of SBS2003 for a client. All users currently have the ability to access the Remote Web Workplace. However, I've been asked to only allow *some* to use the site to connect to their computer at work. I still want to allow everyone else to use Outlook Web Access. What's the best way to accomplish this?
Who is Participating?
Jeffrey Kane - TechSoEasyConnect With a Mentor Principal ConsultantCommented:
By default, the "User" template allows for RWW access to the user's desktop.  Rather than messing with this template, I would create a separate "security group" to add the users that you DON'T want to have access and then create a GPO which denies access to that group.  They can then use to directly access OWA and if they tried to use RWW they wouldn't succeed. (Although they would have the ability to access the companyweb from there which could be a good thing, generally.

If you like you can clone the "user" template and call it "restricted user" template... then add your new security group to the template's group membership so new users which fit this criteria will automatically be added.

The GP item which needs to be set is this:
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Logon through Terminal Services

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.