Outlook Web Access (OWA) Exchange 2003 and Small Business Server 2003 implementation

We installed a Small Business Server 2003 with Exchange 2003. We set up web access so all users could access their mail out of the office. The problem we started to experience was that users were able to access any computer on the network with their username and password. Under Server Management, in the users' account properties, you can configure the "Log On To" setting. We configured this so that the users could only access their specific machines. After altering this, users can no longer access OWA over the internet. They can only access OWA via the web browser on the machines listed in the Log On To list. Does anyone know of a workaround for this, or do we have to leave it so that users can log on to any computer on our domain if they need to access e-mail outside of the office?


You have to leave it that users can log on to our domain from any machine, otherwise they will not be able to access it from other machines.

Try adding the server name to the Log On To list.
gruntspeed (Author) Commented:
I had realised that, but I am looking for a workaround. This is simply not an option.

gruntspeed (Author) Commented:
Adding the server name has been done but does not work and is a security risk.

It may take some time for AD to replicate the change - on the other hand, it may still not be sufficient, either. When you are running OWA (in fact any authenticated application), though, you are logging on to the server. I really hope that someone can come up with a way around this for you, but I don't think there is one.
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:

You should not have entered anything in the Log Onto field.  Remove that and OWA will be fixed.

When you say that they could access any computer on the network with their username and password... are you referring to LOCAL login or REMOTE?

Because the design of an SBS network IS to allow them to log onto any workstation... but they do not have administrative privileges on any workstation except the one they are assigned to. Therefore, can you explain why this is a problem?

Basically you've created many problems by incorrectly solving another one... if you don't want users logging on to other workstations, there is a way to accomplish that, but it's not with the log onto field.

In our network, we use group policies to limit who can log onto what system. We also use OWA and have not seen a problem with unwarranted access. Group Policies is where you want logon limits applied. TechSoEasy is right in that you should remove entries into the "Log Onto" field.

I am not even sure that the Exchange server had anything to do with users' ability to log onto any workstation... unless during installation, a policy was created that would allow this, but I don't recall anything in the installation process other than the domain prep that would do this.

Hope that helps a bit.
gruntspeed (Author) Commented:
All I am looking for is a way to limit users' ability to move from one computer to the next without limiting their access to OWA.
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
You CAN limit the users' ability to move from one computer to the next by removing the "Domain Users" from the local Users group of the workstations. Then only the individual user account will remain in the Local Administrators group. This will essentially deny logon rights to any other user.

But don't use an actual "DENY" setting because that would override everything else and lock out even the assigned user.


gruntspeed (Author) Commented:
I have spent some time now looking for a way to limit access using the group policies but am getting nowhere. How do I limit user access to a single computer on the network using the group policies on my domain server?
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
Well, here's the problem. When you run connectcomputer to join a system to the network, part of that script adds the "Domain Users" to the local "users" group. This is done because usually an organization does NOT want to prohibit users from logging on to other machines... and this is the first time I've heard of wanting to do that.

It can't be corrected by Group Policy but it can be undone by creating a script... or manually opening the Computer Management Console for each machine (from the server) and changing the group membership.

I asked above, and would still ask why you are trying to do this... I have a feeling that you think this compromises the security of your systems in some way?  If you could explain a bit more about the reasons for wanting to do this, I am sure that I can provide you with either the information you need to know that it won't be a problem, or at least an alternative method to achieve the same goal.
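
The script route mentioned in the comment above could look like the following. This is an added example, not code from the thread or from SBS itself; it assumes PowerShell 2.0 or later on an admin machine with remote administrative access to the workstation, and `CONTOSO`, `WS-FIN-01`, `jsmith` and the function name `Set-AssignedUserOnly` are constructed placeholders.

```powershell
# Added example, not from the thread. CONTOSO, WS-FIN-01 and jsmith are
# constructed placeholders; Set-AssignedUserOnly is a hypothetical helper name.
function Set-AssignedUserOnly {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][string]$Domain,       # NetBIOS domain name
        [Parameter(Mandatory = $true)][string]$AssignedUser  # sAMAccountName
    )

    # Return the ADsPath of each member of a local group on the remote machine,
    # e.g. WinNT://CONTOSO/Domain Users
    $getMemberPaths = {
        param($group)
        @($group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
    }

    $users  = [ADSI]"WinNT://$ComputerName/Users,group"
    $admins = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $userPaths  = @(& $getMemberPaths $users)
    $adminPaths = @(& $getMemberPaths $admins)

    $assignedPath    = "WinNT://$Domain/$AssignedUser"
    $domainUsersPath = "WinNT://$Domain/Domain Users"

    # Edge case: if the assigned user is in neither group, removing Domain Users
    # would lock them out of their own machine, so add them explicitly first.
    if (($userPaths + $adminPaths) -notcontains $assignedPath) {
        if ($PSCmdlet.ShouldProcess($ComputerName, "add $AssignedUser to local Users")) {
            $users.psbase.Invoke('Add', $assignedPath)
        }
    }

    if ($userPaths -contains $domainUsersPath) {
        if ($PSCmdlet.ShouldProcess($ComputerName, 'remove Domain Users from local Users')) {
            $users.psbase.Invoke('Remove', $domainUsersPath)
        }
    }

    # Return what is left so any other broad principal can be reviewed by hand.
    & $getMemberPaths ([ADSI]"WinNT://$ComputerName/Users,group")
}

# Dry run first: -WhatIf reports the planned changes without making them.
# Set-AssignedUserOnly -ComputerName 'WS-FIN-01' -Domain 'CONTOSO' -AssignedUser 'jsmith' -WhatIf
```

The returned member list is worth reading on one machine before rolling the change out: any other group still listed there continues to grant its members local logon.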

gruntspeed (Author) Commented:
We currently have over 60 computers on our business network. Our network spans over about 30 km altogether. Users will be on one side of the property and decide they need to check their mail and log on to a machine there. This downloads their whole profile and also gives them access to files on that computer that they are not permitted to access. For example, a user from Research accessing Finance files. The other reason being the downloading of files across the point-to-point network is slowing down our other network applications. They are clogging up needed space on the server, and each user is issued a computer for their work. They now move because they like this office or computer better and we have no control over this. As you can imagine, this is a nightmare to try and administer and back up.

Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
A user logging onto another workstation should NOT have access to files on that machine, because they only have "user" rights, not Administrator rights. Furthermore, you really would be better off if all files were stored centrally on the server, for backup purposes as well as management of user rights. This is generally handled with the Configure My Documents Folder Redirection Wizard. Files should not be stored on the computers' local drives... and even if they were, a user who logs onto someone else's machine would not have access to those files.

If bandwidth is the problem, I think you would be better off inhibiting the use of Outlook for those who log onto a computer that they are not assigned to.  Instead they would use Outlook Web Access.  In my opinion, if a user is 30 km away from their own machine then it would not be the best policy (from a productivity standpoint) to not let them check email from whatever machine is closer to them.

If there is a lack of space on the server for centrally storing files, then you really should consider adding additional drives or even adding a Windows Storage Server to your network.  None of this should be nightmarish to administer or backup... the Windows Operating Systems have tools to deal with these situations... it's just a matter of carefully planning and deploying these tools so that everyone benefits.

Since you've already closed out this question, please open a new one if you have further questions about your systems.

