gruntspeed

asked on

Outlook Web Access (OWA) Exchange 2003 and Small Business Server 2003 implementation

We installed a Small Business Server 2003 with Exchange 2003. We set up web access so all users could access their mail out of the office. The problem we started to experience was users were able to access any computer on the network with their username and password. Under the server management, users in the account properties you can configure the "log on to"; we configured this so that the users could only access their specific machines. After altering this users can no longer access the OWA over the internet. They can only access the OWA via the web browser on the machines listed in the log on to. Does anyone know of a work around for this or do we have to leave it that users can logon to any computer on our domain if they need to access e-mail outside of the office?
amaheshwari

Hi,

You have to leave it that users can log on to our domain from any machine otherwise they will not be able to access it from other machines.

Thanks
LeeDerbyshire
Try adding the server name to the Log On To list.
gruntspeed

ASKER

I had realised that but I am looking for a work around. This is simply not an option.
Adding the server name has been done but does not work and is a security risk.
It may take some time for AD to replicate the change - on the other hand, it may still not be sufficient, either.  When you are running OWA (in fact any authenticated application), though, you are logging on to the server.  I really hope that someone can come up with a way around this for you, but I don't think there is one.
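An added audit script, not posted by anyone in this thread: it reads the "Log On To" restriction (the AD attribute userWorkstations) for every user that has one and flags those whose list omits the Exchange/OWA server, which is the condition LeeDerbyshire describes. It assumes it is run from a domain-joined Windows machine with PowerShell and read access to the directory; the server name in $OwaServer is a placeholder.

```powershell
# Added example, not from the thread. Audits the "Log On To" restriction
# (AD attribute userWorkstations) and reports users whose list does not
# include the Exchange/OWA server. Assumes a domain-joined Windows host
# with PowerShell and read access to the directory.
$OwaServer = "SBSSERVER"   # placeholder NetBIOS name; replace with your server

# Bind to the domain naming context via ADSI (no extra modules required)
$rootDse  = [ADSI]"LDAP://RootDSE"
$domain   = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
# Only user accounts that actually carry a userWorkstations value
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(userWorkstations=*))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "userWorkstations"))

$report = $searcher.FindAll() | ForEach-Object {
    $entry = $_
    # userWorkstations is one comma-separated string of NetBIOS names
    $names = [string]$entry.Properties["userworkstations"][0]
    $list  = $names.Split(",") | ForEach-Object { $_.Trim().ToUpper() } | Where-Object { $_ }
    New-Object PSObject -Property @{
        User            = [string]$entry.Properties["samaccountname"][0]
        Workstations    = ($list -join ",")
        OwaServerListed = ($list -contains $OwaServer.ToUpper())
    }
}
$searcher.Dispose()

# Users with a restriction that omits the OWA server: the accounts whose
# OWA logons will be refused, since OWA is an authenticated logon to that server.
$report | Where-Object { -not $_.OwaServerListed } |
    Sort-Object User | Format-Table User, Workstations -AutoSize
```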
gruntspeed,

You should not have entered anything in the Log Onto field.  Remove that and OWA will be fixed.

When you say that they could access any computer on the network with their username and password... are you referring to LOCAL login or REMOTE?

Because the design of an SBS network IS to allow them to log onto any workstation... but they do not have administrative privileges on any workstation except the one they are assigned to.  Therefore, can you explain why this is a problem?

Basically you've created many problems by incorrectly solving another one... if you don't want users logging on to other workstations, there is a way to accomplish that, but it's not with the log onto field.

Jeff
TechSoEasy
In our network, we use group policies to limit who can log onto what system. We also use OWA and have not seen a problem with unwarranted access. Group Policies is where you want logon limits applied. TechSoEasy is right in that you should remove entries into the "Log Onto" field.

I am not even sure that the Exchange server had anything to do with users ability to log onto any workstation... unless during installation, a policy was created that would allow this but I don't recall anything in the installation process other than the domain prep that would do this.

Hope that helps a bit.
All I am looking for is a way to limit users' ability to move from one computer to the next without limiting their access to OWA.
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy
I have spent some time now looking for a way to limit access using the group policies but am getting nowhere. How do I limit user access to a single computer on the network using the group policies on my domain server?
Well, here's the problem.  When you run connectcomputer to join a system to the network part of that script adds the "Domain Users" to the local "users" group.  This is done because usually an organization does NOT want to prohibit users from logging on to other machines... and this is the first time I've heard of wanting to do that.  

It can't be corrected by Group Policy but it can be undone by creating a script... or manually opening the Computer Management Console for each machine (from the server) and changing the group membership.

I asked above, and would still ask why you are trying to do this... I have a feeling that you think this compromises the security of your systems in some way?  If you could explain a bit more about the reasons for wanting to do this, I am sure that I can provide you with either the information you need to know that it won't be a problem, or at least an alternative method to achieve the same goal.

Jeff
TechSoEasy
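An added check, not from Jeff or anyone else in the thread, for the membership he describes: it asks each workstation's local "Users" group whether the domain's "Domain Users" group is a member, so you can see which machines still carry what connectcomputer added before deciding whether to change it. It assumes it runs as a domain admin from a Windows host with PowerShell that can reach the workstations over the ADSI WinNT provider; the computer names are placeholders.

```powershell
# Added example, not from the thread. Reports, for each workstation, whether
# the domain's "Domain Users" group sits in the local "Users" group (the
# membership connectcomputer adds). Assumes it runs as a domain admin from a
# Windows host with PowerShell and that each workstation is reachable through
# the ADSI WinNT provider; computer names are placeholders.
$Computers     = @("WKS-RESEARCH01", "WKS-FINANCE01")   # placeholders
$DomainNetbios = $env:USERDOMAIN

$report = foreach ($pc in $Computers) {
    try {
        $localUsers = [ADSI]"WinNT://$pc/Users,group"
        # Invoke("Members") yields COM objects; read each member's ADsPath
        # (e.g. WinNT://DOMAIN/Domain Users) rather than the bare name so a
        # local account that happens to be called "Domain Users" cannot mask it.
        $paths = @($localUsers.psbase.Invoke("Members")) | ForEach-Object {
            $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        }
        $wanted = "WinNT://$DomainNetbios/Domain Users"
        $found  = @($paths | Where-Object { $_ -ieq $wanted }).Count -gt 0
        New-Object PSObject -Property @{
            Computer = $pc; DomainUsersInLocalUsers = $found; Error = $null
        }
    } catch {
        # Unreachable or access denied: record the reason instead of a false "no"
        New-Object PSObject -Property @{
            Computer = $pc; DomainUsersInLocalUsers = $null; Error = $_.Exception.Message
        }
    }
}

$report | Format-Table Computer, DomainUsersInLocalUsers, Error -AutoSize
```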
We currently have over 60 computers on our business network. Our network spans over about 30 kms all together. Users will be on one side of the property and decide they need to check their mail and logon to a machine there. This downloads their whole profile and also gives them access to files on that computer that they are not permitted to access. For example a user from Research accessing Finance files. The other reason being the downloading of files across the point to point network is slowing down our other network applications. They are clogging up needed space on the server, and each user is issued a computer for their work. They now move because they like this office or computer better and we have no control over this. As you can imagine this is a nightmare to try and administer and backup.

G
A user logging onto another workstation should NOT have access to files on that machine.  Because they only have "user" rights, not Administrator rights.  Furthermore, you really would be better off if all files were stored centrally on the server, for backup purposes as well as management of user rights.  This is generally handled with the Configure My Documents Folder Redirection Wizard.  Files should not be stored on the computer's local drives... and even if they were, a user who logs onto someone else's machine would not have access to those files.

If bandwidth is the problem, I think you would be better off inhibiting the use of Outlook for those who log onto a computer that they are not assigned to.  Instead they would use Outlook Web Access.  In my opinion, if a user is 30 km away from their own machine then it would not be the best policy (from a productivity standpoint) to not let them check email from whatever machine is closer to them.

If there is a lack of space on the server for centrally storing files, then you really should consider adding additional drives or even adding a Windows Storage Server to your network.  None of this should be nightmarish to administer or backup... the Windows Operating Systems have tools to deal with these situations... it's just a matter of carefully planning and deploying these tools so that everyone benefits.

Since you've already closed out this question, please open a new one if you have further questions about your systems.

Jeff
TechSoEasy