Solved

Filtering computer list in remote web workplace

Posted on 2007-11-13
Last Modified: 2012-05-05
I found a blog post that states it may be possible to filter the list of computers in RWW. I read the article but I am afraid I fully grasp what they are referring to. The selection of text that I am referring to is quoted below.

"In order for workstation RDP links to be exposed, there must be at least one XP workstation running with Remote Desktop Administration enabled. And only those machines with RDA enabled will show up in the list of client machines that can be connected to from RWW. In order for the application-sharing servers link to be exposed, the following criteria must be met:"

It almost seems like there is separate security that is monitoring and handling the management of RDP links? MOM? SMS?


 http://blogs.technet.com/sbs/archive/2006/11/03/remote-web-workplace-rww-part-ii-controlling-portal-access.aspx
Question by:MSJoe
7 Comments
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20277775
No, there's no special security monitoring the management of RDP links at all.  

That entire section is about how various links appear on the RWW main menu.  So what it's saying is that if you have NO XP workstations with RDA enabled, then the "Connect to my computer at Work"/"Connect to Client Desktops" link won't even appear on the main menu.

But perhaps you can explain what you are wanting to do?  Because you mention "filtering" but you don't say why or what you are trying to achieve.

Jeff
TechSoEasy
0
 

Author Comment

by:MSJoe
ID: 20279780
Sorry about that. This question is really about how to filter the computers that show up in "Connect to computer" in RWW. My goal is to remove computers from the list, or filter the list of computers that a user can see per group membership. The last item is a bit ridiculous and it isn't going to happen but that would be ideal. I know that the RWW app is built to add anything that is a server or a workstation when joined to the domain so anything I mention that I would like to do might not be possible. I thought I struck gold at first with that passage I quoted.

The easiest way to do what I want, short of actually removing computers from the list as I mentioned, would be to deny logon or implicitly allow logon through terminal services on a per user basis to their computer.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20285992
Well, first of all, a user cannot log onto a machine that they have not been
assigned to when you joined the computer to the domain with ConnectComputer.
This is because that process adds only the assigned user to the LOCAL
administrators group of that machine, and therefore only that user and domain
admins can log into the workstation remotely via RWW.

There was supposed to be a way to have the user's assigned computer be the
default for them when they access "Connect to my Computer at Work".

If you look at the first part of that article on RWW (http://sbsurl.com/rww)
you'll see that it says this about that:

          This link opens the Computer Selection page that is populated with a
          list of all client computers on the network that are running Windows
          XP or above. If there is a user-to-computer mapping
          (%systemroot%\Inetpub\ClientSetup\usermap.txt) available, the known
          user's computer will be selected by default from the list. Otherwise
          the user will have to manually select his/her workstation from the
          list of available computers.

       
The usermap.txt file is generated when you run the Add User Wizard and allow it
to also add a computer for that user.

Unfortunately, this feature has never worked.  In fact there is no
ClientSetup directory in Inetpub.  Although the usermap.txt file DOES get
created in the Inetpub\ConnectComputer directory and would be referenced when using
ConnectComputer to automatically populate the Username when assigning users to
particular workstations on the screen shown here:  http://sbsurl.com/assign

So, users should already be prohibited from logging into machines which they
haven't been assigned to unless you've manually added all users to either the
LOCAL Administrators or Remote Desktop Users groups.

Jeff
TechSoEasy
0
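The answer above says remote logon depends on membership of each workstation's LOCAL Administrators or Remote Desktop Users groups, so one way to check it is to audit those two groups against the assigned user. This PowerShell is an added example, not part of the original thread or of SBS; the function names are hypothetical and the computer, domain and user names are constructed placeholders.

```powershell
# Added example: audit which accounts can log on over Remote Desktop.
# All computer, domain and user names below are constructed placeholders.

# Groups whose members may log on via Remote Desktop by default.
$RemoteLogonGroups = 'Administrators', 'Remote Desktop Users'

function Get-LocalGroupMemberNames {
    # Live query through the ADSI WinNT provider; returns e.g. "CONTOSO/alice".
    param([string]$ComputerName, [string]$GroupName)
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $path -replace '^WinNT://', ''
    }
}

function Find-UnexpectedMember {
    # Compares group membership with the user assigned to the computer.
    param(
        [string]$ComputerName,
        [string]$AssignedUser,      # e.g. "CONTOSO/alice"
        [hashtable]$Membership,     # group name -> array of member names
        [string[]]$AlwaysAllowed    # accounts expected on every workstation
    )
    foreach ($groupName in $Membership.Keys) {
        foreach ($member in $Membership[$groupName]) {
            # String comparisons here are case-insensitive.
            if ($member -ne $AssignedUser -and $AlwaysAllowed -notcontains $member) {
                New-Object PSObject -Property @{
                    Computer = $ComputerName; Group = $groupName; Member = $member
                }
            }
        }
    }
}

# Constructed sample data standing in for a live query of workstation WS01.
$sample = @{
    'Administrators'       = @('CONTOSO/WS01/Administrator', 'CONTOSO/Domain Admins', 'CONTOSO/alice')
    'Remote Desktop Users' = @('CONTOSO/Domain Users')
}
$allowed = @('CONTOSO/WS01/Administrator', 'CONTOSO/Domain Admins')
Find-UnexpectedMember -ComputerName 'WS01' -AssignedUser 'CONTOSO/alice' -Membership $sample -AlwaysAllowed $allowed

# Against a real workstation, build the hashtable from live data instead:
# $live = @{}; foreach ($g in $RemoteLogonGroups) { $live[$g] = @(Get-LocalGroupMemberNames 'WS01' $g) }
```

With the sample data, the only finding is the constructed `CONTOSO/Domain Users` entry in Remote Desktop Users, the kind of manual addition that would let every user log on to that workstation.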

 

Author Comment

by:MSJoe
ID: 20288735
That’s great to know as I knew the assign user to computer makes the user a local admin but I did not know using that process would only allow that user to connect to their assigned computer. I guess my next questions would be about that usermap.txt. If I have a bunch of computers already installed on the network can I just edit that text file and add the mappings in manually to avoid rejoining computers?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 20289076
The usermap.txt file doesn't really do much other than pre-populate the "assign to" screen.

But if you're saying that the workstations weren't originally joined to the domain using ConnectComputer, then you need to rejoin them if you want to be able to take advantage of SBS's many features.  To do this, follow the steps I've outlined here:  http://sbsurl.com/rejoin

Jeff
TechSoEasy
0
 

Author Comment

by:MSJoe
ID: 20290233
I understand. It would be great if the "Connect to computer" would just connect to the default computer rather than displaying the list but I suppose it doesn't matter. You mentioned "There was supposed to be a way to have the user's assigned computer be the default for them when they access "Connect to my Computer at Work"." After reading the corresponding text associated is there a reason behind that it doesn't work? I guess if SBS.com says it is, maybe there is a reason why it doesn't. Maybe it has to be set up correctly right from the start or all the user to computer mappings have to be accounted for or else a list of computers is displayed?
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 500 total points
ID: 20295741
No, it doesn't have anything to do with a correct setup right from the start.  It was originally designed to work that way but apparently someone didn't code the wizard right and they never went back to fix it.  The quote in the SBS Blog came from this document, which you can review by downloading it from: https://filedb.experts-exchange.com/incoming/ee-stuff/83-SBS2003TechnicalReferenceTraining.pdf

If you are really interested in knowing how the wizards are constructed, go right to page 61 of that paper.

"is there a reason behind that it doesn't work? "

I already tried to explain this to you above... the wizard was supposed to create the file in another directory, but it doesn't, and even if you manually put it there, the RWW's web.config file doesn't look for it.  So, I think it was just part of an original design that got dropped... perhaps because it didn't really work all that well, and since it doesn't save you much time during the ConnectComputer process... it would only have been a "pre-populated" field with the user's name; it wouldn't have made the process any shorter.

Jeff
TechSoEasy
0
