Managing Users in SBS 2003


As with almost every other aspect of managing technologies on the SBS server, there are two ways to create and manage user objects: with the wizards or without the wizards. Although it may seem obvious to the reader who has come this far through the book that the expected response here is to use the wizards to create and manage users, some administrators who come from an enterprise background still want to create and manage users by hand. Even if they have adopted the wizard mantra for other aspects of managing an SBS server, surely something as simple as managing users can be done just as easily by hand, right? Not exactly.

Even though SBS has wizards to deal with most aspects of managing user objects after they have been created, some tasks still can only be performed using the traditional server management tools. However, just because some tasks must be performed outside the wizards does not mean that the whole process of user management should be done without the wizards. As is the general rule for everything else in the SBS world, start with the wizards and then move on.

All the user-related tasks can be found in the Users node of the Server Management Console. This includes the wizards as well as shortcuts to the non-wizard tools.

Administrator and Power User Access

SBS administrators are not the only accounts that can manage users and computers on the SBS network. Users created with the Power User template can also manage aspects of the server environment, including a subset of user management functions. For power users to access the Server Management Console, however, they have to log on to the server itself. The default security settings for SBS 2003 do not permit power users to log on interactively at the physical console, so the power user has to make a remote connection to the server to access the management tools. The Remote Web Workplace (RWW) interface will not allow a power user to remotely connect to the server, so a power user wanting to manage the server has to use Remote Desktop to reach the server console.

Because power users are not full administrators, they do not have access to the entire suite of management wizards that administrators do. Table 16.1 lists the differences in user management tools between administrators and power users.

Table 16.1. Access to User Management Tools By Administrators and Power Users

Tool                                    Administrator   Power User
Add a User                              Yes             Yes
Add Multiple Users                      Yes             No
Add User to a Group                     Yes             Yes
Rename User                             Yes             Yes
Change User Properties                  Yes             Yes
Change User Permissions                 Yes             No
Configure Password Policies             Yes             No
Configure My Documents Redirection      Yes             No
Change Mailbox and Disk Quota Limits    Yes             Yes
Offer Remote Assistance                 Yes             No
Disable Account                         Yes             Yes
Remove User                             Yes             No


Additionally, the Server Management Console interface has a different look to it for power users than full administrators. Figure 16.1 shows the default layout for the Power User Server Management Console.

Figure 16.1. The Power User Server Management Console has fewer options available than the full Server Management Console.


Adding Users

If you are new to SBS but have read through the other chapters in this book, you should have a good understanding of all the technologies that have custom configurations applied to work correctly in the SBS environment. On the surface, it may seem that a task as simple as adding a user might not really benefit from being done through a wizard. However, the rest of this chapter looks into all the different options that are set for user objects when the wizards are run. There are times, however, when a user object is needed on the server that falls outside the scope of what the wizards can do, so the chapter provides some insight into that situation as well.

Using the Add User Wizard

The interface for the Add User Wizard is the same for administrators and power users. There are a couple of minor differences in some of the wizard pages, however, based on the limitations of what the power user can do.

Here are the steps to completing the Add User Wizard:

1. Open the wizard and click Next on the first page.

2. Enter the first and last names for the user account. The logon name is filled in with the first and last names together. Change the logon name and email aliases if desired in this page and click Next when finished.

3. Enter a password for the user and click Next.

4. Select the appropriate template for the user being created and click Next.

Caution

When a power user gets to the Template selection page, the only template options available are the User template and the Mobile User template. A power user cannot create a user with administrative privileges on the network, so the Power User template and the Administrator template are not available in this page. See the "Understanding User Templates" section later in the chapter for a more detailed explanation of each of the template options.

Think carefully before creating a user with the Power User template. Accounts created as power users have enhanced privileges on the network. Be sure not to grant those permissions to a user object unless you are absolutely sure that you want that person to be able to use those enhanced permissions.

5. If you want to set up a computer for this user, enter a name for the workstation in the Computer Name field. Otherwise, click the Do Not Set Up a Computer button. Click Next when finished.

6. If you selected to add a computer, the wizard presents two additional pages relating to the installation of client software on the workstation. This interface is covered in greater detail in the "Assigning Applications to Computers" section later in the chapter. Click Next on each page after the desired settings have been selected.

7. Review the summary of actions to be taken by the Add User Wizard and click Finish to create the user object.

The summary page gives you a glimpse into the many tasks that the Add User Wizard performs. It creates the user object, creates a home directory for the user, creates a mailbox in Exchange for the user, adds the user to the appropriate security groups (based on the template selected during the wizard), adds the user to the default distribution group for Exchange, adds the user to the Companyweb setup with the permissions determined by the template, and assigns a disk quota for the user. If a new computer object was requested during the wizard, the wizard creates the computer object, assigns several applications to the computer, and configures settings for multiple applications on the workstation.

Note

To really understand what goes on with the Add User Wizard, you can use the FileMon and RegMon tools from SysInternals (http://www.sysinternals.com) and monitor the server while the wizard does its magic. Be warned, however, that you will need to export the data into a spreadsheet and have ample time to sort through just the entries that the addusr.exe tool adds to the logs from both programs.


When the Add User Wizard completes, the newly created user appears in the users list in the Server Management Console. Many administrators who are new to SBS will not find these users immediately when looking for them in Active Directory Users and Computers. This is because the Add User Wizard places the user objects into the MyBusiness, Users, SBSUsers Organizational Unit (OU) instead of the Users container that most non-SBS administrators are familiar with. This is done primarily to be able to make use of Group Policy, and even though SBS does not have group policy objects predefined at that level, the structure is created to allow for customization through group policy later, if needed.

Using Active Directory Users and Computers

Users can also be created in the Active Directory Users and Computers (ADUC) Management Console, but any users created in this manner should not be typical network users. Instead, if you choose to create users in the ADUC Console, you should only create specialized users, such as backup administrator accounts and so on.

Best Practice: Add Users with the Add User Wizard

This may seem obvious given the focus of the book as a whole, but the SBS global community continually runs across queries for help from those who have not followed this mantra. When you add regular domain users to the network, use the Add User Wizard to ensure that the proper permissions and access are granted to the user object. The only users that should be created manually are specialized accounts that serve specific functions on the network and are not regular user objects.


Changing User Permissions

The Change User Permissions Wizard restores default settings to a user object by reapplying one of the SBS user templates to the object. The wizard can be used to create a user mailbox in Exchange, create a home folder, restore security and distribution group memberships, reset SharePoint access, and reset disk quotas.

Only network administrators can run the Change User Permissions Wizard because the wizard allows the operator to add Power User and Administrator templates to an existing user, and that could give an existing Power User object the ability to elevate his own permissions on the network. Rather than build a separate wizard that allows only a power user to reapply the User or Mobile User template to an existing user object, Microsoft chose to simply not make this wizard available to Power User accounts.

Note

When a power user selects a user object in the Server Management Console, a link named Change User Permissions does appear. However, when the link is clicked, the user object's properties page is displayed, not the Change User Permissions Wizard.


The second page of the Change User Permissions Wizard, shown in Figure 16.2, allows the operator to select which template to apply. Another significant selection must be made here, also.

Figure 16.2. Any user template can be applied to an existing user object.


Two radio buttons appear beneath the list of templates. You can select whether to replace the existing permissions granted to the user, or you can add the permissions defined by the template to the user, keeping any permissions that do not otherwise conflict with the template attached to the user object. The default setting in the wizard is to replace all the permissions for the user with the permissions from the template. This selection makes sense if a user received elevated permissions or the user permissions became corrupt and needed to be reset to defaults.

Alternatively, you can choose to have the settings in the template added to the existing settings for the user object. You might select this option if you had added a user, based on the User template, to some custom security groups, and then decided to apply the Mobile User settings to the user object. If you chose to replace the user settings with the template settings, the user would be removed from the custom security groups. If, however, you had several users that needed some custom settings configured, you could look at creating your own user template that contains all the settings you need for a group of users on the network.

Understanding User Templates

A user template is simply a collection of permissions and other settings that can be applied to a user or group of users quickly, instead of having to apply each permission or setting change manually to each user. Each user template is actually stored as a disabled user object in Active Directory in the same OU as the regular user accounts. To see most of the settings stored in the template, you can open the template object in ADUC, as shown in Figure 16.3.

Figure 16.3. The security groups for a template can be viewed in the template object properties.


Creating and Modifying User Templates

Your best bet to understanding how user templates work is to go through the Add Template Wizard. This wizard is accessed from inside the Change User Permissions Wizard by clicking the Add Template button, shown previously in Figure 16.2. Or, you can run the addtmpl.exe program file from C:\Program Files\Microsoft Windows Small Business Server\Administration folder.

In the second page of the wizard, you specify a name and description for the template. You can also configure the template to be the default template used by the Add User Wizard, and you can select whether the template is visible to power users running the Add User Wizard.

In the next page of the wizard, you can select which of the existing domain security groups will apply to the template. Only existing groups are displayed in the wizard window. If you need to add security groups, you will need to do so in the ADUC Management Console. See the section "Working with Security and Distribution Groups" later in the chapter for more information on adding new security groups.

Caution

Be warned that you can add administrator-level security groups to the template, even if you allow power users to use the template. It might seem that if you add the Domain Admins group to the template, for example, and allow power users to create users with this template, a power user could create a new user with Domain Admin rights, log in to the domain with those rights, and have full control over the network. However, when a power user attempts to create a user with administrator-equivalent groups in the template, the Add User Wizard halts when trying to apply those permissions, and the power user is warned that she cannot fully configure the account and is given the option to keep or remove the user account.


The next page of the wizard allows you to select which Exchange distribution groups will apply to the template. You should include the default domain distribution group in the template to make sure that any user accounts created with the template receive email sent to the company distribution list. For more information on working with distribution groups, see "Working with Security and Distribution Groups" later in the chapter.

The SharePoint Access page of the wizard allows you to select the default access the template will have to the SharePoint sites on the server. You can select from Reader, Contributor, Web Designer, or Administrator, or you can prevent access to SharePoint sites by selecting none of the options.

The Address Information page allows you to include address information for the template. If you have a site with multiple users in multiple locations, you might choose to create a template based on the site address so that when users are added with the site-specific template, the correct address information is populated automatically to the user accounts. Alternatively, you can leave this information blank.

The Disk Quotas page, shown in Figure 16.4, is where you specify what the disk quota limits will be for the template, if any disk quotas are applied at all. The SBS default limits are populated in the wizard page but can be modified as necessary.

Figure 16.4. Templates can have disk quotas set by default.


Although customizing user templates can reduce user administration time, the level of complexity of a small business environment may not justify the time and effort needed to plan and develop custom templates. In a five-user network, for example, developing more than one custom template may be overkill. In a five-user network that is growing to 25 users, however, it may be justified.

Setting and Modifying User Limits

One of the objectives of the default SBS installation settings is to help protect a novice network administrator from misconfigurations that could end up crashing the server. Many of these are related to putting limits on disk space used so that the server system drive does not fill to capacity and bring down the system.

User configuration in SBS is no different. The SBS wizards place space limits on user accounts for mailbox size and disk space storage. These limits help keep the size of the Exchange database in check, and the disk capacity on the server is protected as well.

You may find, however, that the default limits provided by SBS simply do not match your environment. This section covers how to review and modify those settings.

Mailbox Usage

User mailboxes in the SBS implementation of Exchange 2003 are limited to 200MB. A warning is mailed to the user when the capacity of his mailbox reaches 175MB, but when the limit of 200MB is reached, all mail activity, sending and receiving included, is blocked. These limits are set at the Mailbox Store and can be modified there if you want to change (or remove) the limits across the entire network.

You can get to the Mailbox Store Properties window, shown in Figure 16.5, from Server Management, Advanced Management, First Administrative Group (Exchange), Servers, servername, First Storage Group, Mailbox Store (servername), Properties. The Limits tab displays the current settings.

Figure 16.5. The default SBS mailbox limits are 175MB for the warning and 200MB to prevent sending and receiving.


Also listed in the Limits page is the deleted items retention period, which is 30 days by default. Any of the settings on this page can be changed as needed for your particular environment. If the network has only five or six users and the volume of email sent and received by the user base is low, you may be able to remove the limits on the Mailbox Store and allow the users to store more email on the server than the limits would otherwise allow. On the other hand, you will need to keep a closer eye on the total size of the Mailbox Store if you remove the limits, because a Mailbox Store without limits can unexpectedly grow to the maximum 16GB size quickly and without warning. If that happens, follow the instructions in Chapter 13, "Exchange Disaster Recovery," to restore access to the database.

Actually, though, the settings for the mailbox limits are not enforced at the Mailbox Store level. The final arbiter for mailbox size limits is actually Active Directory. Each user object has settings that determine how much mail can be stored in the Mailbox Store. When you open the Storage Limits dialog from the Exchange General tab of the user's properties, shown in Figure 16.6, you see that the default setting is to use the Mailbox Store defaults for both the storage limits and deleted item retention. Modifying the values in this area of the user properties sets the actual values that will be used for that particular user.

Figure 16.6. Storage limits and deleted item retention settings are actually stored in each user object's properties.


At this point, you may be wondering why this discussion began with settings in the Mailbox Store and user properties instead of with the explanation of a wizard. Simply put, there is no wizard for modifying these settings. When you click on the Change Mailbox and Disk Quota Limits link in the Server Management Console, the Small Business Server Help and Information window opens with links explaining how to make changes to mailbox and disk quota settings for individual users and for all users. If you need to make changes to any of these settings, you make the changes in the Exchange configuration and in Active Directory, just like you would in a non-SBS network.
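Two of the points above can be checked from a PowerShell prompt rather than by opening each object in ADUC: the Caution that a user template can carry administrator-level security groups, and the fact that the per-user Active Directory attributes, not the Mailbox Store, are the final arbiter of mailbox limits. The following audit script is an added example and is not from the book; it assumes PowerShell is installed on the SBS 2003 server (or a domain-joined machine), that it runs as a domain administrator, that templates are identified as the book describes them (disabled user objects in the SBSUsers OU), and that the list of privileged groups is one you adjust for your domain. The Exchange attributes it reads (mDBUseDefaults, mDBStorageQuota, mDBOverQuotaLimit, mDBOverHardQuotaLimit) are the standard Exchange 2003 user attributes behind the Storage Limits dialog.

```powershell
# Added audit example, not from the book. Assumes PowerShell on the SBS 2003
# server or a domain-joined machine, run as a domain administrator.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
# The OU the Add User Wizard populates: MyBusiness, Users, SBSUsers
$ouPath   = "LDAP://OU=SBSUsers,OU=Users,OU=MyBusiness,$domainDn"

# Administrator-equivalent groups (assumed list; extend for your domain). A
# template holding one of these lets the Add User Wizard create admin-level users.
$privilegedGroups = @("Domain Admins", "Enterprise Admins", "Schema Admins",
                      "Administrators", "Account Operators")

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$ouPath
$searcher.Filter     = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize   = 500
$searcher.PropertiesToLoad.AddRange([string[]]@(
    "sAMAccountName", "userAccountControl", "memberOf",
    "mDBUseDefaults", "mDBStorageQuota", "mDBOverQuotaLimit", "mDBOverHardQuotaLimit"))

foreach ($result in $searcher.FindAll()) {
    $p    = $result.Properties            # property names come back lower-cased
    $name = [string]$p["samaccountname"][0]
    $uac  = [int]$p["useraccountcontrol"][0]
    $isDisabled = ($uac -band 2) -ne 0    # ADS_UF_ACCOUNTDISABLE

    # Group CN taken from each memberOf DN, e.g. "CN=Domain Admins,CN=Users,DC=..."
    $groups = @()
    if ($p.Contains("memberof")) {
        $groups = @($p["memberof"] | ForEach-Object { (($_ -split ",")[0]) -replace "^CN=", "" })
    }

    # 1. Templates are stored as disabled user objects in this OU (the book's
    #    definition). Flag any that carry an administrator-equivalent group.
    if ($isDisabled) {
        $priv = @($groups | Where-Object { $privilegedGroups -contains $_ })
        if ($priv.Count -gt 0) {
            Write-Output ("TEMPLATE  {0}: grants {1}" -f $name, ($priv -join ", "))
        }
    }

    # 2. Mailbox limits: mDBUseDefaults = FALSE means this object overrides the
    #    Mailbox Store limits. Values are in KB; a missing value means no limit.
    if ($p.Contains("mdbusedefaults") -and -not [bool]$p["mdbusedefaults"][0]) {
        $warn = if ($p.Contains("mdbstoragequota"))       { $p["mdbstoragequota"][0] }       else { "none" }
        $send = if ($p.Contains("mdboverquotalimit"))     { $p["mdboverquotalimit"][0] }     else { "none" }
        $hard = if ($p.Contains("mdboverhardquotalimit")) { $p["mdboverhardquotalimit"][0] } else { "none" }
        Write-Output ("OVERRIDE  {0}: warn={1}KB send={2}KB sendreceive={3}KB" -f $name, $warn, $send, $hard)
    }
}
```

Any disabled user account in the OU is reported alongside the real templates, so check the account name before treating a TEMPLATE line as a template problem.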

Disk Usage

As mentioned in the preceding paragraph, disk usage limits on the server are not configured with a wizard but directly in the properties of the volume where you want to set or modify limits. Settings for both individual users and all users are modified in the same location, the properties window of the volume, shown in Figure 16.7.

Figure 16.7. Disk quota limits are set for an entire volume.


By default, SBS enables quotas on the volume where the User Shared Folders are stored. If all of SBS is installed on a single volume (not a good idea), the quota applies to the entire disk. If the User Shared Folders are stored on a different partition, such as D: in Figure 16.7, only that partition has quotas enabled. The default limits are 900MB for the warning and 1GB for the hard block.

Individual user quota entries can be set or modified by clicking the Quota Entries button on the Quota tab. The resulting Quota Entries window, shown in Figure 16.8, lists all the user objects, including user templates, their quota limits, and the amount of space used in size and percentage of quota.

Figure 16.8. The Quota Entries window details the quota settings for all user objects on the network.


From this window, you can edit the quota settings for the individual objects by double-clicking on the object. You can also add or delete quota entries using the icons in the toolbar. The Add User Wizard and the Remove User Wizard take care of the necessary quota entry management automatically. If you do remove a quota entry from the list, the next time that the user attempts to store data on the volume, the quota entry will be re-created with the default settings from the volume.

Note

If you delete a user object from the network without using the wizards, the quota entry for the user may not get removed. You can easily spot these entries because the Name field shows [Account Information Unknown], and the Logon Name displays a user SID. You can safely remove any entries like this from the Quota Entry screen.


Working with Security and Distribution Groups

Security groups and distribution groups have their own nodes in the Server Management Console tree. The level of management needed for these groups is not as complex as for user objects, but because user templates can use custom security and distribution groups, they are worth at least a brief mention.

Security groups and distribution groups are the two types of groups that can be defined in Active Directory. A security group is used to allocate or restrict access permissions to areas on the network for the members of the group. A distribution group creates a mail alias in Exchange that delivers messages addressed to the group to the mailboxes of each of the members of the group.

Managing Security Groups

When you select the Security Groups node in the Server Management Console, the list of all the security groups defined on the network appears, along with links for security group tasks. Table 16.2 describes the three tasks that can be performed on security groups from the Server Management Console.

Table 16.2. Server Management Tasks Related to Security Groups

Task                      Description
Add a Security Group      Opens the Add Security Group Wizard, which walks you through the process of naming and adding users to a new group
Change Group Properties   Opens the ADUC Properties page for the selected security group
Remove Security Group     Deletes the selected security group from the network


Each security group has four tabs in the Properties page: General, which includes the name and description of the group; Members, which lists the users and other objects that belong to the group; Members Of, which lists the groups to which this group belongs; and Managed By, which identifies the user object responsible for managing the group, if any. These settings can be viewed by double-clicking on the group in the list, or by clicking the Change Group Properties task when the group object is selected.

Managing Distribution Groups

The same basic tasks present for security groups are also available for distribution groups in the Server Management Console, but one other task, Manage POP3 E-mail, appears as well. Whereas the properties page for a security group has only four tabs, the properties page for a distribution group has seven. The first four are the same as the security group, and the additional three are related to Exchange. Table 16.3 lists the settings organized into each of the tabs.

Table 16.3. Exchange Settings for Distribution Group Objects

Tab Name             Settings Available
Exchange General     Alias name, display name, message size limits, and message restrictions
E-mail Addresses     Lists all the addresses that will be delivered to the distribution group
Exchange Advanced    Advanced settings, including simple display name, hiding the group from Exchange address lists, and delivery report settings




Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
Year: 2005
Pages: 253
