Note: The screenshots in this post will be for SBS2011, but the procedure is identical for SBS2008.
SBS2008 and SBS2011 include a useful feature called “User Roles”. This allows us to configure several “templates” from which new users can be created through the SBS Add User Wizard.
User roles allow control over the following user attributes directly:
- Remote Access:
  - Remote Web Workplace access
  - VPN and Dial-In access
- Email Mailbox Quota
- User’s Shared Folder quota on the server
- Folder redirection if required
- Group Membership
- Access to the SBS Websites:
  - Remote Web Workplace
  - Outlook Web Access
  - Internal Intranet Site
To create or modify User Roles, open the SBS Administration Console, select the “Users and Groups” heading, then the “User Roles” tab.
First let’s have a look at the 3 roles created as part of a standard SBS install. Double-click the “Standard User” role, and you’ll be presented with the settings screen for this role:
By default, the Standard User in SBS2008/SBS2011 has the following attributes:
- Allowed access to the Remote Web Workplace
- Denied access to the server by VPN
- 2GB Exchange Mailbox quota
- 2GB Shared Folder quota
- No folder redirection (unless the SBS Folder Redirection wizard has been run)
- Membership of the following groups:
  - SBS Fax Users
  - SBS Link Users
  - SBS Remote Web Workplace Users
  - SBS Sharepoint Users
- Access to all 3 SBS Websites:
  - Remote Web Workplace
  - Outlook Web Access
  - Internal Intranet Site
Changing any of these settings is as simple as selecting the appropriate tab on the left-hand side, updating the setting and clicking “Apply”. For example, to increase the mailbox quota for the role, select the “Email” tab, set the limit as required and click “Apply”.
So far, so simple. There are, however, a whole load more things you can do with User Roles with a bit of understanding as to how it actually works. Behind the scenes, each User Role is created as a disabled user account in Active Directory, and these accounts are used as “Templates” for user creation. To view these, open Active Directory Users and Computers (from the Administrative Tools start menu folder, or through Start → type “dsa.msc” and press Enter). Drill down to the SBSUsers folder under “<yourdomain>\MyBusiness\Users\” and you’ll see several disabled user accounts listed.
You can edit the settings of these “Template” accounts directly through Active Directory Users and Computers, and the settings will be reflected in users created with the associated User Roles. This allows many changes which aren’t available through the SBS Administration Console, including:
- Changing the OU of users created through the wizard. New users created from a User Role will be created in the same Organizational Unit as the template they are based on. This is very useful if you have multiple departments and don’t want to manually move your users into the correct OU each time.
- Active Directory user “Organization” settings, such as “Job Title”, “Department” and “Company”. This is useful because these attributes are available in Microsoft Exchange when configuring the scope of Email Address policies, among other things – see separate article on “Multiple Email Address Policies in SBS2008 and SBS2011”
You’ll notice that there are more Templates in Active Directory than there are Roles in the SBS Administration Console – this is because User Templates are actually a more general feature of Active Directory, and the SBS Roles feature adds additional functionality to this feature for specific users. For more information about Active Directory Templates in general, try here: www.trainsignal.com/blog/windows-server-2008-active-directory-users
The templates that relate to the Roles in the SBS Administration Console are:
- “Standard User”
- “Standard User with administration links”
- “Network Administrator”
By way of example, the hypothetical company “Widgets Ltd” has 2 departments – “Buying Team” and “Selling Team”. 2 security groups have been created, “Buying” and “Selling”, which are used to control access to files and folders on the server. In addition, users should have the “Department” attribute set correctly to match the department they work in. To do this, we’ll create 2 new roles:
- “Selling Team User”, which will be a member of the “Selling” group, have the “Department” attribute set to “Selling Team” and be placed in the “Selling Team” OU in Active Directory.
- “Buying Team User”, which will be a member of the “Buying” group, have the “Department” attribute set to “Buying Team” and be placed in the “Buying Team” OU in Active Directory.
First we’ll create the new user roles. Open the SBS Management Console, select the “Users and Groups” heading, then the “User Roles” tab. Click the “Add a new user role” link on the right-hand side. This will open the “New User Role” wizard:
Click “Next” to move on to the “Choose User Role Permissions” page. This page lets us select the Group Membership for users created using this role. Click “Add”, find the appropriate group on the left-hand side, click “Add” to add it to the list of groups the user will be a member of, then click OK:
Repeat this process for any other groups these users should be made members of.
The next 3 pages contain settings we don’t wish to change at this time, so we can just “Next” through all of these, then click “Add User Role”.
Repeat this process for the “Buying Team User” role, and we should see our 2 new User Roles in the SBS Console:
So far we’ve created a User Role that will make users a member of the correct security group, but we need to fix the “Department” attribute, and ensure users are created in the correct OU.
Open up the Active Directory Users and Computers administrative tool, and drill down to the SBSUsers OU:
Notice that the 2 User Roles we created earlier are listed here as disabled user accounts.
We’ll create 2 new organizational units, “Buying Team” and “Selling Team”, in the “SBSUsers” OU:
And then drag the “Buying Team User” and “Selling Team User” into the correct OUs:
Now we can set the “Department” for the User Role by opening the properties screen, selecting the “Organization” tab, and typing in the correct Department:
Now our user roles should be ready. To test this, we’ll create a new user, called “Widget Seller”, using the “Selling Team User” role, and confirm that they are created in the “Selling Team” OU, are members of the “Selling” Security Group and have their “Department” attribute set to “Selling Team”.
Back in the SBS Console, run the New User Wizard by clicking the “Add New User Account” link on the “Users” tab of the “Users and Groups” heading. Select “Selling Team User” in the “Choose a user role” dropdown:
Click “Next” and select a password for the user:
Then click “Add User Account”.
Once the account has been created, we’ll go back to Active Directory Users and Computers and check that they have been created in the correct OU. Also open the properties of the user and confirm that the “Organization” and “Member Of” tabs show the correct “Department” and Group Membership respectively:
And that’s us done. Any new users created with the correct templates will automatically be placed in the correct Security Groups and OU, and have the correct “Department” attribute. The same process can be followed to set any other Active Directory user properties – new users will reflect the settings of the User Role on which they are based.
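The manual confirmation above (OU, “Department” and group membership) can also be scripted. This is an added PowerShell example, not part of the original post; `Compare-UserToRoleTemplate` is a hypothetical helper name. It assumes the ActiveDirectory module is available on the server (it is included with Windows Server 2008 R2, on which SBS2011 is based), that the SBSUsers path given earlier maps to OU=SBSUsers,OU=Users,OU=MyBusiness, and that the names shown in Active Directory Users and Computers are the accounts’ Name values.

```powershell
# Added example: compare a wizard-created user with the User Role template it came from.
Import-Module ActiveDirectory

function Compare-UserToRoleTemplate {
    param(
        [Parameter(Mandatory = $true)] [string] $UserName,   # e.g. "Widget Seller"
        [Parameter(Mandatory = $true)] [string] $RoleName    # e.g. "Selling Team User"
    )

    # Assumption: the post's "<yourdomain>\MyBusiness\Users\SBSUsers" path written as a DN.
    $base  = "OU=SBSUsers,OU=Users,OU=MyBusiness," + (Get-ADDomain).DistinguishedName
    $props = "Department", "MemberOf"

    # Assumption: the names displayed in ADUC are the objects' Name (CN) values.
    # The default search scope is Subtree, so the department OUs are included.
    $template = Get-ADUser -Filter "Name -eq '$RoleName'" -SearchBase $base -Properties $props
    $user     = Get-ADUser -Filter "Name -eq '$UserName'" -SearchBase $base -Properties $props
    if (-not $template -or -not $user) {
        throw "Could not find '$RoleName' and/or '$UserName' under $base"
    }

    # Parent container = distinguished name with the leading CN=... component removed
    # (the lookbehind skips commas escaped inside the CN itself).
    $parentOf = { param($dn) $dn -replace '^CN=.+?(?<!\\),', '' }

    # Groups the template has that the user lacks, and groups only the user has.
    $missing = @($template.MemberOf | Where-Object { $user.MemberOf -notcontains $_ })
    $extra   = @($user.MemberOf | Where-Object { $template.MemberOf -notcontains $_ })

    New-Object PSObject -Property @{
        User              = $user.Name
        Role              = $template.Name
        TemplateDisabled  = (-not $template.Enabled)   # role accounts are created disabled
        SameOU            = ((& $parentOf $user.DistinguishedName) -eq
                             (& $parentOf $template.DistinguishedName))
        Department        = $user.Department
        DepartmentMatches = ($user.Department -eq $template.Department)
        MissingGroups     = $missing
        ExtraGroups       = $extra
    }
}

# The test case from the walkthrough above.
Compare-UserToRoleTemplate -UserName "Widget Seller" -RoleName "Selling Team User" | Format-List
```

A `TemplateDisabled` value of `False` means the role account has been enabled since it was created and, given the group memberships it carries, should be reviewed.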