User Roles in SBS2008 and SBS2011

Note: The screenshots in this post will be for SBS2011, but the procedure is identical for SBS2008.

SBS2008 and SBS2011 include a useful feature called “User Roles”. This allows us to configure several “templates” from which new users can be created through the SBS Add User Wizard.

User roles allow control over the following user attributes directly:

  • Remote Access:
    • Remote Web Workplace access
    • VPN and Dial-In access
  • Email Mailbox Quota
  • User’s Shared Folder quota on the server
  • Folder redirection if required
  • Group Membership
  • Access to the SBS Websites:
    • Remote Web Workplace
    • Outlook Web Access
    • Internal Intranet Site

To create or modify User Roles, open the SBS Administration Console, select the “Users and Groups” heading, then the “User Roles” tab.

user-roles

First let’s have a look at the 3 roles created as part of a standard SBS install. Double-click the “Standard User” role, and you’ll be presented with the settings screen for this role:

standard-user-role

By default, the Standard User in SBS2008/SBS2011 has the following attributes:

  • Allowed access to the Remote Web Workplace
  • Denied access to the server by VPN
  • 2GB Exchange Mailbox quota
  • 2GB Shared Folder quota
  • No folder redirection (unless the SBS Folder Redirection wizard has been run)
  • Membership of the following groups:
    • SBS Fax Users
    • SBS Link Users
    • SBS Remote Web Workplace Users
    • SBS Sharepoint Users
  • Access to all 3 SBS Websites:
    • Remote Web Workplace
    • Outlook Web Access
    • Internal Intranet Site

Changing any of these settings is as simple as selecting the appropriate tab on the left-hand side, updating the setting and clicking “Apply”. For example, to increase the mailbox quota for the role, select the “Email” tab, set the limit as required and click “Apply”.

standard-user-properties

So far, so simple. There are, however, a whole load more things you can do with User Roles once you understand how the feature actually works. Behind the scenes, each User Role is created as a disabled user account in Active Directory, and these accounts are used as “templates” for user creation. To view them, open Active Directory Users and Computers (from the Administrative Tools Start menu folder, or click Start, type “dsa.msc” and press Enter). Drill down to the SBSUsers folder under “<yourdomain>\MyBusiness\Users\” and you’ll see several disabled user accounts listed.

SBSUsers-OU

You can edit the settings of these “template” accounts directly through Active Directory Users and Computers, and the settings will be reflected in users created with the associated User Roles. Because whatever is on the template is copied to every user created from it, the template is also the place to audit exactly which groups a role grants before the role is handed out. Editing the template allows many changes which aren’t available through the SBS Administration Console, including:

  • Changing the OU of users created through the wizard. New users created from a User Role will be created in the same Organizational Unit as the template they are based on. This is very useful if you have multiple departments and don’t want to manually move your users into the correct OU each time.
  • Active Directory user “Organization” settings, such as “Job Title”, “Department” and “Company”. This is useful because these attributes are available in Microsoft Exchange when configuring the scope of Email Address policies, among other things – see separate article on “Multiple Email Address Policies in SBS2008 and SBS2011”

You’ll notice that there are more template accounts in Active Directory than there are Roles in the SBS Administration Console. Creating users by copying a template account is a general Active Directory technique, and the SBS User Roles feature builds on it, adding the SBS-specific settings (remote access, quotas, website access) to the templates it manages. For more information about Active Directory templates in general, try here: www.trainsignal.com/blog/windows-server-2008-active-directory-users

The templates that relate to the Roles in the SBS Administration Console are:

  • “Standard User”
  • “Standard User with administration links”
  • “Network Administrator”
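
The point above, that a role is just a disabled user account, can be checked from PowerShell. The following is an added example, not code from the original post: it lists every disabled account under the SBSUsers OU along with the groups and organisation attributes each one would stamp onto new users. It assumes a domain of “widgets.local” (change $domainDN to match yours) and needs the ActiveDirectory module, which ships with Windows Server 2008 R2, the platform under SBS2011.

```powershell
# Added example, not part of the original post: list the User Role templates
# that SBS keeps as disabled user accounts under the SBSUsers OU, together
# with the groups and organisation attributes each one would stamp onto new
# users. Assumes the domain is "widgets.local" (change $domainDN to match).
# Needs the ActiveDirectory module (Windows Server 2008 R2, i.e. SBS2011).
Import-Module ActiveDirectory

$domainDN   = 'DC=widgets,DC=local'
$sbsUsersOU = "OU=SBSUsers,OU=Users,OU=MyBusiness,$domainDN"

function Get-SbsRoleTemplate {
    param([string]$SearchBase = $sbsUsersOU)

    # Role templates are disabled accounts. A disabled ex-employee parked in
    # the same OU would be listed too, so read the Template column, not just
    # the count. MemberOf does not include the primary group (Domain Users).
    Get-ADUser -Filter { Enabled -eq $false } -SearchBase $SearchBase `
               -Properties Department, Company, Title, MemberOf |
        ForEach-Object {
            $groupNames = @($_.MemberOf | ForEach-Object {
                # Turn "CN=Selling,OU=...,DC=..." into "Selling"
                ($_ -split ',')[0] -replace '^CN=', ''
            })
            New-Object PSObject -Property @{
                Template   = $_.Name
                OU         = ($_.DistinguishedName -split ',', 2)[1]
                Department = $_.Department
                Company    = $_.Company
                Title      = $_.Title
                Groups     = ($groupNames -join '; ')
            }
        }
}

Get-SbsRoleTemplate | Format-Table Template, OU, Department, Groups -AutoSize
```

The Groups column is the one worth reading before a role is given to the helpdesk: any group listed against a template is granted to every user created from that role.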

By way of example, the hypothetical company “Widgets Ltd” has 2 departments – “Buying Team” and “Selling Team”. 2 security groups have been created, “Buying” and “Selling”, which are used to control access to files and folders on the server. In addition, users should have the “Department” attribute set correctly to match the department they work in. To do this, we’ll create 2 new roles:

  • “Selling Team User”, which will be a member of the “Selling” group, have the “Department” attribute set to “Selling Team” and be placed in the “Selling Team” OU in active directory.
  • “Buying Team User”, which will be a member of the “Buying” group, have the “Department” attribute set to “Buying Team” and be placed in the “Buying Team” OU in active directory.

First we’ll create the new user roles. Open the SBS Administration Console, select the “Users and Groups” heading, then the “User Roles” tab. Click the “Add a new user role” link on the right-hand side. This will open the “New User Role” wizard:

Add-New-User-Role

First we’ll create the “Selling Team User” role, using the settings in the image above. We can use the “Standard User” role as the base for this, as we only want to change a couple of settings.

Click “Next” to move on to the “Choose User Role Permissions” page. This page lets us select the group membership for users created using this role. Click “Add”, find the appropriate group on the left-hand side, click “Add” to add it to the list of groups the user will be a member of, then click “OK”:

USer-Role-Groups

Repeat this process for any other groups these users should be made members of.

The next 3 pages contain settings we don’t wish to change at this time, so we can just “Next” through all of these, then click “Add User Role”.

Repeat this process for the “Buying Team User” role, and we should see our 2 new User Roles in the SBS Console:

User-Roles-2

So far we’ve created a User Role that will make users a member of the correct security group, but we need to fix the “Department” attribute, and ensure users are created in the correct OU.

Open up the Active Directory Users and Computers administrative tool, and drill down to the SBSUsers OU:

User-Roles-In-Directory

Notice that the 2 User Roles we created earlier are listed here as disabled user accounts.

We’ll create 2 new organizational units, “Buying Team” and “Selling Team”, in the “SBSUsers” OU:

New-OUs

And then drag the “Buying Team User” and “Selling Team User” into the correct OUs:

Users-In-OUs

Now we can set the “Department” for the User Role by opening the properties screen, selecting the “Organization” tab, and typing in the correct Department:

User-Properties
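
The Active Directory half of that procedure (create the OUs, move the templates, set the Department) can be scripted instead of done by dragging in ADUC. The following is an added example, not code from the original post. It assumes a domain of “widgets.local”, that the two roles have already been created in the SBS Console with the names used above, and the ActiveDirectory module (Windows Server 2008 R2, i.e. SBS2011).

```powershell
# Added example, not part of the original post: create the department OUs
# under SBSUsers, move each role template into its OU and set the Department
# attribute on it. Assumes the domain "widgets.local" and that the two roles
# already exist (created in the SBS Console as described above).
# Needs the ActiveDirectory module (Windows Server 2008 R2, i.e. SBS2011).
Import-Module ActiveDirectory

$domainDN   = 'DC=widgets,DC=local'
$sbsUsersOU = "OU=SBSUsers,OU=Users,OU=MyBusiness,$domainDN"

# Role template name -> department. The department name is used both for the
# OU and for the Department attribute, as in the Widgets Ltd example.
$roles = @{
    'Selling Team User' = 'Selling Team'
    'Buying Team User'  = 'Buying Team'
}

foreach ($templateName in $roles.Keys) {
    $department = $roles[$templateName]
    $ouDN       = "OU=$department,$sbsUsersOU"

    # Create the department OU only if it is not there yet, so the script can
    # be re-run safely after adding another role.
    $existing = Get-ADOrganizationalUnit -Filter { Name -eq $department } `
                    -SearchBase $sbsUsersOU -SearchScope OneLevel
    if (-not $existing) {
        New-ADOrganizationalUnit -Name $department -Path $sbsUsersOU
    }

    # Find the template by name anywhere under SBSUsers. It must be disabled:
    # an enabled account with that name is a real user, not a role, and we do
    # not want to move or relabel a person by mistake.
    $template = Get-ADUser -Filter { Name -eq $templateName } -SearchBase $sbsUsersOU
    if (-not $template) { throw "Role template '$templateName' not found under $sbsUsersOU" }
    if ($template.Enabled) { throw "'$templateName' is an enabled account; refusing to treat it as a template" }

    # Move the template into its OU: new users are created in the template's OU
    if ($template.DistinguishedName -notlike "*,$ouDN") {
        Move-ADObject -Identity $template.DistinguishedName -TargetPath $ouDN
    }

    # Set the Department attribute the screenshots show. Whether new users
    # inherit it is disputed in the comments on this post, so verify after
    # creating the first user from the role.
    Set-ADUser -Identity $template.SamAccountName -Department $department
}
```

The two guards (OU must not already exist before creating it, template must be disabled before touching it) are what make the script safe to run more than once and stop it from ever re-homing a real user account.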

Now our user roles should be ready. To test this, we’ll create a new user, called “Widget Seller”, using the “Selling Team User” role, and confirm that they are created in the “Selling Team” OU, are members of the “Selling” Security Group and have their “Department” attribute set to “Selling Team”.

Back in the SBS Console, run the New User Wizard by clicking the “Add New User Account” link on the “Users” tab of the “Users and Groups” heading. Select “Selling Team User” in the “Choose a user role” dropdown:

New-User-From-Role

Click “Next” and select a password for the user:

New-User-Password

Then click “Add User Account”.

Once the account has been created, we’ll go back to Active Directory Users and Computers and check that the user has been created in the correct OU. Also open the properties of the user and confirm that the “Organization” and “Member Of” tabs show the correct “Department” and group membership respectively:

User-properties-correct

And that’s us done. Any new users created with the correct templates will automatically be placed in the correct security groups and OU and, as the screenshots show, have the correct “Department” attribute. The same process can be followed to set any other Active Directory user properties – new users will reflect the settings of the User Role on which they are based.

One caveat, raised in the comments below and confirmed by the author on re-testing: OU placement and group membership carry over from the template reliably, but the “Department” and “Company” attributes set on the template have been found not to appear on the new users. If you see the same, use the role to land users in the right OU and then set those attributes with PowerShell afterwards, as the reply to the first comment shows.
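
The verification steps above, done from PowerShell, together with the fallback the author suggests in the comments (derive Department from the OU the user sits in). This is an added example, not code from the original post. It assumes a domain of “widgets.local”, that the wizard created “Widget Seller” with the logon name “widget.seller” (the real logon name depends on the naming style chosen in the wizard), the OU and group names from the Widgets Ltd example, and the ActiveDirectory module (Windows Server 2008 R2, i.e. SBS2011).

```powershell
# Added example, not part of the original post: check that a user created
# through the wizard landed in the role's OU, received the role's group and
# has its Department set, and apply the fallback suggested in the comments
# (derive Department from the OU) when it did not.
# Assumptions: domain "widgets.local"; the wizard created "Widget Seller" with
# the logon name "widget.seller" (yours depends on the wizard's naming style);
# OU and group names as in the Widgets Ltd example.
# Needs the ActiveDirectory module (Windows Server 2008 R2, i.e. SBS2011).
Import-Module ActiveDirectory

$domainDN   = 'DC=widgets,DC=local'
$sbsUsersOU = "OU=SBSUsers,OU=Users,OU=MyBusiness,$domainDN"

function Test-RoleUser {
    param(
        [Parameter(Mandatory=$true)][string]$SamAccountName,
        [Parameter(Mandatory=$true)][string]$ExpectedOU,        # e.g. 'Selling Team'
        [Parameter(Mandatory=$true)][string[]]$ExpectedGroups,  # e.g. 'Selling'
        [string]$ExpectedDepartment = $ExpectedOU
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties Department, MemberOf

    # MemberOf holds group DNs; resolve each to its name. The primary group
    # (Domain Users) is not in MemberOf, so do not list it in $ExpectedGroups.
    $groups  = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    $missing = @($ExpectedGroups | Where-Object { $groups -notcontains $_ })

    New-Object PSObject -Property @{
        User              = $user.SamAccountName
        InExpectedOU      = ($user.DistinguishedName -like "*,OU=$ExpectedOU,$sbsUsersOU")
        HasExpectedGroups = ($missing.Count -eq 0)
        MissingGroups     = ($missing -join ', ')
        DepartmentSet     = ($user.Department -eq $ExpectedDepartment)
    }
}

# Fallback from the comments: stamp Department onto every enabled user in a
# department OU. Disabled accounts (the role templates) are left alone, and
# users that already carry the right value are not rewritten.
function Set-DepartmentFromOU {
    param([Parameter(Mandatory=$true)][string]$DepartmentOU)  # e.g. 'Selling Team'
    $ouDN = "OU=$DepartmentOU,$sbsUsersOU"
    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $ouDN -Properties Department |
        Where-Object { $_.Department -ne $DepartmentOU } |
        Set-ADUser -Department $DepartmentOU
}

$check = Test-RoleUser -SamAccountName 'widget.seller' -ExpectedOU 'Selling Team' -ExpectedGroups 'Selling'
$check | Format-List

if ($check.InExpectedOU -and -not $check.DepartmentSet) {
    # The role placed the user correctly but Department did not carry over
    Set-DepartmentFromOU -DepartmentOU 'Selling Team'
    Test-RoleUser -SamAccountName 'widget.seller' -ExpectedOU 'Selling Team' -ExpectedGroups 'Selling' | Format-List
}
```

Run Test-RoleUser against the first user created from each new role; if InExpectedOU and HasExpectedGroups are true but DepartmentSet is false, you are seeing the behaviour described in the comments and Set-DepartmentFromOU (or a scheduled run of it per department OU) is the practical fix.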

 

6 Comments

  1. Ryan

    Hi, I appreciate the work you guys put into this guide. It has provided a solution that I have been looking for for some time now. The only issue I’m running into is I have an SBS 2008 box rather than a 2011, though I notice you say at the top the procedure is the same, however I am unable to get the new user accounts to retain the department attribute set on the user role. Could this be because I am running 2008 rather than 2011?

    Thanks in advance.

    • Admin

      Hi Ryan,

      I’ve just gone back and re-tested this and now I find that the Department attribute is not being set – odd, as I’m sure it was when this post was produced!
      My best advice is to use OUs matching the departments (which does work with the user role templates) and then you can apply the Department attribute using PowerShell like:
      Import-Module ActiveDirectory
      Get-ADUser -Filter * -SearchBase "OU=YourDepartmentOU,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=YourDomain,DC=LOCAL" | Set-ADUser -Department "YourDepartmentName"

  2. Wallyb132

    I can’t thank you enough for the information you provided in the post, it came in extremely handy as one of my clients just bought another company and I had to merge all of the users on to SBS, giving them email addresses for both domains without giving the domain of purchased company to existing employees.

    After following your walkthrough, I can confirm that neither the department nor the company info added to the new user template sticks when creating new users. I was however able to automate the email address assignments using separate AD containers and the email address policies. I just configured the email address policy to assign domains based on the OU of the user, with no other parameters configured. It worked like a champ, after I worked through an unrelated error preventing the domain admin from creating mailboxes using the SBS console.

    Because of the error with the domain admin, the first test batch of users didn’t have mailboxes created, but were placed in the proper AD container. I created the mailboxes manually and applied the email address policy afterwards and it did its thing exactly as it was supposed to.

    Thank you again for the information!

    • Admin

      No worries, glad you found it helpful – when I get a few minutes free I’ll update it to reflect the fact that it doesn’t actually appear to operate as described with Department and Company – it definitely did at some point as I didn’t fake the screenshots, but for whatever reason it certainly doesn’t appear to work now. As you say though you can just use the Roles to ensure users go in the right OUs and then have powershell scripts to deal with the rest.

  3. Nick Clayden

    I am investigating an issue we get whereby users cannot log into their SBS2011 account.
    When we go to check that user’s account properties, we sometimes find that the username has disappeared from the username field. Once we type this back in and apply the change, the user is able to log in.

    Is this an issue that you’ve come across before?

    • Admin

      Hi Nick,
      Are you looking at the user’s account properties from the SBS Administration Console, or from Active Directory Users and Computers? I don’t think I’ve seen this specific issue before.
      Jim
