Gaining access to the resources of the SBS network requires a
domain user account, which authenticates the identity of the person
making the connection and controls what resources a user has the right
to access.
In Windows SBS 2011, by default all user accounts fall into one
of three roles, or categories: Standard User, Standard User with
Administration Links, and Network Administrator.
Each user account you add will be based on one of these
user roles (or on another user role that you create). In
the interests of sanity (your own), keep the number of user roles to a
minimum. It is far easier to control access through group membership
than by creating multiple user roles. You also have the ability to
change the specifics of access and resource limits for individual user
accounts, but resist the temptation. It can quickly get
unmanageable.
1. The Standard User Role
Most SBS users should be assigned the Standard User role. This role enables access to shared
folders, email, the Internet, printers, fax services, Remote Web
Workplace, and SharePoint Foundation (Companyweb). All of these
access points can be configured within the Standard User Role. To
make changes to the Standard User role, start the Windows SBS
Console and follow these steps:
Click Users And Groups and then click the User Roles tab.
Right-click Standard User and select Edit User Role
Properties. The Standard User Properties dialog box will open,
as shown in Figure 1. In the left
pane, click a category to see the settings for this role.
General displays a description of the role.
Remote Access shows how the user role can access the
network from a remote location. By default, anyone with this
user role can access Remote Web Workplace and is
automatically a member of the Windows SBS Remote Web
Workplace Users group. An optional setting allows the user
role to access the Virtual Private Network. Selecting this
check box adds all users assigned to this role to the
Windows SBS Virtual Private Network Users group.
Email allows you to set a maximum mailbox size. Clear
the check box if you don’t want to impose a limit on the
amount of disk space a user can use for storing mail.
Folders is a page for managing and redirecting folders
for the user role. As on the Email page, you can enforce a
limit on the size of shared folders. In addition, folder
redirection can be set and a folder redirection quota
imposed.
Groups shows the group membership for users assigned
this role. You can add a group membership by clicking Add or
remove a group membership by highlighting a group and
clicking Remove.
Web Sites allows the choice of sites to be available
to this user role.
IMPORTANT: All the
users assigned the same role will have the same settings.
Changes you make to a user role won’t just change future user
accounts; they will change all accounts assigned to that role.
Don’t remove any of the standard group memberships from any of
the default SBS roles. Doing so will likely have unintended
consequences.
Click OK when finished. You are asked if you want to apply
the customization to all accounts based on the role. Click Yes
and the user role changes are applied.
2. The Standard User with Administration Links
The Standard User with Administration Links role has, as
you’d suspect, the Standard User role access plus membership in groups
that give users assigned this role the ability to perform
administrative tasks. Click the Groups link to view the groups that
this role includes.
3. Network Administrator Role
The Network Administrator Role provides unrestricted
system access to any account it is assigned to. The E-mail and
Folders settings are the same as for the other default roles. Remote
Access and Web Sites are different, however. On the Remote Access
page, you can add or remove access to the virtual private network,
but not to the Remote Web Workplace (which is on by default).
Similarly, the Web Sites page allows Outlook Web Access to be
granted or withheld, but all accounts based on the Network
Administrator role will have access to Remote Web Workplace and the
internal website.
If your network is administered by a third-party provider,
access to Outlook Web Access and your virtual private network (if
you have one) isn’t necessary, but an administrator must be able to
log on to the server.
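Because role settings turn into group memberships, remote access can be reviewed by reading the two groups named above. The following PowerShell is an added example, not part of the original text: it lists every user who holds Remote Web Workplace or VPN access and flags administrative accounts among them. It assumes the ActiveDirectory module that ships with Windows Server 2008 R2, and it assumes that membership in Domain Admins identifies accounts with administrative rights; the function name Get-GroupUsers is hypothetical.

```powershell
# Added example: audit who has remote access on an SBS 2011 domain.
# Assumptions: ActiveDirectory module is available; accounts with
# administrative rights are members of Domain Admins.
Import-Module ActiveDirectory

# Group names as given in the text above.
$remoteGroups = @(
    'Windows SBS Remote Web Workplace Users',
    'Windows SBS Virtual Private Network Users'
)

function Get-GroupUsers {
    param([string]$GroupName)
    # Look the group up by name so a missing group gives a warning, not an error.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $group) {
        Write-Warning "Group not found: $GroupName"
        return @()
    }
    # -Recursive expands nested groups so indirect members are reported too.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }
}

$admins = @(Get-GroupUsers 'Domain Admins' |
    ForEach-Object { $_.SamAccountName })

$report = foreach ($name in $remoteGroups) {
    foreach ($member in (Get-GroupUsers $name)) {
        $user = Get-ADUser -Identity $member.distinguishedName `
            -Properties LastLogonDate
        New-Object PSObject -Property @{
            Group     = $name
            Account   = $user.SamAccountName
            Enabled   = $user.Enabled
            LastLogon = $user.LastLogonDate
            IsAdmin   = ($admins -contains $user.SamAccountName)
        }
    }
}

# Administrative accounts sort first; review whether each still needs the access.
$report |
    Sort-Object @{Expression = 'IsAdmin'; Descending = $true}, Group, Account |
    Format-Table Group, Account, Enabled, IsAdmin, LastLogon -AutoSize
```

Disabled accounts and accounts with an old LastLogon value that still appear in either group are candidates for removal from the role or group that grants the access.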
4. Creating a New User Role
Perhaps you have some users for whom none of the standard
user roles is appropriate. In that case, it’s simple
to create a new user role by following these steps:
Open the Windows SBS console, select Users And Groups, and
then select User Roles.
In the Tasks pane, select Add A New User Role to start the
wizard.
In the Add A New User Role page, shown in Figure 2, enter text in the
User Role Name and Description fields.
By default, the new user role is set to be based on the
existing Standard User role. Clear the check box if you want to
start from scratch, or choose another user role to base the new
role on.
Also by default, the new user role will appear as an
optional choice when creating new user accounts. Clear the check
box if you don’t want the role to display in the Add New User
Account Wizard or the Add Multiple New User Accounts
Wizard.
To make the new user role the default choice when adding
new user accounts, select the check box labeled The User Role Is
The Default In The Add New User Account Wizard And In The Add
Multiple New User Accounts Wizard. Click Next.
On the Choose User Role Permissions (Group Membership)
page, add or remove group memberships. Remember that all user
accounts you base on this role will inherit these same
memberships. When you’ve adjusted group memberships, click
Next.
On the Choose E-mail Settings page, enforce or remove a
mailbox size quota for this user role. Outlook Web Access is on
by default, but you can remove that as well if you want. Click
Next.
Choose the remote access settings for this user role, as
shown in Figure 3. Click
Next when you have made these settings.
On the Choose Share Folder Access For This User Role page,
choose the Shared Folder settings for the user role, including
the quota limits that will be applied. Select Back to return to
previous pages to change any of your selections. When finished,
click Add User Role.
The New User Role Was Added Successfully To The Network
page announces that the new user role has been added and
provides an option to add a user account or multiple user accounts. Click
Finish or one of the selection areas to proceed to adding accounts.