3. User Tasks
General User Tasks
• Add new account
• Add multiple accounts
• Change user roles for accounts
• Change password policies
• Redirect folders
• Help
Specific User Tasks
• Edit user properties
• Remove user account
• Reset user password
• Change group membership
• Disable user account
• Add new user role based on this user
• Print a Getting Started page for user
4. Modifying User Account Properties
Properties
• Remote access permissions
• VPN permissions
• E-mail information and mailbox quotas
• Access to Remote Web Access
• Access to Outlook Web Access
• Computer access
• Access to internal shared folders
• Group membership
5. User Roles and Groups
User Roles
• Add a new role
• Edit role properties
• Remove role
Groups
• Add new group
• Edit group properties
• Change group membership
• Remove group
6. Best Practice
Security best practice for managing user accounts:
• Implement strong passwords
• Change password policies
• Educate users
• Do not use the administrator account for daily work
7. Managing with the Windows SBS Console
Network Page
Computers
Devices
Connectivity
8. Pre-deployment Administrative Tasks
Did you check applications for compatibility?
Do you have the latest BIOS?
Drivers up-to-date?
Latest service packs and security updates applied?
Network connectivity configured properly?
Local admin password set and documented?
9. Connecting Client Computers
http://connect
• From Internet Explorer address bar
Connect Computer Wizard
• From portable media (USB)
User can join the client computer
• Does not require administrative privileges
10. Connect Client Computer Wizard
Launch Client Computer Wizard
Set up for yourself Set up for others
Runs Client Advisor utility
Enter username Enter admin name
Enter password Enter admin password
Verify computer name
Move profile data Assign user
Move profile data
Select user role
Restarts computer, joins to the SBS domain
11. Managing Client Computers
Computer Properties
• General settings
• Administer user access to the client
• Configure updates
13. Managing with the Windows SBS Console
Shared Folders and Web Sites Page
Shared Folders
Web Sites
14. Redirecting User’s Folders
Applies GPO to redirect
Redirect folder options:
• Desktop
• Documents
• Start Menu
2GB default storage quota
Enables Previous Client Version
Enables Offline Files
15. Using Shared Folders
Users access data stored on the SBS server using network shared folders
• Windows Search Service allows users to quickly find files
The Company folder is created by default
Administrators use the Dashboard to create additional shared folders
Access is controlled using simplified permissions:
• Full access (Read/Write)
• Read only
• No access
Shared folders support Shadow Copies
• Users can use the Previous Versions tab in Windows Explorer to recover accidentally deleted or overwritten files
16. Remote Web Access
RWA Features
• E-mail, Calendars, Contacts via Outlook Web Access
• Intranet portal (Companyweb)
• Computer desktops (Admins can connect to the SBS server)
• Shared folders
• Single Sign-On experience
• Self-service password change
17. Customizing Remote Web Access
Customizable features:
• Remote Web Access user access
• Remote Web Access sign-in page
• Remote Web Access home page
• Check e-mail
• Connect to computer
• Internal Web site (SharePoint)
• Change password
• Help
• Organizational links
• Administration links
18. Remote Web Access Requirements
Prerequisites to access RWA
• Member of Remote Web Access users
• RDP client software 6.0 or later
• Router ports 443 and 987 must be open and forwarded to SBS server
• optionally port 80 for redirection to port 443
• Ports 443 and 987 must be open on the SBS server
• optionally port 80 for redirection to port 443
• Browser must accept cookies
19. Request & Install a Third-party Certificate
Windows SBS 2011 creates a self-issued certificate that can be used to establish secure remote connections
• Connected client computers have the certificate installed automatically
• Remote client computers must install certificate manually
• PDAs/smart phones must install this certificate
Certificates generated by third-party providers are easier to implement and manage
• Nothing to install on client devices
• Have become very inexpensive
20. Configuring Mobile Devices
What is Exchange ActiveSync? (EAS)
Mobile devices supported
• Microsoft® Windows Mobile® 5.0 (Messaging & Security Feature Pack)
• Windows Mobile® 6.x and Above
• Any device that supports Exchange ActiveSync
Exchange ActiveSync features
• Direct Push
• Device Security policy enforcement
• Remote device wipe
22. THANK YOU
SBS Resource Blog, everything about SBS:
www.sbs-2008.com
System Center Blog, all System Center products in one blog:
systemcenterblog.wordpress.com
Microsoft Turkey:
www.microsoft.com/turkiye
More information about Small Business Server 2011 Standard:
www.microsoft.com/sbs
Mustafa KARA personal blog:
www.mustafakara.net.tr
Editor's Notes
Key Message: Title Slide
Instructor: Introduce Module
Timing: 1 min max.
Key Message: Run through the agenda for the presentation.
Instructor: Describe the course agenda.
Timing: 2 min
Key Message: User management is fully integrated into the SBS 2011 Standard console.
Instructor: All user management can be performed within the SBS 2011 Standard Console. This includes simple add-user wizards, editing user properties and defining user roles. Basically, all user account management is centralized in a single view. For users, administrators can:
• Add new account
• Add multiple accounts
• Change user roles for accounts
• Change password policies
• Automatically enable Redirected folders
• Edit user properties
• Remove user account
• Reset user password
• Change group membership
• Disable user account
• Add new user role based on this user
• Print a Getting Started page for user
This user wizard will also create mailboxes and determine access to tools such as RWA.
Slide Transition Note: Let's look at modifying user accounts.
Timing: 1 min
Key Message: All user account properties are stored in a simple admin view.
Instructor: Modifying user properties is simple, and you have very granular control using a simple inbuilt tool. You can not only do simple tasks like update user information and reset the user password, you can also determine e-mail, RWA and SharePoint access through a single view. In the user properties view you can administer:
• Remote access permissions
• VPN permissions
• E-mail information and mailbox quotas
• Access to Remote Web Access
• Access to Outlook Web Access
• Computer access
• Access to internal shared folders
• Group membership
Slide Transition Note: Let's look at user roles and groups.
Timing: 2 min
Key Message: SBS 2011 Standard has a number of inbuilt user roles that provide a base-level template for new users; these can be customized, or new ones can be created.
Instructor: Roles in SBS 2011 Standard provide a standard template for creating new users. They can define the level of access to certain resources, mailbox quotas, external access and much more. By using User Roles, you can ensure that new users all adhere to the same level of access for that specific user type. You can also create new User Roles and apply them to new users (as well as defining a User Role from a new or existing user). Groups are simple to create, edit and maintain using the Group task. Admins can:
• Add new groups
• Edit group properties
• Change group membership
• Remove groups
Slide Transition Note: Let's look at some best practices for new and existing users.
Timing: 2 min
Key Message: User security is low in many SMBs; through implemented processes and user guidance you can easily increase identity security.
Instructor:
Implement strong passwords
Password policies are a set of rules that can enhance the security of your SBS 2011 Standard network. Using strong passwords provides an additional layer of defense against an unauthorized user gaining access to your network. To help implement strong passwords, password policies are enabled by default during installation. You can ensure that users implement strong passwords by enforcing password policies in your network. The password policies in SBS 2011 Standard include the following:
• Minimum length: Enable this policy to determine the least number of characters that a password can contain. Setting a minimum length helps protect your network by preventing users from having short or blank passwords. The default is eight characters.
• Complexity: Enable this policy to determine whether passwords must contain different types of characters. If this policy is enabled, passwords cannot contain all or part of a user's account name, and they must contain characters from three of the following four categories:
• English uppercase characters (A through Z)
• English lowercase characters (a through z)
• Numerals (0 through 9)
• Non-alphanumeric characters (such as !, $, #, %)
• Maximum age: Enable this policy to determine the period of time (in days) that a password can be used before the system requires that the user change it. The default is 42 days.
Educate users
After implementing strong password policies, educate users about strong and weak passwords. Ask users to treat their password as they would private information, such as a credit card personal identification number (PIN). Following are typical guidelines for creating a strong password. When implemented, they provide protection for your local network. A strong password consists of the following:
• At least eight characters.
• Characters from three of the following four categories:
• Uppercase letters (A through Z)
• Lowercase letters (a through z)
• Numbers (0 through 9)
• Non-alphanumeric characters (for example, !, $, #, %)
Do not use administrator accounts for daily work
Because user accounts that are based on the Network Administrator user role are very powerful, consider basing user accounts on the Standard User user role. Using the Network Administrator user role increases the chance that the user will inadvertently delete important files or gain unintended access to an account with administrative permissions.
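As an added example (not part of the original presentation), the sketch below checks candidate passwords against the defaults these notes list: minimum length 8, three of the four character categories, no part of the account name, and a 42-day maximum age. Ignoring name parts shorter than three characters, the function names and the sample accounts are assumptions made for illustration.

```python
import re
from datetime import date

MIN_LENGTH = 8            # default minimum length from the notes
MAX_AGE_DAYS = 42         # default maximum age from the notes
REQUIRED_CATEGORIES = 3   # three of the four character categories

CATEGORIES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "numeral": re.compile(r"[0-9]"),
    "non-alphanumeric": re.compile(r"[^A-Za-z0-9]"),
}


def name_parts(account_name, full_name=""):
    """Account name plus full-name tokens; parts under 3 characters are ignored (assumption)."""
    parts = [account_name] + re.split(r"[\s,.\-_#]+", full_name)
    return [p.lower() for p in parts if len(p) >= 3]


def check_password(password, account_name, full_name=""):
    """Return the violated rules in a fixed order; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("min_length")
    present = [name for name, rx in CATEGORIES.items() if rx.search(password)]
    if len(present) < REQUIRED_CATEGORIES:
        violations.append("complexity")
    lowered = password.lower()
    if any(part in lowered for part in name_parts(account_name, full_name)):
        violations.append("contains_name")
    return violations


def password_expired(last_set, today):
    """True once the password has been in use for MAX_AGE_DAYS or longer."""
    return (today - last_set).days >= MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample accounts and passwords, for illustration only.
    samples = [
        ("jsmith", "John Smith", "Summer2024!", date(2024, 1, 1)),
        ("jsmith", "John Smith", "password", date(2024, 1, 20)),
        ("jsmith", "John Smith", "Jsmith#1", date(2024, 2, 1)),
        ("akaya", "Ayse Kaya", "Ab1!", date(2024, 2, 10)),
    ]
    today = date(2024, 2, 12)
    for account, full, pw, last_set in samples:
        result = check_password(pw, account, full) or ["ok"]
        age = "expired" if password_expired(last_set, today) else "current"
        print(f"{account:8} {pw:12} {', '.join(result):28} {age}")
```

The third sample satisfies length and complexity yet is still rejected because it embeds the account name, which is the case user education most often misses.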
Timing: 1 min
Key Message: All computer, device (such as fax and printers), and connectivity (such as Internet connection administration) management is performed via the Network tab.
Instructor: Using the Network tab you can view the current state of all servers and PCs on your network (such as general, security and update status) and enable power management policies for Vista and Windows 7 clients. You can also add new printers and fax cards, as well as administer your Internet connectivity and associated tools.
Slide Transition Note: Let's look at connecting clients to SBS 2011 Standard.
Timing: 2 min
Key Message: Management of PCs is done via the computer tab under the network page in the console.
Instructor: Administering computers is simple through the computer tab in the console. From here you can view computer properties (such as users who can access the machine locally or via RWA, patch management status, and general information about the PC).
Slide Transition Note: You can even offer remote assistance from the console.
Timing: 2 min
Key Message: Management of shared folders and Web sites such as RWA is performed via the Shared Folders and Web Sites page in the console.
Instructor: Creating, administering or deleting shared folders is completed via the shared folders tab. Sharing a folder may sound easy, but can be complex for users with low IT skills. SBS makes this easier by using a simple wizard for creating and sharing new and existing folders, including extending them to SMB/NFS, quota capability and DFS. You can also configure client folder redirection using this tool. Why is this important? Folder Redirection ensures you can capture local user data and personalization on the centralized server. This allows further client redundancy, allowing you to centralize your data and provide full backups.
Further to this, the core SBS Web sites such as RWA, OWA and SharePoint access can be administered through these tools. While deeper configuration will be done via the specific admin tools (such as IIS for RWA and OWA, and SharePoint Central for SharePoint Foundation), activities such as user permissions/access, customization, and links can be configured using this tool.
Slide Transition Note: Let's look more at redirected folders.
Timing: 2 min
Key Message: Users access SBS network shared folders based on a simplified set of permissions.
Instructor:
Users access data stored on the SBS server using network shared folders
• Windows Search Service allows users to quickly find files
The Company folder is created by default
Administrators use the Dashboard to create additional shared folders
Access is controlled using simplified permissions:
• Full access (Read/Write)
• Read only
• No access
Shared folders support Shadow Copies
• Users can use the Previous Versions tab in Windows Explorer to recover accidentally deleted or overwritten files
Timing: 2 min
Key Message: Remote Web Access provides a simple way for external and roaming users to access content, e-mail, the company intranet and important links through a browser.
Instructor: Remote Web Access is the new update of the Remote Web Workplace. It provides external access to a pre-installed secured portal from most web browsers. Users can access their e-mail and calendar, contacts and tasks through Outlook Web Access. You can also access your intranet (CompanyWeb) based on SharePoint Foundation Server 2010. Access to data stored in shared folders is also available, including downloading and uploading of content. Users can also change passwords through the self-service password change tool, and take control of internal clients on the intranet securely through the in-built RDS gateway.
Slide Transition Note: Let's look at customizing the RWA experience.
Timing: 2 min
Key Message: Remote Web Access provides many ways to customize the experience, including logon pages, access rights for users and various features.
Instructor: The list below shows the customization features.
• Remote Web Access user access: Specify which users and groups have permission to sign in to Remote Web Access.
• Remote Web Access sign-in page: Display the name of your organization and choose a custom background image.
• Remote Web Access home page: Provide a name, description, and logo for your Remote Web Access to display on the home page. You can also choose which Organizational and Administration links to make available to Remote Web Access users to suit the needs of your organization.
• Check e-mail: Display this link to enable users to access their e-mail and calendar from your Outlook Web Access site.
• Connect to computer: Display this link to enable users to establish a remote connection to a computer at work.
• Internal Web Site (SharePoint): Display this link to enable users to connect to your organization's internal Web site.
• Access Shared Files: Display this link to enable users to access files and folders that are shared by network users. Owners of shared files and folders assign and manage access permissions for their content.
• Change password: Display this link to enable users to change their network passwords.
• Help: Display this link to give users access to Help topics for learning about network features.
• Organization links: Display this link section to expose custom links that are specific to your organization. Add, edit, and remove links in accordance with the needs of your organization.
• Personal links: Display this link section to give users access to the personal links that they added by using the Desktop Links gadget.
• Administration Links: Display this link and assign permissions to enable users with administrative roles to use Remote Web Access to perform assigned tasks.
Slide Transition Note: Let's look at RWA requirements.
Timing: 2 min
Key Message: Users must have rights to access RWA, and the router must be correctly configured to support external RWA access.
Instructor: These are the minimum requirements a client must meet in order to access RWA features. RWA is set up out of the box and finalized when running the IAMW, and only client-side configuration is required for access. Further customizations to RWA can be done in the SBS management console. Students may wonder why the router does not need port 3389 for RDP. This is because RWA uses the RDS Gateway, which does not require 3389.
Slide Transition Note: Let's look at securing our access to RWA.
Timing: 2 min
Key Message: Third-party certificates are easy and simple to use, are integrated into the wizard, and save the hassle of installing a certificate on multiple machines.
Instructor: This is a fairly straightforward process in SBS. In the SBS Management console, go to Network tab > Connectivity and, in the task pane, click "Add trusted certificate".
• The wizard launches and asks you to verify your domain information.
• On the "Generate a certificate request" page, click Generate request. Windows Small Business Server 2011 Standard generates encoded information that the certification authority requires.
• After the request is generated, click Copy, and then paste the information into the space provided on the certification authority's Web site.
If you do not receive the certificate information from the certification authority immediately, do the following:
• Verify that "I will re-run the wizard after I receive the certificate file from my certificate-service provider" is selected, and then click Next.
• On the "The certificate request was postponed" page, click Finish.
If you receive the certificate information from the certification authority immediately, do the following:
• Click "I am ready to import the certificate file from my certificate-service provider", and then click Next.
• On the "Import the trusted certificate file" page, browse to the location where you saved the trusted certificate file, and then click Next.
• On the "The certificate file is installed" page, click Finish.
In order to run this wizard, the IAMW must first have been completed and the Internet address set up successfully.
Slide Transition Note: Let's finish up by looking at remote devices.
Timing: 2 min
Key Message: Exchange ActiveSync supports mobile connection to your e-mail server through RWA. Users can access e-mail, contacts and calendar easily, and it supports activities such as direct mail push, device policy enforcement and remote device wipe.
Instructor:
What is Exchange ActiveSync?
Exchange ActiveSync is a communications protocol that enables mobile access, over the air, to e-mail messages, scheduling data, contacts, and tasks. Exchange ActiveSync is available on Windows Mobile powered devices and third-party devices that are enabled for Exchange ActiveSync. It uses Direct Push technology, which is an encrypted HTTPS connection established between the client and the server.
Configuring the mobile device to sync with Exchange (for a device using ActiveSync)
After you have installed the certificate on the mobile device and confirmed that the mobile device can use the Internet service provided by the user's wireless carrier, complete the following tasks:
• On the Today screen, tap Start, and then tap ActiveSync. This displays the ActiveSync screen.
• Tap Menu, and then tap Configure Server.
• Tap anywhere within the address bar, and then type the Exchange ActiveSync URL, such as https://remote.domainname.com.
• Select This Server Requires An Encrypted (SSL) Connection.
• Click Next. When prompted, enter your user name, password, and domain information.
• Select the Save Password check box, and then click Next.
• Select the types of information you want to sync with the server, such as inbox, calendar, and contacts, and then click Finish.
It will take a couple of minutes to sync the first time, depending on the size of the user's mailbox and the speed of the wireless connection.
Key Message: Elicit questions from the audience.
Instructor:
Timing: As long as necessary.