Windows Small Business Server 2011 : Managing Computers (part 1) - Viewing and Modifying Client Computer Settings

You can manage the clients that are available on your network, along with many of the settings that control their availability and behavior, from the Windows SBS Console. To see a list of computers joined to your SBS domain, open the Windows SBS Console and click the Network button to open the Computers page, as shown in Figure 1.

From the Computers page, you can see a quick status for the computers on your network: which are online, which need updates, and which have other problems or warnings. When you click a computer in the list, a new section of the Tasks pane opens showing you tasks you can perform that are specific to the computer selected, as shown in Figure 2 where we’ve selected computer HP160-WIN7-01.

From here, you can offer remote assistance, connect directly to the computer using Remote Desktop (if the computer supports Remote Desktop), view the properties of the computer, check on update and other security-related status, and even remove the computer from the domain.

If there are problems with a client computer, you can select the computer and then click the Go To Security or Go To Updates links in the Tasks pane to navigate to the appropriate page of the Windows SBS Console.

1. Viewing and Modifying Client Computer Settings

To view or modify the properties and settings of a client computer in SBS, select the computer in the Windows SBS Console Computers page, as shown in Figure 2, and click View Computer Properties in the Tasks pane to open the Properties dialog box for the computer. From here, you can view the name of the computer, set the description of it, view the status of updates assigned to the computer, and control who has remote access to the computer.

To set the remote access to the computer, follow these steps:

UNDER THE HOOD: Controlling Local Access to a Computer

The SBS wizards allow you to control only remote access to a computer. Any SBS user with physical access to the computer can log on locally with at least Standard User privilege. This is not restricted by SBS in any way, despite what the help files appear to indicate. We think this is a mistake, and one that we frankly don’t understand—especially because the fix to directly control who has access to a computer is fairly easy. So we wrote a little script to do it. This script uses Windows PowerShell to directly edit the ADSI properties for a user account, enabling access to specific computers. If a computer isn’t explicitly granted access, it is denied after this script is run.

# Script Name: set-comprestrict.ps1
# ModHist: 12/07/08 - Initial
#               : 02/08/10 - Updated for SBS 2011
#
#  Script to restrict a user to one or more computers on an SBS 2011
network
#     Expects: two parameters--
#        logon name (sAMAccountName)
#        client computer names (in a quoted, comma separated list)
#
#  With Thanks to Richard Siddaway (Microsoft MVP) for his help.

# Copyright 2011 by Charlie Russel and Sharon Crawford. All rights
reserved.
#   You may freely use this script in your own environment, modifying it
to meet
#   your needs. But you may not re-publish it without permission.
#

param($UserName, $comp)
$_OU="ou=SBSUsers,ou=Users,ou=MyBusiness,dc=Example,dc=local"
$searchOU=[ADSI]"LDAP://$_OU"
$searcher= New-Object System.DirectoryServices.DirectorySearcher
$searchOU
$searcher.filter = "(&(objectClass=User)(sAMAccountName=$UserName))"

$userResult = $searcher.FindOne()
$user = $userResult.GetDirectoryEntry()

$user.userWorkstations = $comp
"Restricting user account: $UserName to clients: $comp"

$user.SetInfo()
"Computer access for $user has been updated."

					  

You’ll need to run this script, which is on the companion CD, from an elevated PowerShell console.