How to restrict an AD account to only specific Computers

windows-sbs-2011

We recently had SBS 2011 installed, an "upgrade" from our Server 2008. I'm stuck trying to figure out how I restrict a user account to have login access to only specific computers. The "old way" I would use Active Directory Users and Computers and it was trivial and intuitive. However, the new "SBS Console" way is defeating me. I've read the help and it's useless, for example:

Click each user account that you want to allow to access this computer.

Oh that's cute, I just "click" the accounts to give access. No, there's more to it than that but the help lacks the detail to describe it. You do however select an account and then I'm assuming you select the level of access for that user. Problem is the two options I have are:

  1. Local Administrator
  2. Standard User

Seems like there should be a "No Access" option? The Windows documentation/help lacks any detail in this regard. I've also googled and can't seem to get away from results pertaining to remote access or group access. Specifically I'm trying to understand the correct way to limit a user account to access only a single machine. Furthermore… what if I wanted to control what days and hours they can access the computer? Is that too "advanced" for SBS?

Side question: Am I a fool for trying to use the console? I'm not an IT pro, I just know enough to (usually) get basic things done on my network and server. Do you pros ditch the console and use the more powerful, less dumbed-down tools?

Best Answer

You're fine to use the functionality you've always used in "Active Directory Users and Computers" to make the changes you want. The "friendly" administration tool should always be used, wherever possible, but in this case you'd have no choice but to break out the "real" tools. The product isn't tremendously different from Windows Server 2008 R2 underneath, and you won't break anything using the time / day restrictions and client computer restrictions functionality. (What you don't want to do is completely ditch the SBS administration tools if you intend them to ever function as expected. It's recoverable if, for example, you decide to start making accounts using AD Users and Computers and later decide to switch back to the SBS Console but, in general, you just shouldn't go there to begin with.)
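
The same two restrictions the answer refers to (the "Log On To..." and "Logon Hours..." settings on the Account tab) can also be set and audited from PowerShell. This is an added example, not part of the original answer; the account name `jdoe` and computer name `FRONTDESK-PC` are placeholders, and it assumes the ActiveDirectory module is available on the server.

```powershell
# Added example: account and computer names below are placeholders.
Import-Module ActiveDirectory

function New-LogonHours {
    # Builds the 21-byte logonHours value: 168 bits, one per hour of the week,
    # bit 0 = Sunday 00:00-01:00 UTC. Hours are given in local time and shifted
    # to UTC here (whole-hour offset only; DST changes are not tracked).
    param(
        [System.DayOfWeek[]]$Days,
        [ValidateRange(0,23)][int]$StartHour,  # first permitted hour (local time)
        [ValidateRange(1,24)][int]$EndHour     # hour at which access ends (local time)
    )
    $bytes  = New-Object byte[] 21             # all zero = logon denied at all times
    $offset = [int][TimeZoneInfo]::Local.BaseUtcOffset.TotalHours
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Wrap around the week so shifted hours before Sunday 00:00 UTC
            # land at the end of Saturday instead of going negative.
            $slot = (((([int]$day * 24) + $h - $offset) % 168) + 168) % 168
            $i    = [int][math]::Floor($slot / 8)
            $mask = [byte][math]::Pow(2, $slot % 8)
            $bytes[$i] = $bytes[$i] -bor $mask
        }
    }
    ,$bytes   # leading comma returns the array as one object
}

$user = 'jdoe'   # placeholder account name

# "Log On To...": comma-separated list of computers the account may log on to.
Set-ADUser -Identity $user -LogonWorkstations 'FRONTDESK-PC'

# "Logon Hours...": Monday to Friday, 08:00 to 18:00 local time.
$hours = New-LogonHours -Days Monday,Tuesday,Wednesday,Thursday,Friday `
                        -StartHour 8 -EndHour 18
Set-ADUser -Identity $user -Replace @{ logonHours = [byte[]]$hours }

# Read both settings back to confirm what was stored.
Get-ADUser -Identity $user -Properties LogonWorkstations, logonHours |
    Select-Object Name, LogonWorkstations,
        @{ n = 'LogonHoursHex'; e = { [BitConverter]::ToString([byte[]]$_.logonHours) } }
```

Opening the account in Active Directory Users and Computers afterwards shows the same values in the GUI, which is a quick way to check the hour grid against what was intended.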
