You can make this change by doing one of the following:
- Use a Remote Desktop connection to connect to the Windows SBS computer.
- Install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional.
For more information about the Windows Server Administration Tools Pack, see How to use the Administration Tools Pack to remotely administer computers that are running Windows Server 2003, Windows XP, or Windows 2000.
To remove members from the Remote Operators group and the Domain Power Users group, follow these steps:
- After you connect to the computer that is running Windows SBS by using a Remote Desktop connection or by using the Windows Server Administration Tools Pack, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- Expand the domain object, expand MyBusiness, and then click Security Groups.
Note In this example screen shot, the domain object is "contoso.local." Your domain object will be your_domain.local, where your_domain is the name of your domain.
- Double-click Remote Operators, and then click the Members tab.
Note The Domain Power Users group always appears in the Members list. Although this screen shot doesn’t show other members, your screen may show other groups or user accounts in the list. When you remove groups or user accounts from the Members list, do not remove the Domain Power Users group.
- Click the user account or the group that you want to remove, click Remove, and then click Yes to confirm the removal.
- Repeat step 4 for every account or group that you want to remove, and when you are finished, click OK.
- In the Security Groups list, double-click Domain Power Users.
- Click the Members tab.
Note Only the Power User Template and user accounts that the Power User Template is applied to should appear in the Members list. Do not remove the Power User Template or the user accounts that have the Power User Template.
IMPORTANT: When you apply the Power Users Template to a user account, that user account is specifically denied access to log on to the Windows Small Business Server 2003 computer from the local console. Therefore, don't apply this template to an Administrator account. For more information about how to apply templates to user accounts, see the "Manage users and groups" topic in Windows Small Business Server Help and Information.
- Click a group or account that you want to remove, click Remove, and then click Yes to confirm the removal. In particular, make sure that you remove the Administrator account or any group that might contain the Administrator account.
Note Sometimes, the Administrator account may become a member of the Remote Operators group or the Domain Power Users group throughgroup nesting. For example, the built-in Administrator account is automatically a member of the Mobile Users group. Therefore, if you add the Mobile Users group as a member of the Remote Operators group, the Administrator account automatically becomes a member of the Remote Operators group because the Mobile Users group is nested in the Remote Operators group.
By default, the built-in Administrator in Windows Small Business Server is a member of the following groups:
- Domain Admins
- Domain Users
- Enterprise Admins
- Group Policy Creator Owners
- Mobile Users
- Schema Admins
- In Active Directory Users and Computers, click Users.
Note Make sure that you click the Users folder in the domain container and not in the MyBusiness container.
- Double-click Administrator.
- Click the Member Of tab.
- Double-click the groups that are listed on the Member Of tab to open their properties. If the group membership settings on the server are very different from the default settings, make sure that the groups that contain the user account are not nested in other groups.
- When you are finished changing the group membership, click OK.
To grant a user rights to to perform administrative tasks over a Remote Desktop connection to the Windows Small Business Server 2003 computer, apply the Power Users Template to that user account. You can apply this template when you create the user account or by running the Change User Permissions Wizard.
When this issue occurs, an event that resembles the following may appear in the Security log in the Event Viewer: