Remote Web Access is not allowed for your user account. Contact the person who manages your server.

Scenario:

We were hired by a customer to help troubleshoot an issue with Remote Web Access (RWA) after they had already migrated to Windows SBS 2011 Essential from Windows Server 2003 SBS. When people go to the RWA URL site, type username and password and hit login they get:

“Remote Web Access is not allowed for your user account. Contact the person who manages your server.”

They were unable to login not even as domain administrators.

The following error was logged in “C:\ProgramData\Microsoft\Windows Server\Logs\Dashboard”

[38300] 130221.160506.6590: IDENTITY: Add Group:RemoteAccess failed with ErrorCode:8ac

The following error was logged in “C:\ProgramData\Microsoft\Windows Server\Logs\WebApps\RemoteAccess.log”

[33088] 130220.211827.8285: RemoteAccess: [Identity] User validate passed but not permitted to enter.

Resolution:

It turned out that when the Windows server 2011 SBS Essential was migrated to from Windows Server 2003, a few steps were skipped in the process of migration! Here are the steps that are pertinent to the issue and that have fixed it for me.

1- Go to “Active Directory Users and Computers” and look for the security groups mentioned below, if you don’t find them then you must create them manually. To create those groups in Active Directory Users and Computers,, expand My Business, expand Users, and then expand SBSUsers. Right-click and click Create New Group. Create the group names below, click Security Group and for the scope for each group to Global, and then click Create. Repeat this step to create the remainder of the below security groups. (in short you need to create new security groups in Active Directory Users and Groups that didn’t migrated over – listed below – it could be anywhere in ADUC – nothing is special about that…). The groups are:

• RA_AllowAddInAccess
• RA_AllowComputerAccess
• RA_AllowDashboardAccess
• RA_AllowHomePageLinks
• RA_AllowNetworkAlertAccess
• RA_AllowRemoteAccess
• RA_AllowShareAccess
• WSSUsers

2- In “Active Directory Users and Computers” you also must add the “Authenticated Users” group to the “Pre-Windows 2000 Compatible Access” group.

In the navigation pane of Active Directory Users and Computers expand “YourDomainName”, and then click the Builtin folder. In the details pane, right-click the Pre-Windows 2000 Compatible Access group, and then click Properties. On the Members tab, click Add. Type Authenticated Users, and then click OK.

3- Now, because some accounts were migrated from the Windows 2003 Server, by default it does not have memberships to those Windows SBS 2011 Essentials security groups. To add group memberships to the accounts that you are using for migration, do the following:

Click Start, click Administrative Tools, and then click Active Directory Users and Computers. In the navigation pane, expand YourDomainName, expand My Business, expand Users, and then expand SBSUsers. Open the administrator account or accounts to which you want to assign membership. Click the tab Member of and add all the “RA_…..” security groups above.

4- When creating new users account, use the Windows Small Business Server 2011 Dashboard instead of Active Directory Users and Computers.

5- If there is a user in Active Directory that you don’t see in the Dashboard, use the following steps to add it to the Dashboard:

Go to command line

cd “c:\Program Files\Windows Server\Bin”
Type WssPowerShell.exe
Type Import-WssUser -Name 

If you find this article helpful, please send me a note to Mike@bostonIT.com so I can keep on adding more hands-on knowledgebase articles.