I've reached the point in my migration where I've set up a WSE2016 server, and installed the connector software on most domain computers.
I noticed in my AD a bunch of new Security Groups created by the WSE2016 server. Two of them are WseRemoteAccessUsers and WseRemoteWebAccessUsers, and both of them are populated with EVERY user object in my AD, regardless of which OU it's in.
I don't think this is a good idea, since some of those user objects are for managed service accounts, disabled accounts associated with Resource Mailboxes, and other special-purpose user objects. Many of them don't reflect an actual human who would use Anywhere Access (either VPN or Remote Web Access). We have 50 employees, but because of all those extra user objects, both those groups have a total of 135 members in them.
Service accounts are used for a specific purpose, and that purpose does NOT include needing to, or being able to, log into the RWA or VPN services offered by WSE2016. I can remove the unwanted user objects from those security groups, but I never added them to those groups to begin with. So I expect that whatever process added them in the first place will just do so again if I remove them.
Enabling those remote access features on accounts that don't need them just increases the attack surface of the network and server while providing NO benefit to the organization.
Can Mariette or someone else provide more background about the functioning and purpose of these groups, and any best practices surrounding them? Google hasn't found me anything useful yet, though I'll keep looking.
Thanks,
Bryan
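One way to audit those two groups before touching them, added here as an example and not part of Bryan's post or of the WSE2016 product: using the ActiveDirectory PowerShell module, it lists every direct member of WseRemoteAccessUsers and WseRemoteWebAccessUsers that looks like a non-human principal (managed service accounts, disabled accounts, nested groups, names matching a service-account prefix) and removes them only when explicitly asked. The group names come from the post; the `svc-` naming pattern, the function name and the "never logged on" heuristic are assumptions to adjust for your own domain.

```powershell
# Added example, not from the original post or from WSE2016 itself.
# Requires the ActiveDirectory module (RSAT) and rights to read the groups
# (and to modify them if -Remove is used). Group names are taken from the post.
Import-Module ActiveDirectory

function Get-WseRemoteAccessSuspects {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]] $Group = @('WseRemoteAccessUsers', 'WseRemoteWebAccessUsers'),
        # Assumed naming convention for service accounts; adjust to your own.
        [string]   $ServiceAccountPattern = '^svc[-_]',
        [switch]   $Remove
    )

    foreach ($groupName in $Group) {
        # Direct members only: a nested group shows up as objectClass 'group'
        # and is worth reviewing by hand rather than silently flattening it.
        $members = Get-ADGroupMember -Identity $groupName

        foreach ($m in $members) {
            $reason = $null

            switch ($m.objectClass) {
                'msDS-ManagedServiceAccount'      { $reason = 'Standalone managed service account' }
                'msDS-GroupManagedServiceAccount' { $reason = 'Group managed service account' }
                'group'                           { $reason = 'Nested group (review its members)' }
                'computer'                        { $reason = 'Computer object' }
                'user' {
                    $u = Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, LastLogonDate
                    if (-not $u.Enabled) {
                        $reason = 'Disabled account'
                    } elseif ($u.SamAccountName -match $ServiceAccountPattern) {
                        $reason = 'Matches service-account naming pattern'
                    } elseif (-not $u.LastLogonDate) {
                        # Heuristic only: a new hire also has no LastLogonDate yet.
                        $reason = 'Never logged on (check before removing)'
                    }
                }
            }

            if ($reason) {
                [pscustomobject]@{
                    Group       = $groupName
                    Member      = $m.SamAccountName
                    ObjectClass = $m.objectClass
                    Reason      = $reason
                }
                # Removal is opt-in and honours -WhatIf / -Confirm. As the post notes,
                # whatever populated the group may simply add the object back, so
                # re-run the report after the next connector/dashboard sync.
                if ($Remove -and $PSCmdlet.ShouldProcess($groupName, "Remove $($m.SamAccountName)")) {
                    Remove-ADGroupMember -Identity $groupName -Members $m -Confirm:$false
                }
            }
        }
    }
}

# Report only:
Get-WseRemoteAccessSuspects | Format-Table -AutoSize

# Dry run of the removal (nothing is changed):
# Get-WseRemoteAccessSuspects -Remove -WhatIf
```

Run the report first and keep its output; if the membership is re-populated later, diffing two reports tells you whether the WSE server is the process adding the objects back, which is the question the post raises.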