Add users to AD for authentication, but not for computer access

I am in a network setting where we use Win 2k3 Server w/ AD for the faculty and staff of our school.  The students are authenticated by an Open Directory Mac OS X server.  This is not a problem for us as the OS X server can host a STUDENT Domain for our student Windows clients.  However, there are times when I want to use other products' LDAP features for authentication - often these products work better, or only, with AD.  (I like having the two networks segregated for security purposes.)  Thus there are times when it would be nice to have users in the AD who could not log in to computers on the network.  That way, if my Content Filter, Print server, etc. was using LDAP for authentication from the Win 2k3 AD server, the names and passwords would be there for authentication.  Is this possible?  I liken this to creating distribution groups as opposed to security groups in AD.  (We need the Open Directory Mac OS X server to stay for purposes of management of the Apple workstations.  It is possible to have Open Directory look at AD for authentication while maintaining Apple client management, but this adds several layers of complexity and generally the addition of an expensive product - we do not want to do this.)

Any help with this is appreciated.
I think you are going down the road of either Microsoft's RADIUS or a 3rd party like Funk (now Juniper) (steel-belted RADIUS).

Or you could in a sense create a user ID in AD, and set the "log on to these workstations" and not list anything.
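
One way to apply and audit the "log on to these workstations" restriction across a set of LDAP-only accounts, as an added example that is not part of the original answer. The group DN and the domain controller names `DC01`/`DC02` are hypothetical placeholders. The script assumes that an LDAP simple bind is evaluated as a logon at the domain controller itself, so the list holds only the DC names: binds from the content filter or print server succeed, while logon at any other workstation is refused.

```powershell
# Added example (not from the original thread): restrict LDAP-only accounts
# through the userWorkstations attribute ("Log On To" in AD Users and Computers).
# Uses ADSI only, so it needs no ActiveDirectory module on the DC.
$GroupDn    = 'CN=LDAP-Only Users,OU=Groups,DC=example,DC=local'  # hypothetical DN
$AllowedDCs = @('DC01', 'DC02')   # hypothetical: the DCs that answer LDAP binds
$Apply      = $false              # $false = report only, $true = write changes

function Get-LdapOnlyUsers {
    param([string]$GroupDn)
    # Direct members of the group that are user accounts
    $filter   = "(&(objectCategory=person)(objectClass=user)(memberOf=$GroupDn))"
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userWorkstations'))
    $searcher.FindAll()
}

function Set-LogonWorkstations {
    param($SearchResult, [string[]]$Workstations)
    # userWorkstations is a single comma-separated string of computer names
    $entry = $SearchResult.GetDirectoryEntry()
    $entry.Put('userWorkstations', ($Workstations -join ','))
    $entry.SetInfo()
}

$wanted = ($AllowedDCs | Sort-Object) -join ','

foreach ($result in Get-LdapOnlyUsers -GroupDn $GroupDn) {
    $name = [string]$result.Properties['samaccountname'][0]
    $raw  = if ($result.Properties['userworkstations'].Count -gt 0) {
                [string]$result.Properties['userworkstations'][0]
            } else { '' }
    $current = (($raw -split ',') | Where-Object { $_ } | Sort-Object) -join ','

    if ($current -eq $wanted) {
        Write-Output "OK            $name -> $current"
    } elseif (-not $current) {
        # An empty attribute means the account may log on at every computer
        Write-Output "UNRESTRICTED  $name"
        if ($Apply) { Set-LogonWorkstations $result $AllowedDCs }
    } else {
        Write-Output "MISMATCH      $name -> $current (expected $wanted)"
        if ($Apply) { Set-LogonWorkstations $result $AllowedDCs }
    }
}
```

Interactive logon at the domain controllers themselves is still governed by the "Allow log on locally" user right, so ordinary accounts in the group gain no console access from being listed against the DCs.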

Question has a verified solution.
