Add users to AD for authentication, but not for computer access

I am in a network setting where we use Win 2k3 Server w/ AD for the faculty and staff of our school.  The students are authenticated by an Open Directory Mac OS X server.  This is not a problem for us as the OS X server can host a STUDENT Domain for our student windows clients.  However, there are times when I want to use other products' LDAP features for authentication - often these products work better, or only, with AD.  (I like having the two networks segregated for security purposes.)  Thus there are times when it would be nice to have users in the AD who could not log in to computers on the network.  That way, if my Content Filter, Print server, etc. was using LDAP for authentication from the Win 2k3 AD server the names and passwords would be there for authentication.  Is this possible?  I liken this to creating distribution groups as opposed to security groups in AD.  (We need the Open Directory Mac OS X server to stay for purposes of management of the Apple workstations.  It is possible to have Open Directory look at AD for authentication while maintaining Apple client management but this adds several layers of complexity and generally the addition of an expensive product - we do not want to do this.)

Any help with this is appreciated.
jcaballero73 Asked:

TheCleaner Commented:
I think you are going down the road of either Microsoft's RADIUS or a 3rd party like Funk (now Juniper) (steel-belted RADIUS).

Or you could in a sense create a user ID in AD, and set the "log on to these workstations" and not list anything.
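
A way to verify the "log on to these workstations" approach from the comment above, added here as an example and not part of the original thread: it reads an LDIF export of the directory (for instance from `ldifde`) and reports accounts in an authentication-only OU whose `userWorkstations` attribute, the attribute behind that setting, is empty or lists unexpected hosts. The OU name, domain, host names and sample entries are constructed, and allowing only the domain controller that answers the LDAP bind (hypothetical name `DC01`) is an assumption.

```python
# Added example: audit an LDIF export for auth-only accounts that can log on anywhere.
import re

# Constructed sample export (hypothetical domain, OU and host names).
SAMPLE_LDIF = """\
dn: CN=student01,OU=AuthOnly,DC=school,DC=example
sAMAccountName: student01
userWorkstations: DC01

dn: CN=student02,OU=AuthOnly,DC=school,DC=example
sAMAccountName: student02

dn: CN=student03,OU=AuthOnly,DC=school,DC=example
sAMAccountName: student03
userWorkstations: DC01,
 LAB-PC-07

dn: CN=teacher01,OU=Staff,DC=school,DC=example
sAMAccountName: teacher01
"""

def parse_ldif(text):
    """Yield one dict per entry; handles LDIF line folding (leading space)."""
    unfolded = re.sub(r"\r?\n ", "", text)
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        if "dn" in entry:
            yield entry

def audit(text, ou="OU=AuthOnly", allowed=("DC01",)):
    """Return {account: finding} for accounts in `ou` (assumed OU name) whose
    userWorkstations value does not restrict them to the `allowed` hosts."""
    allowed_set = {h.upper() for h in allowed}
    findings = {}
    for e in parse_ldif(text):
        if ou.lower() not in e["dn"].lower():
            continue
        name = e.get("samaccountname", e["dn"])
        hosts = {h.strip().upper() for h in e.get("userworkstations", "").split(",") if h.strip()}
        if not hosts:  # attribute absent or empty: no logon restriction at all
            findings[name] = "no restriction: can log on to any computer"
        elif hosts - allowed_set:
            findings[name] = "extra hosts: " + ",".join(sorted(hosts - allowed_set))
    return findings
```
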
