user5500

Disable Client Logon, while enabling Outlook Logon

I need to be able to create a user account that is disallowed from logging into any domain clients but may still use Outlook or OWA... I've tried denying logon under the "Account" in the "logon hours" setting in Active Directory, but it also prevents me from logging into the mailbox.
Active Directory, Exchange, Windows Server 2003

Qlemo

You could try to remove "logon locally" or "logon from network" in policies.
ASKER CERTIFIED SOLUTION
ryansoto

user5500

ASKER

Where is this option?
NoEvil

Actually, Qlemo was on the right path. If I understand correctly, you would like to ensure that this user account cannot log into any workstations in your domain. To do so, apply a setting that tells the workstations the user cannot log in. Since this is at the workstation level only, AD authentication is not blocked on Domain Controllers or on Exchange Servers.
This can be accomplished and still allow OWA to authenticate on the Exchange server/AD.
Create an AD group called DenyLocalLogon and add the user in question to this group.
Then create a GPO called DenyLocalLogon.
Configure the GPO with the setting below:
Computer Configuration\Windows Settings\Local Policies\User Rights Assignments\
Deny Logon Locally <- Add AD group DenyLocalLogon to this.
Now that the policy is created, click on the OUs that contain workstations. This is accomplished in GPMC by clicking on the OU/OUs that contain computers you would like to denylocallogon.
Right-click on each OU, select Link Existing GPO and select the DenyLocalLogon GPO.
Now everything should be set. The user account can use OWA, but cannot log on to any of the workstations that you applied the GPO to.



NoEvil

In my haste I gave you the wrong path to the setting; it's:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignments\
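
To confirm the GPO described above has taken effect on a workstation, this added example (not part of the original thread) exports the local user-rights assignments with secedit and checks whether the group's SID appears under SeDenyInteractiveLogonRight, the privilege constant behind "Deny logon locally". It goes slightly beyond the answer by also reporting SeDenyRemoteInteractiveLogonRight, a separate right the GPO above does not set; the domain name CONTOSO and the presence of PowerShell on the workstation are assumptions.

```powershell
# Added example: run elevated on a workstation in a linked OU, after "gpupdate /force".
# CONTOSO is a placeholder domain name; DenyLocalLogon is the group from the answer.
param([string]$Group = 'CONTOSO\DenyLocalLogon')

function Get-UserRight {
    param([string[]]$InfLines, [string]$Right)
    # secedit writes lines such as: SeDenyInteractiveLogonRight = *S-1-5-21-...,Guest
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            return $Matches[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ }
        }
    }
    # No matching line means the right is assigned to nobody.
}

# Resolve the group to its SID; secedit lists domain principals as *SID.
$account = New-Object System.Security.Principal.NTAccount($Group)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg
Remove-Item $cfg

$rights = @(
    'SeDenyInteractiveLogonRight',        # "Deny logon locally" (set by the GPO)
    'SeDenyRemoteInteractiveLogonRight'   # Terminal Services logon (not set by the GPO)
)
foreach ($right in $rights) {
    $members = @(Get-UserRight -InfLines $lines -Right $right)
    # Entries are normally SIDs, but unresolved ones can appear as account names.
    $listed = ($members -contains $sid) -or ($members -contains $Group)
    if ($listed) {
        Write-Output "$right : $Group ($sid) is listed"
    } else {
        Write-Output "$right : $Group is NOT listed (entries: $($members -join ', '))"
    }
}
```

If the first right is reported as not listed, the GPO is either not linked to the OU that holds this computer or has not been refreshed yet.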