Organizational Unit (OU): control access to domain and resources

I have an OU that has been created for users that are strictly set up for accessing email through our Exchange Server 2003.

These users should not have the ability to log onto our Domain/workstations at our facility. Is there a way through ADU&C to limit / restrict / control these users / OU to only have access to email and nothing else?
Asked by srfrdrew

Ron Malmstead (Information Services Manager) commented:
Create a Group Policy object (machine policy), that applies to all computers and servers in your network.

...in the policy find the setting...
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > "Deny Logon Locally"

...add the users/groups that should be denied.

Also see...
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > "Deny Logon Through Terminal Services"

...and add the same.
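An added example, not code from the thread or from any of the participants, that checks whether the two deny rights described above have actually reached a workstation. Both settings take security principals (users or groups), not OUs, so the users in the email-only OU have to be collected into a group first; `EmailOnlyUsers` is a hypothetical name for that group. The script uses `secedit.exe` to export the effective local security policy and reads its `[Privilege Rights]` section, so it reflects the merged result of local settings and every applied GPO. Run it elevated on a domain-joined machine after the policy has refreshed.

```powershell
# Added example (not from the thread): audit which security principals hold the
# two "deny" user rights on this machine. secedit.exe (present on all supported
# Windows versions) exports the effective local security policy; its
# [Privilege Rights] section lists each right as, for instance,
#   SeDenyInteractiveLogonRight = *S-1-5-21-...,*S-1-5-32-546
# 'EmailOnlyUsers' is a hypothetical group name; use the group named in your GPO.
param(
    [string]$DeniedGroup = 'EmailOnlyUsers',
    [string]$Domain      = $env:USERDOMAIN
)

$rightsOfInterest = [ordered]@{
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

# Export the effective policy (local settings merged with applied GPOs).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path -Path $cfg)) { throw 'secedit export failed; run from an elevated prompt.' }

# Parse only the [Privilege Rights] section into: right name -> list of SIDs/names.
$assigned  = @{}
$inSection = $false
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
        # secedit prefixes SIDs with '*'; strip it so values compare cleanly.
        $assigned[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item -Path $cfg -Force

# Resolve the denied group's SID so it can be compared with the exported entries.
$account  = New-Object System.Security.Principal.NTAccount("$Domain\$DeniedGroup")
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

foreach ($right in $rightsOfInterest.Keys) {
    $holders = if ($assigned.ContainsKey($right)) { $assigned[$right] } else { @() }
    $status  = if ($holders -contains $groupSid) { 'PRESENT' } else { 'MISSING' }
    "{0,-40} ({1}): {2}" -f $rightsOfInterest[$right], $right, $status
    foreach ($h in $holders) {
        # Translate SIDs back to account names where possible so the report is readable.
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($h)).Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $h
        }
        "    $name"
    }
}
```

A `MISSING` result on a machine that should be covered usually means the GPO is linked to the wrong OU, filtered out by security filtering, or has not refreshed yet (`gpupdate /force` and `gpresult /r` are the usual next steps). The script only reads policy; it changes nothing.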
sunnyc7 commented:
These users should not have the ability to log onto our Domain/workstations at our facility
>> Outlook requires that users are logged into the domain when you are connecting to Exchange over MAPI. Otherwise you will have a different set of issues to fix.

You can configure restrictions on the OU on what resources they can access using GPs, but they have to be a member of the domain, and be able to log onto your domain.
srfrdrew (author) commented:
I need to figure out how to block them from logging onto our local machines whilst allowing them to still access our Exchange server.
srfrdrew (author) commented:
There has got to be a way, maybe not with AD but some other method.
Justin Owens (ITIL Problem Manager) commented:
How will they be accessing their mailboxes? You can use ADUC to "Allow logon to only these computers" and leave the list blank. This will make it so they cannot log into a domain computer. You really need to use OWA if you do that, though, rather than a thick client.
srfrdrew (author) commented:
They are using the Outlook "thick" client.
So if I set ADUC for that OU to allow logon to "only these computers" and leave the list blank:

Would the Outlook client still work outside the domain? (They are using RPC over HTTPS.)

Justin Owens (ITIL Problem Manager) commented:
It should, but you need to test. Also be aware that they will get prompted for their domain credentials at least once, and more likely more often than that, while using Outlook from a non-domain machine. Also, Outlook requires DNS to function correctly, so you will need to make sure your domain DNS servers are what your non-domain machines are using, or you have an entry in your hosts file for both the NetBIOS name and the FQDN of your Exchange server(s).
Justin Owens (ITIL Problem Manager) commented:
You will also run into issues when the passwords for those accounts expire. Because they cannot log in, it will take an administrative override to fix it.
srfrdrew (author) commented:
Those accounts do not have a password expiry.

I'm still unsure: can I or can't I do this?
Ron Malmstead (Information Services Manager) commented:
FYI: make sure your admin accounts are not members of any account you deny access to log on domain-wide, or you will create trouble for yourself.
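An added example, not code from the thread, that checks the point Ron raises: because "Deny log on locally" applied domain-wide wins over any "Allow" right, an administrator who ends up in the denied group (often through a nested group nobody remembers) is locked out of every machine the GPO covers. The script uses the RSAT ActiveDirectory module to expand the denied group recursively and compare it with the usual administrative groups; `EmailOnlyUsers` is a hypothetical name for the denied group.

```powershell
# Added example (not from the thread): confirm that no administrative account is a
# member, directly or through nested groups, of the group the GPO denies logon to.
# Requires the ActiveDirectory module (RSAT). 'EmailOnlyUsers' is a hypothetical name.
Import-Module ActiveDirectory

$deniedGroup = 'EmailOnlyUsers'
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
               'Account Operators', 'Server Operators', 'Backup Operators'

# -Recursive expands nested groups, which is where accidental overlap usually hides.
$denied = @(Get-ADGroupMember -Identity $deniedGroup -Recursive |
            Select-Object -ExpandProperty SamAccountName)

$admins = foreach ($g in $adminGroups) {
    # A group may not exist in every forest (e.g. Enterprise Admins in a child domain).
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
}

$overlap = @($admins | Sort-Object -Unique | Where-Object { $denied -contains $_ })

if ($overlap.Count -gt 0) {
    Write-Warning ('These administrative accounts would also be denied logon: ' + ($overlap -join ', '))
} else {
    Write-Output "No member of the administrative groups is in '$deniedGroup'."
}
```

Run it before linking the GPO and again whenever the denied group's membership changes; it is read-only and safe to schedule.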
sunnyc7 commented:
There are too many issues to tackle from OU/GP level to get non-domain joined Outlook clients to access Exchange using MAPI.

Did you consider Dr.Ultima's suggestion of using OWA?
Or you can use Secure IMAP on 995?
srfrdrew (author) commented:
This solution worked for me; the first solution offered didn't allow the users to access email using Outlook HTTPS over RPC, but this solution did.
Question has a verified solution.