Organizational Unit (OU): control access to domain and resources

I have an OU that has been created for users that are strictly set up for accessing email through our Exchange Server 2003.

These users should not have the ability to log onto our Domain/workstations at our facility. Is there a way through ADU&C to limit / restrict / control these users / OU to only have access to email and nothing else?
srfrdrew Asked:

sunnyc7 Commented:
These users should not have the ability to log onto our Domain/workstations at our facility
>> Outlook requires that users are logged into the domain when you are connecting to Exchange over MAPI. Otherwise you will have a different set of issues to fix.

You can configure restrictions on the OU on what resources they can access using GPs, but they have to be a member of the domain, and be able to log onto your domain.
0
srfrdrew (Author) Commented:
I need to figure out how to block them from logging onto our local machines whilst allowing them to still access our Exchange server.
0
srfrdrew (Author) Commented:
There has got to be a way, maybe not with AD but some other method.
0

Justin Owens (ITIL Problem Manager) Commented:
How will they be accessing their mailboxes? You can use ADUC to "Allow Logon to only these computer" and leave the list blank. This will make it so they cannot log into a domain computer. You really need to use OWA if you do that, though, rather than a thick client.
0
srfrdrew (Author) Commented:
They are using the Outlook "thick" client.
So if I set ADUC for that OU to allow logon to "only these computers" and leave the list blank:

Would the Outlook client still work outside the domain (they are using RPC over HTTPS)?

0
Justin Owens (ITIL Problem Manager) Commented:
It should, but you need to test. Also be aware that they will get prompted for their domain credentials at least once, and more likely more often than that, while using Outlook from a non-domain machine. Also, Outlook requires DNS to function correctly, so you will need to make sure your domain DNS servers are what your non-domain machines are using, or you have an entry in your hosts file for both the NetBIOS name and the FQDN of your Exchange server(s).
0
Justin Owens (ITIL Problem Manager) Commented:
You will also run into issues when the passwords for those accounts expire.  Because they cannot log in, it will take administrative override to fix it.
0
srfrdrew (Author) Commented:
Those accounts do not have a password expiry.

I'm still unsure: can I or can't I do this?
0
Ron Malmstead (Information Services Manager) Commented:
Create a Group Policy object (machine policy) that applies to all computers and servers in your network.

...in the policy find the setting...
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > "Deny Logon Locally"

...and add the users/groups that should be denied.

Also see...
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > "Deny Logon Through Terminal Services"

...and add the same.
0

Ron Malmstead (Information Services Manager) Commented:
FYI - make sure your admin accounts are not members of any account you deny access to log on domain wide... or you will create trouble for yourself.
0
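The two answers above describe the fix (the "Deny log on locally" / "Deny log on through Terminal Services" GPO settings) and the lockout caveat (no admin may be in the denied group) but give no way to confirm either. The following added PowerShell script is not from the thread or from any of its posters; it assumes a placeholder group name "Mail-Only Users" as the denied principal, the ActiveDirectory module, and that it is run elevated on a domain-joined machine where the GPO should have applied. It exports the effective local security policy with secedit and checks that the group's SID is present in both deny rights, then checks that no admin account is a nested member of the denied group.

```powershell
# Added verification script (not from the thread). Assumptions: the denied group
# is named "Mail-Only Users" (placeholder), the ActiveDirectory module is loaded,
# and the script runs elevated on a machine that should have received the GPO.
param(
    [string]$DeniedGroup = 'Mail-Only Users',                    # placeholder name
    [string[]]$AdminGroups = @('Domain Admins', 'Administrators') # groups that must never be denied
)
Import-Module ActiveDirectory

# 1. Resolve the group's SID; secedit writes user rights as *SID entries.
$groupSid = (Get-ADGroup -Identity $DeniedGroup).SID.Value

# 2. Export the effective local security policy and parse the [Privilege Rights] lines.
$cfg = Join-Path $env:TEMP 'secpol-check.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        # Values look like "*S-1-5-21-...-1234,*S-1-5-32-546"; strip the leading asterisks.
        $rights[$matches[1]] = ($matches[2] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Both deny rights from the accepted answer must carry the group's SID.
#    SeDenyInteractiveLogonRight       = "Deny log on locally"
#    SeDenyRemoteInteractiveLogonRight = "Deny log on through Terminal Services"
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $present = $rights[$right] -contains $groupSid
    '{0,-36} {1}' -f $right, $(if ($present) { 'OK: group is denied' } else { 'MISSING: group not denied on this host' })
}

# 4. Lockout guard from the follow-up comment: no admin may be a (nested) member of the denied group.
$denied = Get-ADGroupMember -Identity $DeniedGroup -Recursive | Select-Object -ExpandProperty SamAccountName
foreach ($ag in $AdminGroups) {
    $admins = Get-ADGroupMember -Identity $ag -Recursive -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty SamAccountName
    $overlap = @($admins | Where-Object { $denied -contains $_ })
    if ($overlap.Count -gt 0) {
        "WARNING: members of '$ag' are also in '$DeniedGroup' and would be locked out: $($overlap -join ', ')"
    } else {
        "OK: no member of '$ag' is in '$DeniedGroup'"
    }
}
```

Run it on a workstation and on a server after `gpupdate /force`; a MISSING result on one host usually means the GPO is not linked to that machine's OU or is being overridden by a closer policy.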
sunnyc7 Commented:
There are too many issues to tackle from the OU/GP level to get non-domain-joined Outlook clients to access Exchange using MAPI.

Did you consider Dr.Ultima's suggestion of using OWA?
Or you can use Secure IMAP on 995?
0
srfrdrew (Author) Commented:
This solution worked for me. The first solution offered didn't allow the users to access email using Outlook HTTPS over RPC; this solution did.
0