[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Creating user in AD with Exchange mailbox with limited or no rights

Posted on 2011-05-09
Medium Priority
Last Modified: 2012-05-11

We have some outside consultant that will need access to one of the mailboxes on Exchange 2007 system.

We have single forest with domain and child domain.

I have created user in Active Directory, but basic user has too many rights to all other resources.

Anyway to create limited user and limit only to Exchange mailbox?

We have tons of other resources, intranets, sharepoints, etc., that basic user can login.
Question by:itmti
  • 3
  • 2

Expert Comment

ID: 35724587
Remove the user from "Domain Users" group, that will strip a lot of rights.


Author Comment

ID: 35724657
Does not work,

created new group in ad, added that user to that group, made it primary group and removed Domain Users.

Still able to authenticate to a lot of stuff, like intranets, sharepoints, etc.,  


Accepted Solution

devinnoel earned 2000 total points
ID: 35724788
Domain Users probably grants "allow login locally" permissions on local machines, which would be removed. Other systems are probably using "Authenticated users" or something to authorize access. If the builtin group of "authenticated users" is being used to authorize things, you will have a hard time removing permissions. I'd suggest creating a group like "SharePoint users" granting access to the SharePoint site and remove "authenticated users"

You might be able to add the account to the "Guests" group. Typically that group is explicitly barred from doing a great many things, that might be enough for you guys.

Author Closing Comment

ID: 35724796
Thanks for suggestions

Author Comment

ID: 35724813
What I did also was:

created new user on new trusted forest.
created linked mailbox on primary forest and gave permissions to that user from trusted forest.

Everything worked ok, but still was able to get access to intranets, sharepoints as you said it is using authenticated users on those servers.

So what else i did was went into that new users properties under AD, went into Account Tab, hit Log On To... and gave rights only to my Exchange webmail server.

That did the trick!


Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question