Creating user in AD with Exchange mailbox with limited or no rights

Posted on 2011-05-09
Last Modified: 2012-05-11

We have an outside consultant who will need access to one of the mailboxes on our Exchange 2007 system.

We have a single forest with a domain and a child domain.

I have created a user in Active Directory, but a basic user has too many rights to all the other resources.

Is there any way to create a limited user and restrict it to only the Exchange mailbox?

We have tons of other resources (intranets, SharePoints, etc.) that a basic user can log in to.
Question by: itmti

    Expert Comment

    Remove the user from the "Domain Users" group; that will strip a lot of rights.


    Author Comment

    Does not work.

    I created a new group in AD, added that user to that group, made it the primary group and removed Domain Users.

    The user is still able to authenticate to a lot of things, like intranets, SharePoints, etc.

    Accepted Solution

    Domain Users probably grants "allow log on locally" permissions on local machines, which would be removed. Other systems are probably using "Authenticated Users" or something similar to authorize access. If the built-in "Authenticated Users" group is being used to authorize things, you will have a hard time removing permissions. I'd suggest creating a group like "SharePoint Users", granting it access to the SharePoint site, and removing "Authenticated Users".

    You might be able to add the account to the "Guests" group. Typically that group is explicitly barred from doing a great many things, which might be enough for you.

    Author Closing Comment

    Thanks for the suggestions.

    Author Comment

    What I also did was:

    - Created a new user in a new trusted forest.
    - Created a linked mailbox in the primary forest and gave that user from the trusted forest permissions on it.

    Everything worked OK, but the user was still able to access intranets and SharePoints; as you said, those servers are using Authenticated Users.

    So what else I did was go into that new user's properties in AD, open the Account tab, click "Log On To..." and grant log-on rights only to my Exchange webmail server.

    That did the trick!
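The procedure from the accepted solution and the author's final comment (change the primary group so the account can leave Domain Users, then restrict "Log On To..." to the webmail server) scripted with the ActiveDirectory PowerShell module, as an added example that is not part of the thread; the account, group, server and OU names are placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# (RSAT on Windows 7 / Server 2008 R2 or later). All names are placeholders.
Import-Module ActiveDirectory

$User    = 'consultant01'            # sAMAccountName of the limited account
$Webmail = 'EXCH-CAS01'              # NetBIOS name of the Exchange webmail (CAS) server
$Limited = 'Limited-Mailbox-Users'   # global group that replaces Domain Users as primary group

# 1. "Log On To..." (userWorkstations): only the webmail server may accept this account.
#    Several servers would be given as a comma-separated list. The DC enforces this on
#    the workstation name the client presents, so treat it as a guardrail on top of
#    proper ACLs (replace Authenticated Users with explicit groups), not as a boundary.
Set-ADUser -Identity $User -LogonWorkstations $Webmail

# 2. Leave Domain Users. AD refuses to remove a user from its primary group, so the
#    primaryGroupID must point at the new group first (its value is the group's RID,
#    exposed through the constructed attribute primaryGroupToken).
$Group = Get-ADGroup -Identity $Limited -Properties primaryGroupToken
Add-ADGroupMember -Identity $Group -Members $User
Set-ADUser -Identity $User -Replace @{ primaryGroupID = $Group.primaryGroupToken }
Remove-ADGroupMember -Identity 'Domain Users' -Members $User -Confirm:$false

# 3. Optional, per the accepted solution: add the account to the built-in Guests group,
#    which is explicitly denied many rights on member servers.
Add-ADGroupMember -Identity 'Guests' -Members $User

# 4. Verify the settings that decide where the account can authenticate.
Get-ADUser -Identity $User -Properties LogonWorkstations, MemberOf, primaryGroupID |
    Select-Object SamAccountName, LogonWorkstations, primaryGroupID,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
```

Step 1 alone reproduces what the author did in the GUI; steps 2 and 3 are the expert's suggestions and only help where resources are ACLed to Domain Users rather than Authenticated Users.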

