Create an Active Directory OU for users with only Email/Exchange 2010 access

Hi There,

I'm wanting to setup an OU in Active Directory where I can place user accounts that only need Exchange/email access.  I wish to lock out any file access or any other domain rights.

If anybody has done this, please send me some pointers.
xdd-llcAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

diperspCommented:
How will they access email?  Webmail?  Outlook over RPC?  

If you don't have any remote access for them to use and they're not physically on your network, it doesn't sound like an issue.  Give us the entry points that they could get in through (Terminal server?  Physical access to network) and let's see what we can figure.
0
xdd-llcAuthor Commented:
Email access would be either physically on the network or OWA.

Sorry, should of mentioned that before.
0
abdulalikhanCommented:
By Default users can only login to Machines on the domain and do their work. Users can only access other services if explicitly allowed.
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

diperspCommented:
OWA doesn't bother me, but the physical access does.

The question becomes, first - how many shares/files are setup with domain users, etc. as the access control.  If the person logging is physically on the network (And authenticating against the DC), they now have rights to any files/shares that have authenticated users, everyone or domain users as permissions.  So that's an issue there.

Even if they were logging into a workgroup PC, they could browse the network and, using their username and password that they already know for OWA, they could try getting into shares/files.  

It's a tough position.
0
abdulalikhanCommented:
But when creating file and share dont give them the rights?
0
diperspCommented:
What about all of the existing files and rights?  I didn't get the impression this is a brand-new network.  If it is - piece of cake then.
0
xdd-llcAuthor Commented:
Thanks for the interest guys.

Yea it is an exsisting setup with roughly a dozen shares.

Maybe creating a security group that denies accesses explicitly to the shares, remote desktop, and other stuff?  Then tie it to an OU for 'email only'.  It means house keeping will need to be done and the denied list updated for the group as shares and such are added.

Unless there's a better way?

Thanks.
0
diperspCommented:
That's exactly how you'd have to do it.  I had to do this for a client - they had one person they wanted to give rights to one folder.  Unfortunately, most shares and permissions had been setup using domain users.

So you could setup a new group for the email only users, and explicity do a deny on the shares.  As for remote desktop, I wouldn't worry - unless you added something like domain users in with access to remote into machines.  By default, you have to be in the remote desktop or admin user's group of the machines.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
xdd-llcAuthor Commented:
I've requested that this question be deleted for the following reason:

the question was never really answered<br />
0
diperspCommented:
We never heard any further from you on this.  Several of us gave you some ideas and thoughts to consider, but doing it exactly how you're looking to do it isn't possible, unless you came up with another way you'd like to share with us all.
0
abdulalikhanCommented:
Agreed with dipersp. He should query further if required.
0
diperspCommented:
Recommend #4 - http:#37731192

Based on the information I had at that time, I laid out my suggestion of how to best create the group for the necessary users and what to look for and not worry about (Remote users).  If this wasn't good enough, more information would have been helpful.  What was originally proposed is not possible in my eyes.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.