Solved

Create an Active Directory OU for users with only Email/Exchange 2010 access

Posted on 2012-03-15
Last Modified: 2012-06-21
Hi There,

I'm wanting to set up an OU in Active Directory where I can place user accounts that only need Exchange/email access.  I wish to lock out any file access or any other domain rights.

If anybody has done this, please send me some pointers.
Question by:xdd-llc
14 Comments
 
LVL 9

Expert Comment

by:dipersp
ID: 37725277
How will they access email?  Webmail?  Outlook over RPC?  

If you don't have any remote access for them to use and they're not physically on your network, it doesn't sound like an issue.  Give us the entry points that they could get in through (Terminal server?  Physical access to network) and let's see what we can figure.
 

Author Comment

by:xdd-llc
ID: 37726307
Email access would be either physically on the network or OWA.

Sorry, should have mentioned that before.
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37726572
By default users can only log in to machines on the domain and do their work. Users can only access other services if explicitly allowed.
 
LVL 9

Expert Comment

by:dipersp
ID: 37726692
OWA doesn't bother me, but the physical access does.

The question becomes, first - how many shares/files are set up with domain users, etc. as the access control.  If the person logging in is physically on the network (and authenticating against the DC), they now have rights to any files/shares that have Authenticated Users, Everyone or Domain Users as permissions.  So that's an issue there.

Even if they were logging into a workgroup PC, they could browse the network and, using their username and password that they already know for OWA, they could try getting into shares/files.  

It's a tough position.
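To find out how exposed the existing shares actually are, the check below is an added example and not code from anyone in this thread. It is PowerShell that runs locally on a file server (as an administrator), enumerates its disk shares through WMI and reports every NTFS Allow entry granted to one of the broad groups named above (Everyone, Authenticated Users, Domain Users, BUILTIN\Users). The list of "broad" group names is an assumption based on default English group names; share-level (SMB) permissions are not inspected here, only the NTFS ACL of each share path.

```powershell
# Added example (not from the original thread): list NTFS Allow ACEs on every
# disk share that are granted to a broad principal. Run on the file server as
# an administrator. Works with PowerShell 2.0 on Windows Server 2008 R2 and later.

# Assumption: default English names; add localised or custom broad groups here.
$broadPatterns = @(
    '^Everyone$',
    '^NT AUTHORITY\\Authenticated Users$',
    '^BUILTIN\\Users$',
    '\\Domain Users$'     # any domain prefix, e.g. CONTOSO\Domain Users
)

function Test-BroadPrincipal {
    param([string]$Identity)
    foreach ($pattern in $broadPatterns) {
        if ($Identity -match $pattern) { return $true }
    }
    return $false
}

# Type 0 = disk drive share; this skips IPC$, ADMIN$ and printer shares.
$shares = Get-WmiObject -Class Win32_Share -Filter 'Type = 0' |
    Where-Object { $_.Name -notmatch '\$$' -and $_.Path }   # skip hidden shares like C$

$findings = foreach ($share in $shares) {
    $acl = Get-Acl -Path $share.Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.IdentityReference.Value)) {
            New-Object PSObject -Property @{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object Share, Principal | Format-Table Share, Path, Principal, Rights, Inherited -AutoSize
```

Every row this prints is a share an "email only" account could reach simply by authenticating to the domain, whether from a domain-joined PC or from a workgroup machine that prompts for credentials. Shares with Domain Users as the only Allow entry are the ones where an explicit Deny for the email-only group is the practical fix, since removing Domain Users would break everyone else.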
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37726784
But when creating files and shares, don't give them the rights?
 
LVL 9

Expert Comment

by:dipersp
ID: 37726795
What about all of the existing files and rights?  I didn't get the impression this is a brand-new network.  If it is - piece of cake then.
 

Author Comment

by:xdd-llc
ID: 37729921
Thanks for the interest guys.

Yeah, it is an existing setup with roughly a dozen shares.

Maybe creating a security group that denies access explicitly to the shares, remote desktop, and other stuff?  Then tie it to an OU for 'email only'.  It means housekeeping will need to be done and the denied list updated for the group as shares and such are added.

Unless there's a better way?

Thanks.
 
LVL 9

Accepted Solution

by:dipersp (earned 2000 total points)
ID: 37731192
That's exactly how you'd have to do it.  I had to do this for a client - they had one person they wanted to give rights to one folder.  Unfortunately, most shares and permissions had been setup using domain users.

So you could set up a new group for the email only users, and explicitly do a deny on the shares.  As for remote desktop, I wouldn't worry - unless you added something like domain users in with access to remote into machines.  By default, you have to be in the remote desktop or admin user's group of the machines.
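The approach agreed on above (the asker's proposal and the accepted answer), as an added PowerShell example that is not code from anyone in this thread: create the 'email only' OU and a security group in it, then stamp an explicit Deny ACE for that group onto each share's NTFS ACL. The OU name, group name and the `$sharePaths` list are constructed for this example; replace them with your own. It assumes the ActiveDirectory module (RSAT or Windows Server 2008 R2+) and that it runs on the file server as an administrator.

```powershell
# Added example (not from the original thread): build the email-only group and
# deny it on each file share. Assumptions: names below are invented for the
# example; run on the file server with the ActiveDirectory module available.
Import-Module ActiveDirectory

$ouName    = 'Email Only Users'   # assumption: chosen for this example
$groupName = 'Email Only Users'   # assumption: chosen for this example
$domainDN  = (Get-ADDomain).DistinguishedName
$ouDN      = "OU=$ouName,$domainDN"

# 1. OU for housekeeping: it is where the accounts live, but the deny works on
#    the group, so membership in the group is what actually matters.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Global security group in that OU, used as the Deny principal on shares.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN `
        -Description 'Mailbox-only accounts; explicitly denied on file shares'
}
# Each email-only account is added like this (example account name):
#   Add-ADGroupMember -Identity $groupName -Members 'jdoe'

# 3. Explicit Deny (Full Control, inherited by files and subfolders) on every
#    share path. Constructed list; enumerate real ones with Get-WmiObject Win32_Share.
#    Do NOT include SYSVOL/NETLOGON: denying Read there breaks logon scripts and GPO.
$sharePaths = @('D:\Shares\Finance', 'D:\Shares\Projects')

$principal = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\$groupName")

function Add-DenyRule {
    param([string]$Path, [System.Security.Principal.NTAccount]$Account)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    # AddAccessRule merges duplicates, so re-running the script is safe.
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Output "Denied $Account on $Path"
}

foreach ($path in $sharePaths) {
    if (Test-Path -Path $path) { Add-DenyRule -Path $path -Account $principal }
    else { Write-Warning "Share path not found: $path" }
}
```

Windows evaluates explicit Deny entries before explicit Allow entries, so the Deny on the email-only group wins over any Allow the same user gets through Domain Users or Authenticated Users; Set-Acl writes the entries in canonical order for you. The housekeeping the asker mentions is real: a share created later without this Deny is reachable again, so re-run the loop whenever a share is added. For remote desktop, confirm on the machines that Domain Users was never added to the local Remote Desktop Users group (`net localgroup "Remote Desktop Users"`), which is the condition the accepted answer flags.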
 

Author Comment

by:xdd-llc
ID: 37824474
I've requested that this question be deleted for the following reason:

the question was never really answered
 
LVL 9

Expert Comment

by:dipersp
ID: 37824475
We never heard any further from you on this.  Several of us gave you some ideas and thoughts to consider, but doing it exactly how you're looking to do it isn't possible, unless you came up with another way you'd like to share with us all.
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37825044
Agreed with dipersp. He should query further if required.
 
LVL 9

Expert Comment

by:dipersp
ID: 37843878
Recommend #4 - http:#37731192

Based on the information I had at that time, I laid out my suggestion of how to best create the group for the necessary users and what to look for and not worry about (Remote users).  If this wasn't good enough, more information would have been helpful.  What was originally proposed is not possible in my eyes.