Posted on 2013-01-04
Last Modified: 2013-01-04
I am trying to set up an account that only has access to email. We do not want them to have access to anything else on our server. I am not sure how to do it.
Thank you
Question by:moses417
  • 3
  • 3
LVL 15

Expert Comment

ID: 38744046
Do not connect to domain, leave on workgroup.

Give them access to OWA via web

Author Comment

ID: 38744053
ok, what do i do if they have already been connected to the domain and i do not have access to their computer?
LVL 15

Expert Comment

ID: 38744073
You need to take them off the domain.

Otherwise, if you have access to the server you can change their user account rights.

ie take them out of all groups and just add mail rights.

If on domain they will still be able to browse though. Need to take off domain, turn off network discovery etc. Reduce user rights and give access to OWA via Internet.
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.


Author Comment

ID: 38744102
I am sorry for all the probably basic questions but I am still learning. how do i turn off network discovery etc for the user? is it in Active Directory or somewhere else? I have removed all of the rights other then the default group permissions. should I create a new group that has no permissions? then assign that to them?
LVL 15

Expert Comment

ID: 38744141
Network discovery is if they are using Windows 7 (Control Panel and Advanced Network Options).

You nned to give them zero permissions basically. However, if they will still be logging into the Domain then they will need to be members of Domain Users etc, and this is where you may run into difficulty.

Basically if you dont want them to have any access to Domain info then you really have to take them off the domain. Otherwise you will have to start with zero permissions and begin adding them 1 at a time to allow the user to log in and get on the internet but nothing else.

Author Comment

ID: 38744167
so are you saying i need to take his computer off the domain or remove him from A.D.? or am i totally lost.

Accepted Solution

tsaico earned 250 total points
ID: 38744240
He is saying to take the computer account from the domain.  To some extent, it will be impossible to remove the computer if they are in the the same network as the server.  Even if you have the computer on a workgroup, you will have to setup something for him to print on eventually, and if you are running SBS, then he needs some resources for things like DNS, DHCP, etc.   Not to mention if he just types in the server name, like \\servername, then he will just be presented with credentials, and when he puts in his email one, it is one and the same, he gets in.

If you are just trying to protect the shares, then you can create a Deny group in AD, then add this Deny group to the shares/resources you want him out of.  Then add the user in this Deny group in AD.  Deny rights always take precedence to any allow.  If you put the computer name in it, then anyone who logs into the computer will not be able to get to the resources from that computer, if you put in the user name into the AD group, then that user cannot get in, regardless of where he logs in.  Plus if he changes, you can just remove him from the AD group and he will then have the same rights as the others on the network.

Keep in mind though, deny rights can play havoc if you are not careful.  that is why I suggest a AD group for deny, then add your users, so you can easily add them and remove them from the group.  Do not granularly add them, otherwise you will forget where the deny is.  This won't prevent your user from at least seeing resources, but it will keep him from printing, accessing shares, etc.

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Outlook 2016 hangs on the Launch Screen 3 45
Mac Online Backups 7 49
EXCH2013 and DAG settings 9 33
ost file to pst 10 59
Outlook Free & Paid Tools
If you don't know how to downgrade, my instructions below should be helpful.
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now