Posted on 2013-01-04
Last Modified: 2013-01-04
I am trying to set up an account that only has access to email. We do not want them to have access to anything else on our server. I am not sure how to do it.
Thank you
Question by:moses417
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 15

Expert Comment

ID: 38744046
Do not connect to domain, leave on workgroup.

Give them access to OWA via web

Author Comment

ID: 38744053
ok, what do i do if they have already been connected to the domain and i do not have access to their computer?
LVL 15

Expert Comment

ID: 38744073
You need to take them off the domain.

Otherwise, if you have access to the server you can change their user account rights.

ie take them out of all groups and just add mail rights.

If on domain they will still be able to browse though. Need to take off domain, turn off network discovery etc. Reduce user rights and give access to OWA via Internet.
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 38744102
I am sorry for all the probably basic questions but I am still learning. how do i turn off network discovery etc for the user? is it in Active Directory or somewhere else? I have removed all of the rights other then the default group permissions. should I create a new group that has no permissions? then assign that to them?
LVL 15

Expert Comment

ID: 38744141
Network discovery is if they are using Windows 7 (Control Panel and Advanced Network Options).

You nned to give them zero permissions basically. However, if they will still be logging into the Domain then they will need to be members of Domain Users etc, and this is where you may run into difficulty.

Basically if you dont want them to have any access to Domain info then you really have to take them off the domain. Otherwise you will have to start with zero permissions and begin adding them 1 at a time to allow the user to log in and get on the internet but nothing else.

Author Comment

ID: 38744167
so are you saying i need to take his computer off the domain or remove him from A.D.? or am i totally lost.

Accepted Solution

tsaico earned 250 total points
ID: 38744240
He is saying to take the computer account from the domain.  To some extent, it will be impossible to remove the computer if they are in the the same network as the server.  Even if you have the computer on a workgroup, you will have to setup something for him to print on eventually, and if you are running SBS, then he needs some resources for things like DNS, DHCP, etc.   Not to mention if he just types in the server name, like \\servername, then he will just be presented with credentials, and when he puts in his email one, it is one and the same, he gets in.

If you are just trying to protect the shares, then you can create a Deny group in AD, then add this Deny group to the shares/resources you want him out of.  Then add the user in this Deny group in AD.  Deny rights always take precedence to any allow.  If you put the computer name in it, then anyone who logs into the computer will not be able to get to the resources from that computer, if you put in the user name into the AD group, then that user cannot get in, regardless of where he logs in.  Plus if he changes, you can just remove him from the AD group and he will then have the same rights as the others on the network.

Keep in mind though, deny rights can play havoc if you are not careful.  that is why I suggest a AD group for deny, then add your users, so you can easily add them and remove them from the group.  Do not granularly add them, otherwise you will forget where the deny is.  This won't prevent your user from at least seeing resources, but it will keep him from printing, accessing shares, etc.

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You need to know the location of the Office templates folder, so that when you create new templates, they are saved to that location, and thus are available for selection when creating new documents.  The steps to find the Templates folder path are …
Changing a few Outlook Options can help keep you organized!
Get people started with the process of using Access VBA to control Outlook using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Microsoft Outlook. Using automation, an Access applic…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit If you want to manage em…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question