Provide email, but no other network access or login
  • Provide email, but no other network access or login

    Hi all,

    I work for a town and was asked to provide town domain email addresses to certain committee members who are NOT town employees.

    I did so, that's easy enough (Exchange 2003 & Server 2003 Active Directory).

    But it dawns on me that by creating these users, this would allow them to theoretically login to the domain itself should they walk in and plug in. Is there a way to permit ONLY email access through OWA (what they are doing now) and deny all other login methods?

    Thanks!

  • #2
    Re: Provide email, but no other network access or login

    Group Policy Deny Logon Locally and Remotely
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Provide email, but no other network access or login

      OK, great!

      Well, please help me make sure I do this right (been a looooong time since I worked with GPs, and that was in versions not this early).

      The users in question are in an OU. I right-clicked that OU and went to Properties. There is a Group Policy tab, and I went there. I clicked New, created the policy name, then clicked Edit. That opened up the editor. I then went to:

      Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment

      In there is "Deny log on locally". I see nothing about "Remotely".

      I can add users or groups (after checking "Define these policy settings"), but not this OU. Should I just add the users individually? Am I even in the right place?

      Help! Thanks!
      Last edited by WorldBuilder; 23rd May 2012, 20:51. Reason: Formatting



      • #4
        Re: Provide email, but no other network access or login

        You are correct -- I'm sure there is a "deny remote" setting somewhere
        Tom Jones



        • #5
          Re: Provide email, but no other network access or login

          Cool. So just add the users one at a time? Not a problem since there's only a few, but I wonder... Why can't I add the OU?
          Last edited by WorldBuilder; 24th May 2012, 02:05.



          • #6
            Re: Provide email, but no other network access or login

            Originally posted by WorldBuilder:
            Cool. So just add the users one at a time? Not a problem since there's only a few, but I wonder... Why can't I add the OU?
            Why not just create a group and add the group. Much easier to manage.

            You can't use an OU because it's just really a container that helps you organise your AD structure rather than a security principal like a user or a group.



            • #7
              Re: Provide email, but no other network access or login

              Thanks, guys. And hey, just one other question. What is the "deny remote" setting anyway? Not that I've found it... But how does one login to a domain remotely anyway??



              • #8
                Re: Provide email, but no other network access or login

                Uh Oh...

                So I did as outlined above and no dice after adding the users to the "Deny logon locally". I was able to login to the domain as one of the users on a test desktop in my office.



                • #9
                  Re: Provide email, but no other network access or login

                  Just a thought....
                  It is a computer policy setting, so applying it to an OU with the users won't work (sorry, I wasn't thinking when I originally posted)

                  How about putting the users in a group and denying logon locally to that group in some policy that applies to all workstations
                  Tom Jones



                  • #10
                    Re: Provide email, but no other network access or login

                    Originally posted by Ossian:
                    Just a thought....
                    It is a computer policy setting, so applying it to an OU with the users won't work (sorry, I wasn't thinking when I originally posted)

                    How about putting the users in a group and denying logon locally to that group in some policy that applies to all workstations
                    NP, Ossian! I assume that would work. So then, if you could help out... What kind of group should the users be placed in (does it matter) and how would I apply the policy to all workstations?

                    Perhaps some holding of my hand is in order. LOL



                    • #11
                      Re: Provide email, but no other network access or login

                      Security group and apply policy at domain level
                      Tom Jones



                      • #12
                        Re: Provide email, but no other network access or login

                        Originally posted by Ossian:
                        Security group
                        Done.
                        Originally posted by Ossian:
                        and apply policy at domain level
                        How, I guess is what I am asking.

                        I created the group and put them in the OU. On the DC, I opened GP mgmt, created a deny logon policy as described above (Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment), added the group and linked it to the OU. Even ran gpupdate /force on the DC and rebooted my test client. I can still logon as these users. Argh!
                        Last edited by WorldBuilder; 24th May 2012, 20:03.

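As an added example (not code from this thread), here is a check for what the thread is trying to achieve: after running gpupdate on a test workstation, export its effective security policy with `secedit /export /cfg policy.inf` and confirm the group's SID appears under the deny-logon rights. The group SID and the sample export below are constructed placeholders, not values from a real domain.

```python
"""Verify that a group is present in the deny-logon rights of a secedit export."""

# User-right names as they appear in the [Privilege Rights] section of an export.
# "Deny log on through Terminal Services" is the "remote" counterpart of
# "Deny log on locally". The network-logon deny is listed so it can be spotted:
# OWA authenticates with a network logon on the Exchange/IIS server, so that
# right must NOT be applied to the mail-only group on that server.
DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "Deny log on locally",
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Terminal Services",
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
}


def parse_privilege_rights(inf_text):
    """Return {right_name: set(principals)} from the [Privilege Rights] section."""
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs prefixed with '*'; unresolved names appear bare.
        principals = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
        rights[name.strip()] = principals
    return rights


def check_deny_logon(inf_text, group_sid):
    """Map each deny right to whether group_sid is listed in the export."""
    rights = parse_privilege_rights(inf_text)
    return {name: group_sid in rights.get(name, set()) for name in DENY_RIGHTS}


# Constructed sample export; the S-1-5-21-... SID stands in for the mail-only group.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyNetworkLogonRight = *S-1-5-32-546
"""
```

If the export from the workstation does not list the group under the first two rights, the GPO is not reaching that computer: the setting lives under Computer Configuration, so the workstation itself must be in the scope of the link.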