
I am attempting to create an account for an external contractor so that they can have an @domain.com email address and access that from OWA, but not log into any server or PC on the domain.

I've tried setting the Log On To... property to a non-existent PC, and this works in that they can't log into any PCs or servers, but they also can't log into OWA. I'm reluctant to grant them login access to the mail server, as I really want to deny them login access to any PC or server.

I'd also rather not need to use group policy to complete this, as I'd like it to only apply to this one user, and be easy to undo when/if they leave.

Thanks!

NaOH

1 Answer


You should be using a Security Group to arbitrate this access, even if the group only ends up having this one contractor as a member. When you need to redo this in the future for a new contractor, you'll be happy you used a group.

Here's what I'd do:

  • Create a group "Users Denied Interactive Logon", and make the contractor a member.
  • Create a Group Policy Object (GPO) linked at the root of the domain called "Deny Interactive Logon"
  • In the "User Rights Assignment" subnode of the "Local Policies" subnode of the "Security Settings" subnode of the "Windows Settings" subnode of the "Computer Configuration" node I would add "Deny log on locally" permission for "Users Denied Interactive Logon" group.

This would be easy to remove if you ever need to, and easy to apply to other users (by way of group membership) in the future.

Evan Anderson
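The group and GPO steps from the answer above, scripted, followed by a check that the "Deny log on locally" right actually reached a member machine. This is added example code, not the answer's own; it assumes the RSAT ActiveDirectory and GroupPolicy modules and a contractor account named ext.contractor (both names are placeholders). OWA keeps working because IIS performs a network logon, which this right does not cover.

```powershell
# Added example, not from the original answer. Run as a domain admin on a machine with RSAT.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName  = 'Users Denied Interactive Logon'   # name used in the answer
$GpoName    = 'Deny Interactive Logon'           # name used in the answer
$Contractor = 'ext.contractor'                   # assumed sAMAccountName (placeholder)

# 1. Create the security group (idempotent) and add the contractor.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Members are denied interactive logon via GPO'
}
Add-ADGroupMember -Identity $GroupName -Members $Contractor

# 2. Create the GPO and link it at the domain root (idempotent).
$domainDn = (Get-ADDomain).DistinguishedName
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# 3. There is no GroupPolicy cmdlet for User Rights Assignment, so set
#    "Deny log on locally" for the group in the GPO editor as the answer describes
#    (Computer Configuration > Windows Settings > Security Settings >
#     Local Policies > User Rights Assignment).

# 4. Verify on a member machine after gpupdate: export the effective user rights
#    with secedit and confirm the group's SID appears in SeDenyInteractiveLogonRight.
function Test-DenyInteractiveLogon {
    param([Parameter(Mandatory)][string]$GroupSid)
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    # secedit lists principals as *SID, comma separated
    return [bool]($line -and $line -match [regex]::Escape("*$GroupSid"))
}

$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value
Test-DenyInteractiveLogon -GroupSid $groupSid   # $true once the GPO has applied
```

"Deny log on locally" covers console logons only; if the contractor should also be kept off RDP, the separate "Deny log on through Remote Desktop Services" right needs the same group.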