
We need to create a user in Active Directory 2008 R2 that will be able to send and receive emails (Exchange 2010). This user should not be able to log in to any other server or PC in the domain. We can block him via the Log On To... option in Active Directory and limit him to only access the mail server, but does that then mean that he can come to the mail server and log in to it via keyboard and mouse?

Is there another way?

I don't know.

2 Answers


The way to know for sure that he cannot interactively log on to your mail server is to

  1. Have physical security of the server as Greg stated.
  2. Block Remote Desktop Access for regular users.
  3. Make sure he is not inside any group that can log onto servers or computers, or
  4. Make sure he is in a group that is restricted to not be able to log on to any machines.

For example, in a previous environment I was in, we had a group in AD where we put accounts we didn't want logging in to computers, and in our default domain policy we set it so that these accounts cannot log in to workstations. They have email access, but cannot log on to computers.


If we had machines they needed to login to, those machines got put in a special OU with inheritance blocked and their own policy created.

jscott
MDMoore313
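One way to set up the group this answer describes and then verify, on the mail server itself, that the resulting user-rights assignment actually denies interactive and RDP logon without also denying network logon (which Outlook/OWA need). This is an added example, not the answerer's own script; the group and account names are assumed, the RSAT ActiveDirectory module is assumed to be installed, and the GPO that references the group is still created in Group Policy Management.

```powershell
# Added example, not from the original answer. Group and user names are hypothetical.
Import-Module ActiveDirectory

$GroupName = 'MailboxOnly-NoInteractiveLogon'   # hypothetical group name
$UserName  = 'mailonly.user'                    # constructed sample account

# 1. Create the group that the GPO references in "Deny log on locally" and
#    "Deny log on through Remote Desktop Services", and add the mail-only account.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Mail-only accounts: denied interactive and RDP logon'
}
Add-ADGroupMember -Identity $GroupName -Members $UserName
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# 2. Run on the mail server: export the effective user-rights assignment and parse
#    the [Privilege Rights] lines (format: SeRight = *SID,*SID,...).
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg

# 3. The group must be in both deny rights ...
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
    $present = $rights[$right] -contains $groupSid
    '{0,-36} contains {1}: {2}' -f $right, $GroupName, $present
}
# ... but NOT in "Deny access to this computer from the network", or mailbox
# access over MAPI/OWA/ActiveSync breaks as well.
if ($rights['SeDenyNetworkLogonRight'] -contains $groupSid) {
    Write-Warning "$GroupName is also denied network logon; mail clients will fail."
}
```

After a `gpupdate /force` on the mail server the two deny rights should report True for the group.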

There's another way. You can simply use group policy to restrict who can log on to the server.

user170563