Restrict user interactive access across forest.

[Alex Griffin]

Hello,

Yesterday the pointy hairs asked me to setup an email account for an
external reseller. We have exchange 2003 so the email and user
accounts are of course the same thing. As far as I am aware there is
no quick and funky method to create a user that can only access his
email and not logon to workstations. The user in question is in a
child domain. I wanted to stop the user logging on interactively
anywhere (except for OWA). So, in the Child Domain Default policy I
added the user to the "deny local logon", "deny logon as a service"
and "deny logon as a batch job". I thought that would be a catchall
for wherever the user tried to logon, however it looks like I am wrong
*grumble*

The child domain in question is in a foreign country. I am physically
seated amongst the parent domain machines. I left the policy to
propogate for a few hours, and then tried to logon locally on one of
our local parent domain machines, and it let me log straight on *more
grumbelling*. I am aware that GPO's do not cross domain boundaries,
i.e. Policys set on the parent domain are not inherited by child
domains, but I presumed that when I logged on as the child domain
user, the child domain policy would be applied to that user where ever
he logged on in the forest. It looks like I am incorrect in that
presumption, can anyone confirm that?

That being the case the only way I can envisage locking this user down
then is to add him to the default GP for all the child domains and the
parent.... Can anyone think of a better way? Or for that matter does
anyone have a good guide on what to do when you only want to give a
user access to the Exchange email facilities?

TIA.

 

[Ken B]

Why not configure on his user account, under the Account tab, "Log On To..."
and put one workstation in there (put your's... you know he'll never log
onto it)

I don't think that'll keep him from getting into OWA

Just an idea

Ken

 

[Alex Griffin]

Why not configure on his user account, under the Account tab, "Log On To..."
and put one workstation in there (put your's... you know he'll never log
onto it)

I don't think that'll keep him from getting into OWA

Just an idea

Hi Ken,

I did that before going down the GPO route. I just put in a BS name,
and felt very clever with myself, and indeed the user could not logon.
However, unfortunately that included the OWA login. Maybe I should go
back that way though and just add in the exch servers and the relevant
DCs which he should not be able to login to interactively anyway, but
which of course he needs to "logon" to in order for authentication.

 

[Ken B]

That was going to be my next suggestion, if a garbage workstation name
didn't work.

Not /as/ secure, but it's a solution nonetheless

Ken

 

[Alex Griffin]

That was going to be my next suggestion, if a garbage workstation name
didn't work.

Not /as/ secure, but it's a solution nonetheless

Unfortunately no dice here either. That interface only accepts netbios
names, and it seems either it cannot resolve them, or its failing for
some other reason. You cannot put in the full dns name, and the exch
server is unfortunately sited in the forest root domain, rather than
the child domain. I did try adding the netbios names anyway of the
exchange server, the 2 child dcs and the 2 forest root dcs, also tried
their IP addresses, but unfortunately had no luck.

 

[Alex Griffin]

You cannot put in the full dns name

Interestingly, the dialog for that option does say that netbios or a
valid dns name are the sort of entries you should put in there, but
the input area only allows 15 characters......*curses netbios*