An existing user in a Windows domain was moving to a parent company that is not part of our infrastructure. After the employee left, his account was to be cut off from everything except email: no local logon and no remote access to systems or computers on the network.
Disabling the account would have blocked the authentication that Exchange needs, so that was not an option.
Create a Security Group
I created a new Security Group, Email Only.
I added this specific user to the newly created Security Group.
Create a Group Policy
Next, I created a new Group Policy for the domain and applied it to the Computers OU.
Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Log on Locally
I modified Deny Log on Locally policy and added my newly created Security Group, Email Only.
Testing
To test functionality, I logged on as an administrator to a PC in the domain and ran gpupdate /force. This updates the group policy on that computer. Then I logged off and tried logging back on as the user I had added to the Security Group. Login failed, so this worked.
Next, I tested OWA, Outlook Anywhere, and Outlook. I was able to successfully authenticate and send/receive email without an issue.
Now this user has access to OWA and Outlook Anywhere or Outlook without the ability to log on locally to a computer in the domain.
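The same steps scripted in PowerShell, as an added example that is not part of the original post: it creates the Email Only group, adds the user, creates and links the GPO to the Computers OU, and then verifies on a domain client that the group's SID actually landed in the Deny log on locally right after gpupdate. The user name, OU distinguished name and GPO name are placeholders; the GroupPolicy module has no cmdlet for User Rights Assignment, so the Deny log on locally entry itself is still set in GPMC as described above. The check also reports the separate "Deny log on through Remote Desktop Services" right, which this policy does not set.

```powershell
# Added example, not the original post's code. Assumes RSAT ActiveDirectory and
# GroupPolicy modules, run elevated on a domain-joined client.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName   = 'Email Only'
$UserSam     = 'jdoe'                              # placeholder sAMAccountName
$ComputersOU = 'OU=Computers,DC=example,DC=com'    # placeholder OU DN
$GpoName     = 'Deny Local Logon - Email Only'     # placeholder GPO name

# 1. Security group and membership
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $UserSam
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value

# 2. GPO linked to the Computers OU (Deny log on locally is added in GPMC:
#    Computer Configuration > Windows Settings > Security Settings >
#    Local Policies > User Rights Assignment)
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $ComputersOU | Out-Null
}

# 3. Verification on a client: export the effective local security policy and
#    look for the group SID in the deny rights. secedit writes each right as
#    "SeRightName = *SID,*SID" so we match on the SID with a leading *.
function Test-DenyLogonApplied {
    param([string]$Sid)
    $inf = Join-Path $env:TEMP 'secpol.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $inf
    Remove-Item $inf
    $result = @{}
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $line = $lines | Where-Object { $_ -like "$right*" }
        $present = $false
        if ($line) {
            $present = ($line -split '=')[1] -match [regex]::Escape("*$Sid")
        }
        $result[$right] = $present
    }
    return $result
}

gpupdate /force | Out-Null
Test-DenyLogonApplied -Sid $groupSid
```

Expect SeDenyInteractiveLogonRight to be True once the GPO has applied; SeDenyRemoteInteractiveLogonRight stays False unless you add the group to that right as well.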