Restrict Access to Only Email/OWA Access


An existing user in a Windows domain was moving to the parent company, which is not part of our infrastructure. After the employee left, his account was to be terminated but still be able to access email only, so no logon or remote access to systems or computers on the network.
Disabling the account would also block the authentication Exchange needs, so I couldn't do that.

Create a Security Group

I created a new Security Group, Email Only.
I added this specific user to the newly created Security Group.

Create a Group Policy

Next, I created a new Group Policy for the domain and linked it to the Computers OU.
Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally
I modified the Deny log on locally policy and added my newly created Security Group, Email Only.

Testing

To test functionality, I logged on as an administrator to a PC in the domain and ran gpupdate /force, which refreshes the group policy on that computer. Then I logged off and tried logging back on as the user I had added to the Security Group. The logon was denied, so the policy worked.
Next, I tested OWA, Outlook Anywhere, and Outlook. I was able to authenticate and send/receive email without an issue.
Now this user has access to OWA, Outlook Anywhere, and Outlook without the ability to log on locally to a computer in the domain.
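The logoff/logon test above can be backed by a check of the rights the policy actually set on the PC. The script below is an added example, not part of the original post: it refreshes policy, exports the local user rights with secedit, and reports which of the five deny-logon rights include the group, assuming the group is named Email Only in the current domain and the script runs elevated on a domain-joined PC.

```powershell
# Added verification script (not from the original post).
# Assumes: group "Email Only" in the current domain, run elevated on a domain PC.
param([string]$GroupName = 'Email Only')

# Pull the latest policy, as in the post's test.
gpupdate /force | Out-Null

# User rights are stored as SIDs in the exported template, so resolve the group's SID.
$account = [System.Security.Principal.NTAccount]"$env:USERDOMAIN\$GroupName"
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the User Rights Assignment area of the effective local policy.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The post configures only the first of these; the others are listed so the
# report shows what the GPO does NOT cover (Remote Desktop, network, batch, service).
$denyRights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyBatchLogonRight             = 'Deny log on as a batch job'
    SeDenyServiceLogonRight           = 'Deny log on as a service'
}

$lines = Get-Content $inf
foreach ($right in $denyRights.Keys) {
    # Template lines look like: SeDenyInteractiveLogonRight = *S-1-5-21-...,*S-1-5-32-546
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $sids = @()
    if ($line) {
        $sids = ($line -split '=', 2)[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $status = if ($sids -contains $sid) { 'DENIED for group' } else { 'not denied' }
    '{0,-46} {1}' -f $denyRights[$right], $status
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

With the post's GPO applied, only "Deny log on locally" should report the group; Remote Desktop logon is governed by the separate "Deny log on through Remote Desktop Services" right. The network-logon deny must never reach the Exchange servers, since OWA and Outlook Anywhere authenticate the user with a network logon there.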