An existing user in a Windows domain was moving companies (to a parent company) that is not part of the infrastructure. After the employee left his account was to be terminated but still be able to access email only, so no login/remote access to systems, computers on the network.
By disabling the account, this would prevent authentication for Exchange needs so I couldn’t do that.
Create a Security Group
I created a new Security Group, Email Only.
I added this specific user to the newly created Security Group.
Create a Group Policy
Next, I created a new Group Policy for the domain and applied it to the Computers OU.
Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Log on Locally
I modified Deny Log on Locally policy and added my newly created Security Group, Email Only.
To test functionality, I logged on as an administrator to a PC in the domain and ran
gpupdate /force. This updates the group policy on that computer. Then I logged off and tried logging back on as the user that I added to the Security Distribution Group. Login failed, so this worked.
Next, I tested OWA, Outlook Anywhere, and Outlook. I was able to successfully authenticate and send/receive email without an issue.
Now this user has access to OWA and Outlook Anywhere or Outlook without the ability to log on locally to a computer in the domain.
Working on some thinstations with XP/IE8 today and needed to implement removal of Address/NavBar and could not find it in the GPO. Came across someone who created the magic and I will share this information.
NOTE: There is an extra line feed at the bottom; make sure you include this in your file. =)
Create a new file in notepad and save the following as
DisableIENav.adm, for example…
class user category IESettings policy "disable/hide IE command bar" keyname "softwarepoliciesmicrosoftinternet explorertoolbarsrestrictions" explain "here is the explaination" valuename "NoCommandBar" valueon numeric 1 valueoff numeric 0 end policy policy "disable/hide IE nav bar" keyname "SoftwarePoliciesMicrosoftInternet ExplorerToolbarsRestrictions" explain "here is the explaination" valuename "NoNavBar" valueon numeric 1 valueoff numeric 0 end policy end category