Restrict Access to Only Email/OWA Access

An existing user in a Windows domain was moving to the parent company, which is not part of our infrastructure.  After the employee left, his account was to be cut off from everything except email: no local login or remote access to any systems or computers on the network, but continued access to his mailbox.

Disabling the account would also block authentication to Exchange, so that was not an option.

Create a Security Group

I created a new Security Group, Email Only.


I added this specific user to the newly created Security Group.


Create a Group Policy

Next, I created a new Group Policy for the domain and applied it to the Computers OU.

Group Policy:  Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Log on Locally


I modified Deny Log on Locally policy and added my newly created Security Group, Email Only.



To test functionality, I logged on as an administrator to a PC in the domain and ran gpupdate /force.  This refreshes the group policy on that computer.  Then I logged off and tried logging back on as the user I had added to the Email Only Security Group.  Login failed, so this worked.

Next, I tested OWA, Outlook Anywhere, and Outlook.  I was able to successfully authenticate and send/receive email without an issue.

Now this user has access to OWA, Outlook Anywhere, and Outlook, without the ability to log on locally to any computer in the domain.
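The same steps as a PowerShell script, added here as an example and not code from the original post: it creates the Email Only group and membership, creates and links the GPO (the Deny log on locally right itself is still set in the GPO editor, since the GroupPolicy module has no cmdlet for User Rights Assignment), and then checks the effective policy on a test PC with secedit. The user name, GPO name and OU path are placeholders; the check also lists the RDP and network deny rights because Deny log on locally covers only the interactive console logon.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory and
# GroupPolicy modules and an elevated prompt on the test PC for secedit.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName   = 'Email Only'                        # group name from the post
$UserSam     = 'jdoe'                              # placeholder user
$GpoName     = 'Email Only - Deny Local Logon'     # placeholder GPO name
$ComputersOU = 'OU=Computers,DC=example,DC=com'    # placeholder OU path

# Steps 1-2: security group and membership.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $UserSam

# Step 3: GPO linked to the Computers OU. Add the group to
# "Deny log on locally" in the GPO editor as described above.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | New-GPLink -Target $ComputersOU | Out-Null
}

# Step 4: on a domain PC after 'gpupdate /force', read the effective rights.
# secedit writes SIDs prefixed with '*'; SeDenyInteractiveLogonRight is
# "Deny log on locally". The RDP and network deny rights are separate, so
# they are shown too: Email Only should appear there if RDP/share access
# from workstations is also meant to be blocked.
function Get-DenyRightMembers {
    param([string[]]$Rights = @('SeDenyInteractiveLogonRight',
                                'SeDenyRemoteInteractiveLogonRight',
                                'SeDenyNetworkLogonRight'))
    $cfg = Join-Path $env:TEMP 'secpol-check.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg
    foreach ($r in $Rights) {
        $line = $lines | Where-Object { $_ -like "$r = *" }
        $members = @()
        if ($line) {
            $members = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
                $id = $_.Trim().TrimStart('*')
                try { (New-Object System.Security.Principal.SecurityIdentifier $id).Translate(
                          [System.Security.Principal.NTAccount]).Value }
                catch { $id }   # keep the raw value if it is not a resolvable SID
            }
        }
        [pscustomobject]@{ Right = $r; Members = ($members -join ', ') }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
Get-DenyRightMembers | Format-Table -AutoSize
```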

