For the OP, I like this idea better than my GPO suggestion, especially if it's a one-off request.
> Properties on AD account, Account tab, "Log On To..." and enter a bogus > hostname. Voila, can't logon to any workstation but can still validate > against AD. Unless I'm missing something... > >> Date: Wed, 18 Jun 2014 09:09:43 -0700 >> Subject: RE: [NTSysADM] email access only - urgent >> From: [email protected] >> To: [email protected] >> >> Check out the GPO options :-) >> >> There's another one for "Deny Log on through Remote Desktop Services", >> and >> if you're really paranoid, you can also configure all the "DENY" >> assignments... >> >> GPO location: Computer Configuration/Windows Settings/Security >> Settings/Local Policies/User Rights Assignment >> >> I use that areas when configuring service accounts, I set those up with >> similar restrictions as you're looking for. >> >> Dave >> >> > and this will prevent local desktop access, and rdp etc..? >> > >> > >> > >> > Jean-Paul Natola >> > >> > >> > >> > >> >> Date: Wed, 18 Jun 2014 08:47:13 -0700 >> >> Subject: Re: [NTSysADM] email access only - urgent >> >> From: [email protected] >> >> To: [email protected] >> >> >> >> Easy - GPO to disallow interactive logon, point the GPO to just that >> >> user. >> >> >> >> Dave >> >> >> >> > Hi all >> >> > >> >> > Got a strange request , a user will be leaving the company and they >> >> want >> >> > him to ONLY have access to his exchange account, so no RDP, TS, >> >> desktop >> >> > logons etc.. >> >> > >> >> > >> >> > If this is possible, what is the EASIEST way to go about it? >> >> > >> >> > >> >> > >> >> > >> >> > >> >> >> >> >> >> >> >> >> > >> > >> >> >> >> > >
