Archived from groups: microsoft.public.win2000.group_policy (More info?)
Hello,
Yesterday the pointy hairs asked me to setup an email account for an
external reseller. We have exchange 2003 so the email and user
accounts are of course the same thing. As far as I am aware there is
no quick and funky method to create a user that can only access his
email and not logon to workstations. The user in question is in a
child domain. I wanted to stop the user logging on interactively
anywhere (except for OWA). So, in the Child Domain Default policy I
added the user to the "deny local logon", "deny logon as a service"
and "deny logon as a batch job". I thought that would be a catchall
for wherever the user tried to logon, however it looks like I am wrong
*grumble*
The child domain in question is in a foreign country. I am physically
seated amongst the parent domain machines. I left the policy to
propogate for a few hours, and then tried to logon locally on one of
our local parent domain machines, and it let me log straight on *more
grumbelling*. I am aware that GPO's do not cross domain boundaries,
i.e. Policys set on the parent domain are not inherited by child
domains, but I presumed that when I logged on as the child domain
user, the child domain policy would be applied to that user where ever
he logged on in the forest. It looks like I am incorrect in that
presumption, can anyone confirm that?
That being the case the only way I can envisage locking this user down
then is to add him to the default GP for all the child domains and the
parent.... Can anyone think of a better way? Or for that matter does
anyone have a good guide on what to do when you only want to give a
user access to the Exchange email facilities?
TIA.
--
Alex Griffin
Hello,
Yesterday the pointy hairs asked me to setup an email account for an
external reseller. We have exchange 2003 so the email and user
accounts are of course the same thing. As far as I am aware there is
no quick and funky method to create a user that can only access his
email and not logon to workstations. The user in question is in a
child domain. I wanted to stop the user logging on interactively
anywhere (except for OWA). So, in the Child Domain Default policy I
added the user to the "deny local logon", "deny logon as a service"
and "deny logon as a batch job". I thought that would be a catchall
for wherever the user tried to logon, however it looks like I am wrong
*grumble*
The child domain in question is in a foreign country. I am physically
seated amongst the parent domain machines. I left the policy to
propogate for a few hours, and then tried to logon locally on one of
our local parent domain machines, and it let me log straight on *more
grumbelling*. I am aware that GPO's do not cross domain boundaries,
i.e. Policys set on the parent domain are not inherited by child
domains, but I presumed that when I logged on as the child domain
user, the child domain policy would be applied to that user where ever
he logged on in the forest. It looks like I am incorrect in that
presumption, can anyone confirm that?
That being the case the only way I can envisage locking this user down
then is to add him to the default GP for all the child domains and the
parent.... Can anyone think of a better way? Or for that matter does
anyone have a good guide on what to do when you only want to give a
user access to the Exchange email facilities?
TIA.
--
Alex Griffin
hqva1dnafvf9qptttjg9h2d7pvpk5cuua@4ax.com...
Facebook
Twitter
Instagram