Allow user only email not log on to domain
Windows 2008 SP2 using Exchange 2007 SP2. Would like to only have the user access the Exchange mail via the web but not be able to log on to a domain-connected PC. Is there something I missed? I can't seem to make this work - maybe it's not possible? Thanks in advance. Note - user(s) are internal to network. Just want them to use OWA, but not log onto a PC/laptop tied to the network/domain.
July 23rd, 2010 9:19pm

Hi Franky,

One way to do it would be:

- Create a security group called "OWA Users", or whatever you like for this purpose.
- Edit the users that require OWA only, and remove all other groups, and then add the new OWA Users security group.
- In Group Policy, create a new group policy, and apply it to the OU containing all of your computers.
- For the Group Policy, edit Computer Configuration\Policies\Windows Settings\User Rights Assignment\Deny log on locally
- Define the policy, and add the "OWA Users" security group only.

Once that is done, the effect won't take place immediately until either a gpupdate is done on the PC, or the PC has been restarted.

Basically, in order for a user to log onto OWA, it still needs to authenticate with AD in order for a user to log on, so the AD account needs to be enabled.
July 23rd, 2010 11:57pm

This is one of those situations that Microsoft did not really build in a simple solution. By default, all authenticated users can log on to any workstation in your domain. There may be a better solution than this (but it is not coming to me right now).

In Active Directory create a security group of users that should be "web mail only" users. Then, create a Group Policy Object that applies to your workstations (or edit an existing one.) Edit the policy to Deny Logon Locally and ensure that the Web Mail Only group is in that policy.

I'm thinking this will achieve what you want to do, but it is going to require some AD and GPO assistance.

Jim McBee - Blog - http://mostlyexchange.blogspot.com
July 23rd, 2010 11:58pm
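
A way to confirm that the "Deny log on locally" setting described in both answers has actually reached a workstation, added here as an example that is not part of either reply. It exports the effective user rights with `secedit` and checks the `SeDenyInteractiveLogonRight` entry for the group; the group name `OWA Users` is taken from the first answer and the temp file name is an assumption.

```powershell
# Added example, not from the thread. Run elevated on a domain workstation
# after "gpupdate /force" or a restart.
param(
    [string]$GroupName = 'OWA Users',                  # name used in the first answer; yours may differ
    [string]$Right     = 'SeDenyInteractiveLogonRight' # privilege constant behind "Deny log on locally"
)

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'    # assumed scratch file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed; run from an elevated prompt.' }

try {
    # The export holds one line per right: Right = *SID,*SID,Name,...
    $line = Get-Content $cfg | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
}
finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

if (-not $line) {
    Write-Output "$Right has no accounts assigned on $env:COMPUTERNAME."
    exit 1
}

# Entries prefixed with * are SIDs; translate them to DOMAIN\Name where possible.
$accounts = foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        }
        catch { $entry }   # unresolvable SID: keep the raw value
    }
    elseif ($entry) { $entry }
}

Write-Output "$Right is assigned to: $($accounts -join ', ')"

# Compare on the account name without its DOMAIN\ prefix.
if ($accounts | Where-Object { ($_ -split '\\')[-1] -eq $GroupName }) {
    Write-Output "OK: '$GroupName' is denied local logon on $env:COMPUTERNAME."
    exit 0
}
Write-Output "MISSING: '$GroupName' is not in $Right on $env:COMPUTERNAME."
exit 1
```

"Deny log on locally" covers console logon only; Remote Desktop logon is a separate right, `SeDenyRemoteInteractiveLogonRight`, which the same script checks when that name is passed as `-Right`.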

This topic is archived. No further replies will be accepted.
