Domain Security for External OWA Users
Hello,

I am currently rolling out an Exchange 2007 server as a replacement for Merak IceWarp. I am not very experienced in this particular area and I am looking to see if there are any holes or flaws in the design and layout of my user configuration and domain security. Here is our situation...

In essence, we have 2 classes of users: Internal and External. Internal Users are users who work out of our office and who have full domain user accounts and standard domain access (~20 users). External Users are, for lack of a better description, contract/field employees that have NO domain access but require mailboxes and webmail (OWA) (~750 users).

Initially, I planned to use disabled user accounts in AD and Room Mailboxes associated with those accounts; however, disabled users cannot log into OWA, so I devised this strategy. I have my users segregated into 2 main OUs, Internal and External. Any user in the External OU is also in an External Security group as well. This is handled by a PowerShell script so that the two stay in sync at all times.

On the domain policy level I have added the following...

Policy                                          Setting
Deny access to this computer from the network   Domain\Domain External Users
Deny log on as a batch job                      Domain\Domain External Users
Deny log on as a service                        Domain\Domain External Users
Deny log on locally                             Domain\Domain External Users
Deny log on through Terminal Services           Domain\Domain External Users

This allows these users access to OWA but no access to any other network resources. Are there any further steps I should take to secure my domain? Does anyone have any further advice?

Thanks
Jeff Waskiewicz
January 13th, 2009 5:10pm

As a followup... I found out today that after applying those policies I cannot log into OWA with any of those accounts. I get a security failure in the audit log...

Logon Type: 8
Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: user
  Account Domain: XXXXX
Failure Information:
  Failure Reason: The user has not been granted the requested logon type at this machine.
  Status: 0xc000015b
  Sub Status: 0x0

...based on what I have found so far, OWA will not work with these two permissions on the Exchange Server and Domain Controllers:

Deny access to this computer from the network
Deny log on locally

If I override these, everything seems to work OK, but that seems to be rather a lot of permissions for OWA to work. Does anyone have any advice on this? I have also recently denied Remote Access on these accounts as well.
January 13th, 2009 7:14pm

Hi,

Logon type 8 is logon over the network in clear text. This is probably because you're using basic authentication on the OWA site for your external users; you probably want to enable SSL on the OWA site if you haven't already.

Logon type 8 is directly related to logon type 3, which is logon over the network; this includes access to shared folders and printers and most IIS-based logons. So the setting "Deny access to this computer from the network" on the OWA server will most likely be stopping those users logging on.

You should be able to keep those settings enabled on the domain policy and just override them on the OWA server.

Hope this helps,
Chris
January 14th, 2009 12:57pm

Hi,

Based on the current situation, I suggest you remove the policy "Deny access to this computer from the network". You can restrict all your external users to log on only to the Exchange Server remotely. Please refer to the steps below.

1. Open Active Directory Users and Computers, select and right-click all external users, and choose Properties.
2. Switch to the Account tab, click Computer restrictions, click the Log On To button, and add the Exchange server.

Thanks.
January 15th, 2009 8:39am
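Jeff's original post describes a PowerShell script that keeps the External OU and the External security group in sync, and Mervyn's reply describes the per-account "Log On To" restriction. The script below is an added example, not code from either poster, that does both steps and then audits the result. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 / RSAT or later); the OU distinguished name, the group name and the server name are placeholders to replace with your own values.

```powershell
# Added example, not a script from the thread. It implements (1) the OU-to-group
# sync Jeff describes and (2) the "Log On To" restriction Mervyn describes.
# Assumes the ActiveDirectory module; the three values below are placeholders.
Import-Module ActiveDirectory

$ExternalOU    = 'OU=External,DC=corp,DC=example'   # assumed: DN of the External OU
$ExternalGroup = 'Domain External Users'            # group name as used in the thread
$OwaServer     = 'EXCH01'                           # assumed: NetBIOS name of the Exchange/OWA server

# (1) Make the security group mirror the OU: add users that are in the OU
#     but not the group, and remove group members that have left the OU.
$ouUsers  = @(Get-ADUser -SearchBase $ExternalOU -SearchScope Subtree -Filter *)
$ouNames  = @($ouUsers | ForEach-Object { $_.SamAccountName })

$grpUsers = @(Get-ADGroupMember -Identity $ExternalGroup |
              Where-Object { $_.objectClass -eq 'user' })
$grpNames = @($grpUsers | ForEach-Object { $_.SamAccountName })

$toAdd    = @($ouUsers  | Where-Object { $grpNames -notcontains $_.SamAccountName })
$toRemove = @($grpUsers | Where-Object { $ouNames  -notcontains $_.SamAccountName })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $ExternalGroup -Members $toAdd
    Write-Host ("Added {0} user(s) to {1}" -f $toAdd.Count, $ExternalGroup)
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $ExternalGroup -Members $toRemove -Confirm:$false
    Write-Host ("Removed {0} stale member(s) from {1}" -f $toRemove.Count, $ExternalGroup)
}

# (2) Per-account "Log On To" restriction (the userWorkstations attribute):
#     the account can then only authenticate from the named computer(s), which
#     for OWA means the Exchange server that performs the logon on its behalf.
#     Only accounts whose value is not already correct are written.
$needFix = @(Get-ADUser -SearchBase $ExternalOU -SearchScope Subtree -Filter * `
                -Properties LogonWorkstations |
             Where-Object { $_.LogonWorkstations -ne $OwaServer })

foreach ($u in $needFix) {
    Set-ADUser -Identity $u -LogonWorkstations $OwaServer
}
Write-Host ("Set Log On To = {0} on {1} account(s)" -f $OwaServer, $needFix.Count)

# (3) Audit: a group member that lives outside the OU, or that has no
#     workstation restriction, is a gap in the intended containment.
Get-ADGroupMember -Identity $ExternalGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LogonWorkstations, DistinguishedName |
    Where-Object { $_.DistinguishedName -notlike "*$ExternalOU" -or
                   $_.LogonWorkstations -ne $OwaServer } |
    Select-Object SamAccountName, DistinguishedName, LogonWorkstations
```

If more than one server must be allowed (for example a second Client Access server), -LogonWorkstations takes a comma-separated list of NetBIOS computer names. The per-account restriction complements, rather than replaces, the "Deny log on" rights assigned in the domain policy; as Chris notes, the network-logon right still has to be permitted on the OWA server itself for these accounts to authenticate there.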

Thanks Mervyn, that was exactly what I was looking for, and I had totally forgotten it was there, but I think I'm already all set with the overrides on the DC for Deny Network Access and the override on the Exchange Server for Deny Network and Logon.

Thanks Chris, OWA automatically uses HTTPS, so I'm all set there as for sending passwords in plaintext.

I also set the accounts to be Denied Remote Access via VPN or Dial-in. I think this should basically give me the desired effect of locking them out of everything but OWA. If there is anything else I should add to tighten up further, I'm open to suggestions.

Thanks,
Jeff
January 15th, 2009 6:27pm
