I am attempting to create an account for an external contractor so that they can have an @domain.com
email address and access that from OWA, but not log into any server or PC on the domain.
I've tried setting the Log On To...
property to a non-existent PC, and this works in that they can't log into any PCs or servers, but they also can't log into OWA. I'm reluctant to grant them login access to the mail server, as I really want to deny them login access to any PC or server.
I'd also rather not need to use group policy to complete this, as I'd like it to only apply to this one user, and be easy to undo when/if they leave.
Thanks!
You should be using a Security Group to arbitrate this access, even if the group only ends up with having this one contractor as a member. When you need to redo this in the future for a new contractor you'll be happy you use a group.
Here's what I'd do:
This would be easy to remove if you ever need to, and easy to apply to other users (by way of grouo membership) in the future.