Fully lockdown a mailbox and his/her account

  • Question

  • My boss asked me this evening whether we could fully lock down a user's account and mailbox so they could only have read access (no ability to even send mail) to Outlook Web App and not log into any computer with the user account?  Our AD is 2008 and Exchange 2010.  

    Now I know I can disable all Mailbox Features and only allow the user access to Outlook Web App.  I know I can then set the sending message size restriction to 0KB which will not allow that user to send a single email b/c the default size of an email with just an email address is greater than 1KB.  All I would need to do is prevent NDR messages from being provided to that user saying the attempt to send failed.

    In order to deny the account the ability to log in to a computer I assume I would have to deploy a GPO for this account to deny logon locally.  Is that correct?  Would I have to add to the GPO to ensure the account cannot access any file shares or any data?

    Thanks in advance

    Jim

    Wednesday, August 10, 2011 2:25 AM

Answers

  • Hi Jim,

    You can also create one transport rule to silently drop all sent messages for all outbound mail for this user. Then he can only read his emails through OWA.


    Anil MCC 2011,ITIL V3,MCSA 2003,MCTS 2010, My Blog : http://messagingschool.wordpress.com
    • Marked as answer by JimGSox Wednesday, August 10, 2011 1:40 PM
    Wednesday, August 10, 2011 2:54 AM
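
The two Exchange-side steps from this thread (OWA as the only enabled mailbox feature, plus a transport rule that silently drops the user's outbound mail), written out for the Exchange 2010 Management Shell. This is an added example, not part of the original posts; the alias `jdoe` and the rule name are placeholders.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# Assumptions: 'jdoe' and the rule name are placeholders, not values from the thread.
$user     = 'jdoe'
$ruleName = "Silently drop mail sent by $user"

# 1. Leave Outlook Web App as the only client access path to the mailbox.
Set-CASMailbox -Identity $user `
    -OWAEnabled $true `
    -MAPIEnabled $false `
    -ActiveSyncEnabled $false `
    -PopEnabled $false `
    -ImapEnabled $false

# 2. Transport rule: delete every message this sender submits.
#    The DeleteMessage action discards the message without notifying the
#    sender or the recipients, so no NDR is generated.
#    Create the rule only if one with this name does not exist yet.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    New-TransportRule -Name $ruleName `
        -From $user `
        -DeleteMessage $true `
        -Comments 'Read-only mailbox: outbound mail is discarded'
}

# 3. Verify the resulting configuration.
Get-CASMailbox -Identity $user |
    Format-List Name, OWAEnabled, MAPIEnabled, ActiveSyncEnabled, PopEnabled, ImapEnabled

Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Format-List Name, State, Priority, From, DeleteMessage

# 4. After a test send from OWA, review what transport did with the message.
#    Without -Server this queries the server the shell is connected to.
$addr = (Get-Mailbox -Identity $user).PrimarySmtpAddress.ToString()
Get-MessageTrackingLog -Sender $addr -Start (Get-Date).AddHours(-1) |
    Sort-Object Timestamp |
    Format-Table Timestamp, EventId, Source, MessageSubject -AutoSize
```

Transport rules are evaluated in priority order, so check the `Priority` value in step 3 against any existing rules that also match this sender.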

All replies

  • Anil:

     

    Thank you for the reply, I have just confirmed that in the transport rules.  That will definitely be the best option.  

    Can you or anyone else provide confirmation regarding the AD account lockdown I suggested in my original question?

    I was thinking in addition to the deny logon locally I could also create a dummy security group that by default will have zero rights to access anything and add the account to that group.  I can then set that group as primary thus allowing me to remove the default Domain Users group.  That would ensure no file/directory access to anything on the network.

    Jim

    Wednesday, August 10, 2011 3:19 AM