A customer of ours wanted to provide a person of theirs (a subcontractor, i'd assume) with an email box, but no logon rights to any computers on their network. After putting on my thinking hat, this is what came out.
- Create a Security Group named "Email Only Users Group". If you're on Small Business Server, use the SBS Console (which does a bunch of other magic behind the scenes); if you're on Windows Server Proper, use Active Directory Users and Groups.
- If you're on Small Business Server, create a User Role from the SBS Console. Call it "Email Only User Role". Make sure that the only Security group assigned to this User Role is "Email Only Users Group".
- In Group Policy Manager, create a new GPO Object. If you're on SBS, put it in <domain>/MyBusiness/Users/SBSUsers. If you're on Windows Server Proper, put it where-ever you want your Email Only Users to be. Call it "Email Only Users Policy"
- Edit the Policy thusly
- From the Scope tab's Security Filtering, remove whatever groups there are there and add Email Only Users Group
- Edit the policy itself (right-click the policy name and choose Edit...) and enable Computer Configuration > Policies > Windows Settings > Local Policies > User Rights Assignment > Deny log on locally. To avoid typos, use the Browse button in the dialog box to add the security group <domain>Email Only Users Group into the list of groups this policy applies to. This may be an extra step, but i don't want to end up locking out everybody by mistake.
- Create a new user. If you're on SBS, give this user the role Email Only Users Role. Otherwise, just create the user (i tend to create users on an Exchage server since i then get users created along with their mailboxes) and change the group memberships to that the new user gets (only) the Email Only Users Group. If you have Distribution Groups, you can add those to the user too.
And that's about the size of it. Normal warnings and disclaimers apply :)