I'm trying to find the best solution to a security concern. I'll explain.
Our Active Directory domain has a group of users who only need access from the internet to one or more applications (typically an Exchange mailbox and/or SharePoint) and will never connect to the local network, authenticate on a domain computer, or access a file share.
They will only need to log in to the applications, but since those apps need domain users I have these accounts in AD, and I want to limit them based on the least privilege principle.
The external users are the ones I have less control over, and I want their accounts to be completely useless if stolen, for anything other than logging on to those apps.
I have considered using the "Log On To" feature in the account configuration, pointing to a single, disconnected computer, but it does not convince me.
Do you have any suggestions? I think I'm not the first to have this concern, but I could not find any real answer on the forums.
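For reference, this is how the "Log On To" restriction mentioned in the post is applied and audited in bulk with the ActiveDirectory PowerShell module. It is an added example, not part of the original post or any answer to it; the OU distinguished name and the workstation name are placeholders, and the script only sets the LogonWorkstations attribute and reports accounts where it is missing.

```powershell
# Added example (not from the original post): apply the "Log On To"
# restriction to every enabled account in an OU of external-only users
# and then audit the OU for accounts that still lack it.
# Placeholders: the OU path and the workstation name below are assumptions.
Import-Module ActiveDirectory

$ExternalOu  = 'OU=ExternalUsers,DC=example,DC=com'   # placeholder OU
$Workstation = 'EXT-NOLOGON'                           # placeholder computer name

# Set the LogonWorkstations attribute (the "Log On To" list in ADUC)
# on each enabled user in the OU.
Get-ADUser -SearchBase $ExternalOu -Filter 'Enabled -eq $true' |
    ForEach-Object {
        Set-ADUser -Identity $_ -LogonWorkstations $Workstation
    }

# Audit: report any account in the OU whose restriction is absent or
# differs from the expected value, so drift is visible.
Get-ADUser -SearchBase $ExternalOu -Filter * -Properties LogonWorkstations |
    Where-Object { $_.LogonWorkstations -ne $Workstation } |
    Select-Object SamAccountName, Enabled, LogonWorkstations
```

Running the audit part on a schedule gives a simple check that newly created external accounts do not silently escape the restriction.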