I want to create a number of "email only" users in AD. These users should not be able to log on via local or remote login, and should have no network access via shares.

The problem I am encountering is that as soon as I start restricting login access, this also impedes the user's ability to log on to the Zimbra environment (authentication fails if you deny local login via GPO or disable the account in AD).

An alternative would be to just keep these accounts out of AD and use "local authentication fallback", but I'd rather be able to manage everything from AD and not abuse a few locally created Unix accounts for this.

Any ideas?