Given the complexities you mention, your best option is probably to set a
group policy that allows that account to log on only to the Exchange
Server/DC (ouch). There are group policy user rights assignment settings
such as "Allow log on locally", "Deny log on locally", "Log on as a
service", "Deny ...
group policy that allows that account to log on only to the Exchange
Server/DC (ouch). There are group policy user rights assignment settings
such as "Allow log on locally", "Deny log on locally", "Log on as a
service", "Deny ...
[ more ]