If you ever wonder what the best way to create a user is, but only enable his mailbox without letting him login to domain ,the best way is to prevent the "logon localy" permission with GPO.