Create OWA only user with no access to workstations

Create user as per usual, then:

1. Create new security group

2. Add user to security group

3. Group Policy Management: Create new Group Policy Object linked at root of domain

4. Right Click and choose edit.
Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

5. Double-click “Deny log on locally”

6. Click “Add User or Group” and add the group you created in step 1. Apply.

7. Wait for Group Policy synchronisation or gpupdate /force on computers.

Source: ServerFault