Hiding Global Address Lists (GAL) with Exchange 2007
Quite often organizations perform acquisitions, spin off sections of a company, or simply use Exchange to provide web hosting. A question that comes up often is: how do I segment my address lists so that users only see a particular Global Address List?
The answer to this question has two parts:
1. If users only use OWA to access Exchange, we must modify an attribute on each user account to restrict the GAL they see.
When a user logs on to their mailbox via OWA, the Exchange server performs the directory lookup on their behalf, so an ACL on the address list would not take effect for OWA. That is why we must set the msExchQueryBaseDN attribute on their user object.
Note: this comes with a consequence: users will not be able to see any of the other address lists that have been created.
2. When users access their mail with Outlook, lookups are done in the user's own security context, so ACLs must be used to deny users access to particular Global Address Lists.
Let's walk through configuring these steps.
Let's take a look at the current address lists we have in Exchange.

Let's create two new Global Address Lists.
Exchange 2007 only allows the creation of a Global Address List via EMS.
The first GAL I created is called Hawaii and is based on Custom Attribute 15 = HW.
The second GAL I created is called Main_Land and is based on Custom Attribute 15 = ML.
Let's verify our GALs have been created; we can do this in EMS with the Get-GlobalAddressList cmdlet or view the lists in EMC.
I then set Custom Attribute 15 on my test user accounts. This can be done in bulk with EMS, but since I am only demoing a few users I did this manually.
Now that we have created two new Global Address Lists and set Custom Attribute 15 on some users so they populate the new lists, let's see what our users would see before we make any changes.
I am going to log on to OWA with my Jodie.Bartos account, which is part of the Main_Land GAL.
As you can see, we can view all the address lists that have been created, but our goal is to restrict this account to a particular address list. To do this we must set the msExchQueryBaseDN attribute on the user object.
Open Adsiedit (the Support Tools need to be installed).
Expand the Configuration container –> Services –> Microsoft Exchange –> Exchange Org –> Address Lists Container –> All Global Address Lists –> select the address list (in my case Main_Land).
Right-click –> Properties on the GAL.
Select the distinguishedName attribute (this will give you the DN of the GAL).
Now that we have the DN of the address list we can scope the user down to this address list.
Note: you can scope down to an OU or another object; refer to KB http://support.microsoft.com/kb/817218. For this blog we are scoping to an address list.
To do this we again use Adsiedit to set an attribute on our user object, or script it; for this blog I am going to use Adsiedit.
Open Adsiedit –> Domain container –> find your user –> Properties.
Enter the DN of the address list into msExchQueryBaseDN; for me this is:
CN=Main_Land,CN=All Global Address Lists,CN=Address Lists Container,CN=Exchange-Genie,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=VM,DC=Local
Now that we have set this attribute, let's see the result when I log on to OWA with my user account.
We now see only the Main_Land GAL and no other address lists.
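The whole OWA part of the procedure (create the two GALs, tag the users, write msExchQueryBaseDN) can be scripted in the Exchange Management Shell instead of clicking through Adsiedit, which is also the answer to "how do I do this for 1500 users". The script below is an added example and not the article's own; it assumes Exchange 2007 EMS, the org name Exchange-Genie and domain VM.Local from the article, and invented OU names (VM.Local/Hawaii Users, VM.Local/Mainland Users) as the source of which users get which tag.

```powershell
# Added example, not the article's script. Assumptions: run in the Exchange 2007
# Management Shell as an admin who can write user attributes; org name and domain
# as in the article; the OU paths in $sourceOus are invented for this example.
$orgName  = 'Exchange-Genie'
$configDn = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$galContainer = "CN=All Global Address Lists,CN=Address Lists Container,CN=$orgName,CN=Microsoft Exchange,CN=Services,$configDn"

# GAL name -> CustomAttribute15 value, exactly as the article sets them up.
$gals = @{ 'Hawaii' = 'HW'; 'Main_Land' = 'ML' }

# Which users get which tag (assumed OUs; a CSV of aliases would work just as well).
$sourceOus = @{ 'VM.Local/Hawaii Users' = 'HW'; 'VM.Local/Mainland Users' = 'ML' }

# 1. Create the GALs (EMS only; there is no EMC option in Exchange 2007).
#    AllRecipients also pulls in distribution groups; MailboxUsers would omit them.
$existing = Get-GlobalAddressList | ForEach-Object { $_.Name }
foreach ($name in $gals.Keys) {
    if ($existing -notcontains $name) {
        New-GlobalAddressList -Name $name -ConditionalCustomAttribute15 $gals[$name] -IncludedRecipients AllRecipients
    }
}

# 2. Tag the users in bulk instead of editing each one by hand.
foreach ($ou in $sourceOus.Keys) {
    Get-Mailbox -OrganizationalUnit $ou -ResultSize Unlimited |
        Set-Mailbox -CustomAttribute15 $sourceOus[$ou]
}

# 3. Scope each tagged user's OWA directory lookups to their GAL by writing
#    msExchQueryBaseDN (the attribute the article sets per user in Adsiedit).
foreach ($name in $gals.Keys) {
    $galDn = "CN=$name,$galContainer"
    $tag   = $gals[$name]
    Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute15 -eq '$tag'" | ForEach-Object {
        $user = [ADSI]"LDAP://$($_.DistinguishedName)"
        $user.Put('msExchQueryBaseDN', $galDn)
        $user.SetInfo()
    }
    # Recalculate membership so the new list is populated right away.
    Update-GlobalAddressList -Identity $name
}

# 4. Verify: every tagged mailbox must carry the DN of its own GAL. A user whose
#    msExchQueryBaseDN points elsewhere would see either nothing or the wrong list.
$tagToGal = @{}
foreach ($name in $gals.Keys) { $tagToGal[$gals[$name]] = $name }
Get-Mailbox -ResultSize Unlimited -Filter { CustomAttribute15 -ne $null } | ForEach-Object {
    $mailbox  = $_
    $expected = "CN=$($tagToGal[$mailbox.CustomAttribute15]),$galContainer"
    $actual   = ([ADSI]"LDAP://$($mailbox.DistinguishedName)").Get('msExchQueryBaseDN')
    if ($actual -ne $expected) {
        Write-Warning "$($mailbox.Alias): msExchQueryBaseDN is '$actual', expected '$expected'"
    }
}
```

The verification loop at the end is the part worth keeping around: msExchQueryBaseDN is a per-user attribute with nothing else enforcing it, so a mailbox created later without the attribute silently falls back to seeing everything.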
Restricting Outlook
The section above only handles OWA address list views and will not affect an Outlook user; the following section walks you through the second step, restricting Outlook users to a particular GAL.
Restricting an Outlook user to a particular GAL is done with ACLs, and we will use Adsiedit to apply the permissions.
Let's log on with my Jodie.Bartos account and see what we see in Outlook before we modify the permissions.

To make applying ACLs easier, I am going to create two Universal Security Groups and apply the permissions to these groups, so that restricting a new user's address list is just a matter of adding them to the group.
I created a second group for the Hawaii address list as well.
Open Adsiedit and apply Deny Read and Deny Open Address List to the GAL_Mainland group on our Default Global Address List.
You will see a popup warning you about the deny; click Yes.
It can take some time before the change takes effect for the user; to speed up my process I rebooted my server to clear the cache.
Now let's open Outlook with our Jodie account.
You can see that we now only see the Main_Land GAL that was created.
We still have the ability to see the other address lists that have been created, but those can be denied in the same way the Default Global Address List was denied.
Since this account can still see All Users, let's put a deny on that.
We once again get our popup warning about the deny.
Now you can see we no longer have access to the All Users list.
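The deny ACEs from the Outlook part can be applied and, more importantly, audited from PowerShell rather than Adsiedit. The script below is an added example and not the article's own; it assumes the org name Exchange-Genie and domain VM from the article, that the groups GAL_Mainland (from the article) and GAL_Hawaii (assumed) already exist as Universal Security Groups, and that the "Open Address List" extended right can be found in the Extended-Rights container by its cn Open-Address-Book or displayName Open Address List (an assumption; adjust the filter if your schema names it differently).

```powershell
# Added example, not the article's script. Assumptions: PowerShell with domain access
# as an account allowed to write the ACL on address list objects; org name and domain
# from the article; GAL_Mainland exists (article), GAL_Hawaii is assumed to exist.
$domainNetbios = 'VM'
$orgName       = 'Exchange-Genie'
$configDn      = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$listRoot      = "CN=Address Lists Container,CN=$orgName,CN=Microsoft Exchange,CN=Services,$configDn"
$defaultGalDn  = "CN=Default Global Address List,CN=All Global Address Lists,$listRoot"
$allUsersDn    = "CN=All Users,CN=All Address Lists,$listRoot"

# Resolve the GUID of the "Open Address List" control access right from the schema
# instead of hard-coding it. Assumption: cn or displayName as in the filter below.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configDn"
$searcher.Filter = '(&(objectClass=controlAccessRight)(|(cn=Open-Address-Book)(displayName=Open Address List)))'
$right = $searcher.FindOne()
if (-not $right) { throw 'Open Address List extended right not found; check the filter.' }
$openAddressListGuid = [Guid]$right.Properties['rightsguid'][0]

# Deny Read and Deny Open Address List for one group on one address list object,
# the same two ACEs the article sets by hand in Adsiedit.
function Deny-AddressListAccess {
    param([string]$ListDn, [string]$GroupAccount)
    $list     = [ADSI]"LDAP://$ListDn"
    $identity = New-Object System.Security.Principal.NTAccount($GroupAccount)
    $deny     = [System.Security.AccessControl.AccessControlType]::Deny
    $readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $deny)
    $openRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $deny, $openAddressListGuid)
    $list.psbase.ObjectSecurity.AddAccessRule($readRule)
    $list.psbase.ObjectSecurity.AddAccessRule($openRule)
    $list.psbase.CommitChanges()
}

# List the explicit Deny ACEs on an address list object so the result can be checked
# (and re-checked later: a deny removed by a well-meaning admin reopens the list).
function Get-AddressListDenies {
    param([string]$ListDn)
    $list = [ADSI]"LDAP://$ListDn"
    $list.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

# Both segmented groups lose the default GAL and the All Users list, as in the article.
foreach ($group in 'GAL_Mainland', 'GAL_Hawaii') {
    $account = "$domainNetbios\$group"
    Deny-AddressListAccess -ListDn $defaultGalDn -GroupAccount $account
    Deny-AddressListAccess -ListDn $allUsersDn   -GroupAccount $account
}

Get-AddressListDenies -ListDn $defaultGalDn
Get-AddressListDenies -ListDn $allUsersDn
```

The same caveat as the Adsiedit popup applies: a deny ACE wins over any allow, so a member of GAL_Mainland who is also a member of an administrative group that is allowed to read the default GAL still loses access. Note also that these ACEs only govern online lookups; cached-mode Outlook reads the Offline Address Book, which needs its own treatment.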
New MS article walking through the configuration:
http://technet.microsoft.com/en-us/exchange/bb936719.aspx
October 28th, 2007 at 11:30 pm
Good start! Let’s have some more on assigning different GALs. What do I do if I simply want to assign GALs by pre-existing criteria like Company? Will ADSIEdit be required, or is there another route for that?
October 29th, 2007 at 1:13 pm
I want to clarify your question just to make sure I understand. You do not need to apply restrictions if you want a user to be a member of an address list or GAL.
In my example I created a new GAL called Main_Land and used CustomAttribute15.
Exchange 2007 uses OPATH filtering (http://msexchangeteam.com/archive/2007/03/12/436983.aspx) and address lists can be created with filters like Company, State, etc.
However, to restrict address lists you must use one of the two methods mentioned in the article.
November 14th, 2007 at 11:52 am
Is your guidance for Exchange 2003 too? I have been searching a long time for this on Exchange 2003.
regards
walter
November 14th, 2007 at 6:34 pm
Walter….
Yes, this will work for Exchange 2003; if you look at the KB link I have in my article, the opening paragraph talks about Exchange 2000 on.
Brian
November 15th, 2007 at 5:20 am
hi brian,
Yes, works fine. Only one part is missing, I think.
Outlook in cached mode works with offline address books; the solution is done the same way as in your guide, I think.
regards
walter
November 15th, 2007 at 1:28 pm
Walter,
You are correct, perms would have to be applied to the OAB as well to cover all angles.
Maybe I will add it to my article at the end.
Brian
January 15th, 2008 at 11:12 am
I tried this with Exchange 2007 SP1, and when I log on with the Outlook 2007 client I get “the bookmark is not valid” when trying to view the GAL. Even though my security group has permission to its alternate GAL, it tries to load the default and fails with that error. Any suggestions on what I’m doing wrong? Is there a way to specifically tell Exchange/Outlook to show xxx GAL for xxx user(s)?
January 25th, 2008 at 6:24 am
Brian
I have exactly the same issue as Mr. Anonymous with my Exchange 2007 SP1 environment. When using the Outlook client (2007) and trying to connect to the Address Book I also get “The bookmark is not valid”.
Any help would be appreciated!
Does anyone know if Microsoft released an article on how to do this with Exchange 2007?
Regards,
Juan
January 25th, 2008 at 1:32 pm
Post me your email address; I will not post it online but will send you an email about what you have done so far.
Are you scoping to the address list or OU?
January 30th, 2008 at 3:28 am
Yes, I have the same problem. I’m wanting to block our students from seeing the GAL, just the addresses we wish to show. All the students are set up in their OUs, so hopefully that will make it that little bit easier. Can you advise?
February 1st, 2008 at 1:57 pm
Hello.
I solved the same problem by this post:
Use ADSIEdit.msc to add the distinguished names of the organization AL/GAL to the showInAddressBook attribute of users, contacts, and distribution lists in the organization.
April 18th, 2008 at 1:52 pm
This is great. How would I modify these instructions to add an additional GAL, in addition to the default GAL? Thanks
May 6th, 2008 at 10:51 am
thanks for information
September 16th, 2008 at 11:09 pm
This is a great article and was immensely helpful to me. One quick question though. I created security groups to manage the address list access and it works well for the GALs. However, all of our organization’s Address Lists still show up under “All Address Lists” even though I have denied “Read” and “Open Address List” rights. The user cannot open the address list and see the users within, but I would prefer they not see the list at all. Have any suggestions?
Thanks,
Zach
October 6th, 2008 at 1:13 pm
Thanks for this info you’ve provided. Not a diversion, but how does one set/modify custom attributes in bulk? I have about 1500 students and am certainly not looking forward to doing that manually. Thanks in advance.
October 6th, 2008 at 7:14 pm
You would have to write a script to do that, and I do not have one handy to pass on.
Since you are a school, have you thought about Exchange Labs at all for the students?
http://technet.microsoft.com/en-us/exchangelabshelp/bb847823.aspx
Currently it’s free and allows you to host in the cloud or split between local and remote; it may save you a lot of work, and it’s a simple mailbox move to get the users to the cloud.
October 27th, 2008 at 3:48 am
Hi Genie,
I’m very interested in your article “Hiding Global Address Lists (GAL) with Exchange 2007”, and I have tested it on a virtual machine with VMware and it is working fine!
But when I view the Global Address List from the Outlook panel I receive an alert message ‘the bookmark is not valid’, the same one as just published on your dashboard by another user: “I tried this with Exchange 2007 SP1 and when I log on with the Outlook 2007 client I get “the bookmark is not valid” when trying to view the GAL. Even though my security group has permission to its alternate GAL it tries to load the default and fails with that error. Any suggestions on what I’m doing wrong? Is there a way to specifically tell Exchange/Outlook to show xxx GAL for xxx user(s)?”
Could you please help me to overcome this issue?
Best regards
October 30th, 2008 at 9:10 am
This is very helpful, but can anyone tell me how I can have a certain address book appear as the default for a certain set of users, rather than the Outlook default of ‘Global Address Book’. I don’t want to stop these users having the ability to pick the GAL or other address books from the drop down. I just want their address book to appear for them first. I know this can be done client side, but how about from server side?
October 30th, 2008 at 10:34 am
A user can have only one GAL. You can create sub address lists within that GAL and default to that view; however, one GAL is all they get.
October 31st, 2008 at 7:56 am
Everyone will be using the same GAL, but that will be split into different departments. What I want is for the specific departments to have their address list appear first rather than the default, which is the top of the GAL. I know you can change address book views within Outlook, but how can I do this from the server side?
October 31st, 2008 at 8:15 am
Easy enough, that is a client-side setting: OL 2007 – Tools – Address Book – Tools – Options.
You will see “Show this address list first”;
that is what users will see first.
October 31st, 2008 at 12:58 pm
So it can only be done client side, no way of doing it via some sort of mailbox or group policy?
October 31st, 2008 at 3:02 pm
I would have to check the GPO settings for OL to see, but on the Exchange server side I don’t know of any way to just change the view unless.
January 15th, 2009 at 4:56 am
I also get the error “The bookmark is not valid” on my clients. Could you post the reason and a solution for this ?
regards
Armin
March 3rd, 2009 at 5:06 am
I’m getting “the bookmark is not valid” as well. Is there a solution for the problem?
Thanks, Ruud
March 14th, 2009 at 8:43 am
Nice writeup, very informative post. Keep up the good work.
I have a special question: how can we hide ALL GALs from users? I want users to build their local Address Book themselves (the same as Hotmail & Gmail).
Thanks for your help.
March 19th, 2009 at 5:42 pm
That is an interesting requirement; I am curious why you would not want a GAL and only users’ local contacts?
March 20th, 2009 at 4:37 am
OK, I have created a new GAL as you stated, and moved the students to their new GAL. However, both teachers and students are getting the new GAL as default. Is there a way to change this so that students get the new Students_gal, and teachers get the Default GAL when they launch OWA?
March 22nd, 2009 at 11:41 am
It was a requirement from my Big Big Boss…
We are deploying the solution in a very secure environment, and we have to hide all contacts and GALs, so only authorised people can get the contacts of other users.
I know it’s a difficult concept; hope you can help.
May 15th, 2009 at 8:28 am
I work with Outlook 2003 as email client with cached mode enabled, and after following the steps explained for restricting Outlook I can’t see any of the GALs that I created. In OWA all is OK.
I added the GALs created to the Offline Address Book via EMS with the command:
Set-OfflineAddressBook -AddressLists {List of new GALs}
What am I doing wrong?
May 27th, 2009 at 1:45 pm
This solution is incredible, thanks a lot!
But I have one problem: I only see users in my limited GAL… Is there a way to see distribution lists (groups) too?
Please, somebody answer…
Thanks…
June 8th, 2009 at 1:44 am
hm.. thank you ))
June 15th, 2009 at 10:07 am
Hi everybody,
I solved the problem with the distribution lists using this command when creating the new GAL:
New-GlobalAddressList -ConditionalCustomAttribute15 Test -Name Test -IncludedRecipients AllRecipients
Now I’m using the value AllRecipients for the parameter -IncludedRecipients.
With this it works fine…
Thanks
August 27th, 2009 at 5:32 pm
Did any one have any issues with being able to view a contact’s properties in OWA after implementing this solution?
For example, I have 2 segregated orgs … A-Team and B-Team. If someone in A-Team sends a message to another user in A-Team, then viewing the sender’s contact properties is no issue. However, if someone in A-Team sends a message to a user in the B-Team org, the B-Team users cannot view the sender’s contact properties of the A-Team user (in OWA). The message received when trying to view the properties is “Unable to retrieve properties”.
I have a third org that is not segregated and there appear to be no issues at all with viewing contact properties of either the A- or B-Team contact. This only appears to be with the segregated orgs.
Please advise on how I might resolve.
September 3rd, 2009 at 4:00 pm
Ya know, all you have to do is make a new list in the GUI of Exchange, then edit msExchQueryBaseDN for the user using the ADSIEdit tool to place the new DN in msExchQueryBaseDN for the list you just created.
An example.
1) Open the Exchange console.
2) Make a new address list and ensure your filter settings are correct. In my case I used Custom Attribute 1 as my ‘filter’.
3) Modify the user account (also using the Exchange UI) to make Custom Attribute 1 the same as the setting you just set in the address list.
4) Using the ADSIEdit tool, find the address list you just made in Configuration –> Services –> Microsoft Exchange –> your Exchange org (usually the only option) –> Address Lists Container –> All Address Lists. Right-click your list name and select Properties.
5) Find the field titled distinguishedName and copy the contents of the string.
6) Find your users using the ADSIEdit tool (explained above).
7) Change the user’s msExchQueryBaseDN field to the content copied in step 5.
You’re done.
September 9th, 2009 at 1:15 am
I used adsiedit.msc to edit the Default Global Address List’s properties.
I added a universal security group to the Default Global Address List and denied ‘Read’ and ‘Open Address List’; afterwards the Default Global Address List cannot be found, the option is hidden.
I hope you can give me some advice about how to find the option (Default Global Address List).
Thank you very much!
I am looking forward to your response.
Elaine
September 10th, 2009 at 11:18 am
What a brilliant article.
Thanks so much for your help.
October 28th, 2009 at 12:35 pm
What a helpful article!
Thanks a lot, good job
November 13th, 2009 at 6:03 pm
In Exchange 2003 do not add any GALs to the Offline Address Book configuration. If you do, the OAB will show EVERYONE.
If you want OAB to only display specific addresses, you have to base the OAB on an Address List. Not on any Global Address List.
This is documented in some MS KBs.
So basically you have to do double work:
1. create a custom GAL for Outlook Online mode
2. create a custom AL that has the same exact filter as the custom GAL.
3. Create an OAB based on the custom AL.
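The three steps in the comment above, carried out for an Exchange 2007 organization with EMS cmdlets, as an added example that is not the commenter's or the article's script. It assumes the Main_Land GAL from the article already exists with CustomAttribute15 = ML, and the names Main_Land AL and Main_Land OAB are invented for the example. New-AddressList and New-OfflineAddressBook are the Exchange 2007 cmdlets for an address list and an OAB; Set-Mailbox -OfflineAddressBook assigns the OAB to a mailbox.

```powershell
# Added example, not the commenter's or the article's script. Assumptions: Exchange
# 2007 Management Shell; the Main_Land GAL (CustomAttribute15 = ML) already exists;
# the address list and OAB names below are invented for this example.
$tag      = 'ML'
$alName   = 'Main_Land AL'
$oabName  = 'Main_Land OAB'

# 2. Custom address list with exactly the same filter as the Main_Land GAL.
#    Cached-mode Outlook never consults the GAL ACLs; it downloads the OAB, so the
#    OAB must be built from a list that already contains only the right people.
New-AddressList -Name $alName -ConditionalCustomAttribute15 $tag -IncludedRecipients AllRecipients
Update-AddressList -Identity $alName

# 3. OAB based on that address list (not on the GAL), generated and assigned to the
#    tagged mailboxes so cached-mode clients download this one instead of the default.
New-OfflineAddressBook -Name $oabName -AddressLists $alName
Update-OfflineAddressBook -Identity $oabName
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute15 -eq '$tag'" |
    Set-Mailbox -OfflineAddressBook $oabName

# Check: the OAB must be built from the custom AL only, and every tagged mailbox must
# point at it; a mailbox left on the default OAB still downloads everyone's address.
Get-OfflineAddressBook -Identity $oabName | Select-Object Name, AddressLists
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute15 -eq '$tag'" |
    Where-Object { $_.OfflineAddressBook -ne $oabName } |
    Select-Object Alias, OfflineAddressBook
```

Until the client has downloaded the new OAB (on the next OAB sync cycle), cached-mode Outlook keeps showing the previously downloaded list, so test with a fresh download rather than concluding the restriction has failed.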
April 5th, 2010 at 7:09 am
[...] http://www.exchange-genie.com/2007/10/hidding-global-address-lists-gal-with-exchange-2007/ [...]
August 7th, 2010 at 10:29 am
Great post! Maybe you could do a follow up on this topic?
August 27th, 2010 at 10:24 am
Excellent post, just one question about OWA. I work at a college and need to hide our staff GAL and other address lists from student users and just list the GAL they are a member of. I have edited the msExchQueryBaseDN attribute for a single user and that works fine. How do I assign this attribute to the rest of the student users (we have over 3000) without having to edit each individual user’s attribute?
Thanks in advance
September 5th, 2010 at 6:48 pm
You would have to write a script, there is no easy way.
September 9th, 2010 at 6:46 pm
What would this script look like? Can I do it in the shell easily? Or do you have a test script?
September 15th, 2010 at 2:04 am
Brody, download ADModify, it will let you modify attributes for all users at once.
September 15th, 2010 at 10:43 pm
Quick question: I am trying to add a user in Outlook (Exchange 2007) and can’t see the user that has a hidden account/GAL. Is there a way that I can have them show up so I can add them without them being in the default GAL?
This user has 2 accounts on the same SBS 2008 server but in 2 different MX records and with different logon accounts. They are both hidden from each other, so when I try to add them in Outlook it only sees what is in the default GAL. How do I see this hidden account?
Thanks…
September 26th, 2011 at 7:14 pm
Great Job,
Thanks a lot
Regards
May 2nd, 2012 at 6:33 am
Thanks for the writeup. Have another question though on the default GAL…
We have consolidated multiple businesses into one big Exchange 2007 environment.
However, all these users have their default address list (Show this address list first) set to a specific BU address list, instead of the Global Address List. Now we have to manually correct this in Outlook.
Do you know of an easier way to correct this for all the users by GPO or some setting in Exchange?
Thanks,
Hab
May 2nd, 2012 at 7:02 am
You have to script it in Ex 2007; however, if you upgrade to Exchange 2010 there is a new feature in SP2 called ABS (Address Book Segmentation) that was created for multi-tenancy and is as easy as applying a policy to a set of users: http://technet.microsoft.com/en-us/library/hh529930.aspx
May 7th, 2012 at 7:15 am
Glad you replied. Cannot move to 2010 right now.
Can you help me with the script? Is it a VB script… can it be applied through Group Policy?
Habeeb
May 15th, 2012 at 1:33 am
Just a reminder… do you have any script already available for Ex2007?