Hiding Global Address Lists (GAL) with Exchange 2007
Quite often organizations perform acquisitions, spin off sections of a company, or just use Exchange to provide web hosting. One question that comes up often is: how do I segment my address lists so that users only see a particular Global Address List?

The answer to this question has 2 parts:

1. If users are only using OWA to access Exchange, we must modify an attribute on each user account to restrict the GAL that is seen.

When a user logs onto their mailbox via OWA, the Exchange server performs the directory lookup on their behalf, so applying an ACL would not work for OWA. This is why we must modify the msExchQueryBaseDN attribute on their user object.

Note: this comes with a consequence: users scoped this way will not be able to see any of the other address lists that have been created.

2. When users use Outlook to access their mail, lookups are done in the user's own security context, so ACLs need to be used to deny users access to particular Global Address Lists.

Let's walk through configuring these steps:

Let's take a look at the current address lists we have in Exchange.


Let's create 2 new Global Address Lists.

Exchange 2007 only allows the creation of Global Address Lists via the Exchange Management Shell (EMS).

The first GAL I created is called Hawaii and is based on custom attribute 15 = HW.

The second GAL I created is called Main_Land and is based on custom attribute 15 = ML.

Let's verify our GALs have been created. We can do this in the EMS via the Get-GlobalAddressList cmdlet, or view the lists in the EMC.

I then set Custom Attribute 15 on my test user accounts. This can be done in bulk with the EMS; however, since I am only demoing with a few users, I did this manually.

Now that we have created 2 new Global Address Lists and set Custom Attribute 15 on some users so they populate the new address lists, let's see what our users would see before we make any changes.
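The same steps (create the two GALs, stamp Custom Attribute 15, verify membership) from the EMS, as an added example rather than the commands used in this post. It assumes the GAL names and attribute values given above (Hawaii = HW, Main_Land = ML); the mailbox aliases other than Jodie.Bartos are placeholders.

```powershell
# Added example, not the post's own commands. Run in the Exchange Management Shell.
# Assumptions: GAL names/values from the post; "placeholder.user*" aliases are invented.

# Exchange 2007 has no EMC option for creating GALs, so they are created here.
# A precanned filter (MailboxUsers) combined with a Conditional* attribute keeps
# the membership rule simple and visible in Get-GlobalAddressList output.
New-GlobalAddressList -Name "Hawaii"    -IncludedRecipients MailboxUsers -ConditionalCustomAttribute15 "HW"
New-GlobalAddressList -Name "Main_Land" -IncludedRecipients MailboxUsers -ConditionalCustomAttribute15 "ML"

# Stamp the attribute in bulk from a hashtable of alias -> site code (constructed sample).
$siteCodes = @{
    "Jodie.Bartos"      = "ML"
    "placeholder.user1" = "HW"
    "placeholder.user2" = "ML"
}
foreach ($alias in $siteCodes.Keys) {
    Set-Mailbox -Identity $alias -CustomAttribute15 $siteCodes[$alias]
}

# Push the new membership into the lists now instead of waiting for the
# scheduled address list update.
Update-GlobalAddressList -Identity "Hawaii"
Update-GlobalAddressList -Identity "Main_Land"

# Verify: list the GALs (the DistinguishedName is needed later for msExchQueryBaseDN)
# and preview which recipients match each list's filter.
Get-GlobalAddressList | Format-Table Name, RecipientFilter, DistinguishedName -AutoSize
foreach ($galName in "Hawaii", "Main_Land") {
    $gal = Get-GlobalAddressList -Identity $galName
    Write-Host "Recipients matching $galName :"
    Get-Recipient -RecipientPreviewFilter $gal.RecipientFilter |
        Format-Table Name, CustomAttribute15 -AutoSize
}
```

The preview step is worth keeping: a GAL whose filter matches nobody, or matches everybody because the attribute was left blank, looks identical in the EMC until a user complains.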

I am going to log on with my Jodie.Bartos account in OWA; this account is a member of the Main_Land GAL.

As you can see, we can view all the address lists that have been created, but our goal is to restrict this account to a particular address list. To do this we must set the msExchQueryBaseDN attribute on the user object.

Open ADSI Edit (the Windows Support Tools need to be installed).
Expand the Configuration container –> Services –> Microsoft Exchange –> Exchange Org –> Address Lists Container –> All Global Address Lists –> select the address list (in my case Main_Land).

Right-click –> Properties on the GAL.

Select the distinguishedName attribute (this will give you the DN of the GAL).

Now that we have the DN of the address list, we can scope the user down to this address list.

Note: you can also scope down to an OU or another container; refer to KB http://support.microsoft.com/kb/817218. For this blog we are scoping to an address list.

To do this we need to use ADSI Edit again to set an attribute on our user object (or script it). For this blog I am going to use ADSI Edit.

Open ADSI Edit –> Domain container –> find your user –> Properties.

Input the DN of the address list into msExchQueryBaseDN. For me this would be:
CN=Main_Land,CN=All Global Address Lists,CN=Address Lists Container,CN=Exchange-Genie,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=VM,DC=Local
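For the "or script it" option, here is an added example (not from the original post) that writes msExchQueryBaseDN from the EMS. It resolves the GAL DN from Exchange instead of copying it out of ADSI Edit, which avoids a typo in the long CN=...,CN=Configuration,... path; the user and GAL names are the ones used in this post, and the function name Set-GalScope is my own.

```powershell
# Added example, not the post's own script. Run in the Exchange Management Shell
# (needs Get-GlobalAddressList and Get-User); the [ADSI] write uses plain LDAP.
# Assumptions: user "Jodie.Bartos" and GAL "Main_Land" from the post;
# Set-GalScope is a hypothetical helper name.

function Set-GalScope {
    param(
        [Parameter(Mandatory = $true)] [string] $UserIdentity,   # alias, UPN or DN
        [Parameter(Mandatory = $true)] [string] $GalName
    )

    # Look the GAL up by name so the DN is always the real one.
    $gal = Get-GlobalAddressList -Identity $GalName
    if (-not $gal) { throw "Global Address List '$GalName' not found" }

    $user = Get-User -Identity $UserIdentity
    if (-not $user) { throw "User '$UserIdentity' not found" }

    # Bind to the user object over LDAP and write the attribute.
    $adUser = [ADSI]("LDAP://" + $user.DistinguishedName)
    $adUser.Put("msExchQueryBaseDN", $gal.DistinguishedName)
    $adUser.SetInfo()

    # Read it back so the caller can confirm what OWA is now scoped to.
    $adUser.RefreshCache()
    return $adUser.Get("msExchQueryBaseDN")
}

# Scope Jodie to the Main_Land GAL and show the value that was written.
Set-GalScope -UserIdentity "Jodie.Bartos" -GalName "Main_Land"

# To undo the scoping, clear the attribute (1 = ADS_PROPERTY_CLEAR):
# $u = [ADSI]("LDAP://" + (Get-User "Jodie.Bartos").DistinguishedName)
# $u.PutEx(1, "msExchQueryBaseDN", $null); $u.SetInfo()
```

Because the value is a DN into the Configuration partition, a renamed or deleted GAL silently breaks the scope, so it is worth re-running the read-back after any address list clean-up.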

Now that we have set this attribute, let's see the results when I log on to OWA with my user account.

We now see only the Main_Land GAL and no other address list.

Restricting Outlook
The above section only handles OWA address list views and will not affect an Outlook user. The following section will walk you through how to perform the 2nd step and restrict Outlook users to a particular GAL.

Restricting an Outlook user to a particular GAL is done with ACLs, and we will use ADSI Edit to apply the permissions.

Let's log on with my Jodie.Bartos account and see what we see in Outlook before we modify the permissions.


To make applying ACLs easier, I am going to create 2 Universal Security Groups and apply the permissions to these groups, so that any new user can simply be added to the appropriate group to restrict their address list.

I created a 2nd group for the Hawaii address list as well.

Open ADSI Edit and apply Deny Read and Deny Open Address List for the GAL_Mainland group on our Default Global Address List.

You will see a popup warning you about the Deny entry; click Yes.

It can take some time before the change takes effect for the user; to speed up my process I rebooted my server to clear the cache.

Now let's open Outlook with our Jodie account.

You can see that we now only see the Main_Land GAL that was created.

We still have the ability to see the other address lists that have been created, but those can be denied in the same way the Default Global Address List was denied.

Since this account can still see the All Users list, let's put a Deny on that as well.

We once again get our popup warning about the Deny.

Now you can see we no longer have access to the All Users list.
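The group creation and both Deny entries (Default Global Address List and All Users) can be applied from the EMS with Add-ADPermission. This is an added example, not the commands used in this post. It assumes the group names GAL_Mainland / GAL_Hawaii and the list names from the post; "VM" as the domain NetBIOS name and "vm.local/Users" as the target OU are placeholders, and the schema name of the "Open Address List" extended right (Open-Address-Book) is an assumption to confirm in your own forest.

```powershell
# Added example, not the post's own commands. Run in the Exchange Management Shell.
# Assumptions: group and list names from the post; "VM" and "vm.local/Users" are
# placeholders; the extended right name is an assumption (see comment below).

# 1. Create the universal security groups (Exchange 2007's New-DistributionGroup
#    -Type Security creates a mail-enabled universal security group).
foreach ($g in "GAL_Mainland", "GAL_Hawaii") {
    if (-not (Get-Group -Identity $g -ErrorAction SilentlyContinue)) {
        New-DistributionGroup -Name $g -Type Security -SamAccountName $g -OrganizationalUnit "vm.local/Users"
    }
}
Add-DistributionGroupMember -Identity "GAL_Mainland" -Member "Jodie.Bartos"

# 2. Deny a group Read and Open Address List on one address list.
#    GenericRead is the "Read" checkbox in the ACL editor. The extended right is
#    shown as "Open Address List" in the ACL editor; its schema name is assumed
#    here to be Open-Address-Book. Confirm with Get-ADPermission before relying on it.
function Deny-AddressListAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $ListIdentity,
        [Parameter(Mandatory = $true)] [string] $Group
    )
    # "All Users" is a normal address list; the GAL needs the other cmdlet.
    $list = Get-AddressList -Identity $ListIdentity -ErrorAction SilentlyContinue
    if (-not $list) { $list = Get-GlobalAddressList -Identity $ListIdentity }
    if (-not $list) { throw "Address list '$ListIdentity' not found" }

    Add-ADPermission -Identity $list.DistinguishedName -User $Group -Deny -AccessRights GenericRead
    Add-ADPermission -Identity $list.DistinguishedName -User $Group -Deny -ExtendedRights "Open-Address-Book"
}

Deny-AddressListAccess -ListIdentity "Default Global Address List" -Group "VM\GAL_Mainland"
Deny-AddressListAccess -ListIdentity "All Users"                   -Group "VM\GAL_Mainland"

# 3. Verify the Deny entries landed. Outlook caches address list access, so the
#    ACL can be correct here while the client still shows the old view for a while.
$galDn = (Get-GlobalAddressList -Identity "Default Global Address List").DistinguishedName
Get-ADPermission -Identity $galDn -User "VM\GAL_Mainland" |
    Format-Table User, Deny, AccessRights, ExtendedRights -AutoSize
```

Keep the Deny entries on groups rather than individual users, as the post does: a Deny ACE on a user object is easy to forget when that user moves between sites, whereas group membership is visible in one place and can be reviewed.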

New MS article walking through the configuration:
http://technet.microsoft.com/en-us/exchange/bb936719.aspx
