Hiding Global Address Lists (GAL) with Exchange 2007
Quite often organizations perform acquisitions, spin off sections of a company, or simply use Exchange to provide hosted mail. One question that comes up often is: how do I segment my address lists so that users only see a particular Global Address List?
The answer to this question has 2 parts:
1. If users are only using OWA to access Exchange, we must modify an attribute on each user account to restrict the GAL that is seen.
When a user logs on to their mailbox via OWA, the Exchange server performs the directory lookup on their behalf, so applying an ACL would not work for OWA. This is why we must modify the msExchQueryBaseDN attribute on their user object.
Note: this comes with a consequence: once scoped, users will not be able to see any of the other address lists that have been created.
2. When users use Outlook to access their mail, lookups are done in the user's own security context, so ACLs need to be used to deny users access to particular Global Address Lists.
Let's walk through configuring these steps.
Let's take a look at the current address lists we have in Exchange.
Exchange 2007 only allows the creation of Global Address Lists via the EMS.
Let's verify our GALs have been created; we can do this in the EMS via the Get-GlobalAddressList cmdlet or by viewing the lists in the EMC.
I then set Custom Attribute 15 on my test users' accounts. This can be done in bulk with the EMS, however since I am only demoing a few users I did this manually.
Now that we have created 2 new Global Address Lists and set Custom Attribute 15 on some users so they populate the new address lists, let's see what our users would see before we make any changes.
I am going to log on to OWA with my Jodie.Bartos account, which is a member of the Main_Land GAL.
As you can see, we can view all the address lists that have been created, but our goal is to restrict this account to a particular address list. In order to do this we must set the msExchQueryBaseDN attribute on the user object.
Open ADSI Edit (the Support Tools need to be installed).
Expand the Configuration container –> Services –> Microsoft Exchange –> <Exchange Org> –> Address Lists Container –> All Global Address Lists –> select the address list (in my case Main_Land).
Right-click –> Properties on the GAL.
Select the distinguishedName attribute (this will give you the DN of the GAL).
Now that we have the DN of the address list, we can scope the user down to this address list.
Note: you can also scope down to an OU or another object; refer to KB http://support.microsoft.com/kb/817218. For this blog we are scoping to an address list.
To do this we again use ADSI Edit to set an attribute on our user object (or script it); for this blog I am going to use ADSI Edit.
Input the DN of the address list into msExchQueryBaseDN. For me this would be:
CN=Main_Land,CN=All Global Address Lists,CN=Address Lists Container,CN=Exchange-Genie,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=VM,DC=Local
Now that we have set this attribute, let's see the results when I log on to OWA with my user account.
We now see only the Main_Land GAL and no other address list.
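The same attribute change done in bulk from the EMS, as an added example (my script, not code from the original post): it assumes the value placed in Custom Attribute 15 is the GAL name (Main_Land or Hawaii) and reads each GAL's DN back from Exchange rather than retyping the long CN= path by hand, since a typo in that DN silently breaks OWA address lookups for the user.

```powershell
# Added example (not from the original post): bulk-set msExchQueryBaseDN
# so that OWA users tagged in CustomAttribute15 only see "their" GAL.
# Assumptions: run in the Exchange 2007 Management Shell; each
# CustomAttribute15 value below names an existing GAL of the same name.
$galNames = @('Main_Land', 'Hawaii')   # constructed sample values

foreach ($galName in $galNames) {
    # Read the DN from the GAL object instead of hand-typing it.
    $gal = Get-GlobalAddressList -Identity $galName -ErrorAction SilentlyContinue
    if ($gal -eq $null) {
        Write-Warning "GAL '$galName' not found, skipping"
        continue
    }
    $galDn = $gal.DistinguishedName

    $mailboxes = Get-Mailbox -ResultSize Unlimited `
                 -Filter "CustomAttribute15 -eq '$galName'"
    foreach ($mbx in $mailboxes) {
        # msExchQueryBaseDN is not exposed by Set-Mailbox in Exchange 2007,
        # so bind to the user object through ADSI and write it directly.
        $user = [ADSI]("LDAP://" + $mbx.DistinguishedName)
        $current = $user.Properties["msExchQueryBaseDN"].Value
        if ($current -eq $galDn) {
            Write-Host "$($mbx.Alias): already scoped to $galName"
            continue
        }
        $user.Put("msExchQueryBaseDN", $galDn)
        $user.SetInfo()

        # Read the value back from AD so the log shows what was stored.
        $user.RefreshCache()
        $stored = $user.Properties["msExchQueryBaseDN"].Value
        if ($stored -eq $galDn) {
            Write-Host "$($mbx.Alias): scoped to $galName"
        } else {
            Write-Warning "$($mbx.Alias): write did not stick (got '$stored')"
        }
    }
}
```

Re-run it after adding new users to a GAL; mailboxes already scoped are skipped, so it is safe to schedule.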
The above section only handles OWA address list views and will not affect an Outlook user. The following section will walk you through how to perform the 2nd step and restrict Outlook users to a particular GAL.
Restricting Outlook users to a particular GAL is done with ACLs, and we will use ADSI Edit to apply the permissions.
Let's log on with my Jodie.Bartos account and see what we see in Outlook before we modify the permissions.
To make applying ACLs easier, I am going to create 2 Universal Security Groups and apply the permissions to these groups, so that any new user can simply be added to the group to restrict their address list.
I created a 2nd group for the Hawaii address list as well.
Open ADSI Edit and apply Deny Read and Deny Open Address List to the GAL_Mainland group on our Default Global Address List.
It can take some time before the change takes effect for the user; to speed up my process I rebooted my server to clear the cache.
You can see that we now only see the Main_Land GAL that was created.
We still have the ability to see the other address lists that have been created, but those can be denied in the same way the Default Global Address List was denied.
Since this account can still see the All Users list, let's put a deny on that as well.
We once again get our pop-up warning about the deny.
A new Microsoft article walks through this configuration!