Exchange 2010 GAL Restrictions
I run an Exchange 2010 SP1 server (NON-hosting mode) and I am hosting several companies on it. Everything is running fine and we have a GAL for each company that is not visible by the other companies. Each GAL has a Recipient filter like so:

"((CustomAttribute1 -eq 'company1') -and (Alias -ne $null))"

Like I mentioned before, this works great until we add BES into the mix. BES requires the user 'besadmin' to view ALL the accounts under all companies. Therefore we added a 'Super-GAL' that has a Recipient filter of:

"RecipientType -eq 'UserMailbox'"

This in effect solves the BES problem but renders all the mailboxes visible to users in Outlook. In OWA, only the company's Addressbook is visible but in Outlook you also have the option to select 'GAL' and that's where they see them all.

Is there any way to only allow user 'besadmin' access to this 'Super-GAL'? Is there any way to block regular clients from accessing this 'Super-GAL'?

Thank you!
August 29th, 2011 4:04pm

Not sure what you are doing is supported in non-hosting mode. Note that GAL segmentation will be built-in to 2010 SP2: http://blogs.technet.com/b/exchange/archive/2011/01/27/gal-segmentation-exchange-server-2010-and-address-book-policies.aspx
August 29th, 2011 4:13pm

I understand that support for my config is a gray area, but what do you think about these two questions:

Is there any way to only allow user 'besadmin' access to this 'Super-GAL'? Is there any way to block regular clients from accessing this 'Super-GAL'?

Aka, can you give only some users access to read a GAL?
August 29th, 2011 4:31pm

This is possible with a lot of effort setting ACLs on several objects, BUT, I would not do it. Be patient and wait for SP2 as Andy mentioned.

lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
August 29th, 2011 9:05pm

OK, I have this solved and it was rather easy. Like I mentioned, I already had several GALs for each company and I needed a 'Super-GAL' for besadmin that would still be invisible to everyone else.

Run: AdsiEdit.msc

Browse down to: Services -> Microsoft Exchange -> your organization -> Address Lists Containers -> All Global Address Lists -> right-click on your 'Super-GAL' and select Properties -> Security tab.

I proceeded to stop the inheritance of permissions. I then removed the 'Everyone' account and changed 'Authenticated users' to 'besadmin'. Et voila. Now besadmin is the only one that can view this 'Super-GAL'.
August 30th, 2011 5:24pm
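
An added example, not part of the original thread: one way to check the result of the ACL change described above from the Exchange Management Shell. It lists the allow entries on the 'Super-GAL' object and flags any that still belong to a broad principal or arrive through inheritance. The names 'Super-GAL' and 'besadmin' come from the thread; the domain wildcard and the list of broad principals are assumptions.

```powershell
# Added example: audit who can still read the 'Super-GAL' address list object.
# Run in the Exchange Management Shell on Exchange 2010.
$galName  = 'Super-GAL'      # name used in the thread
$expected = '*\besadmin'     # assumption: domain is unknown, so match any domain prefix
# Assumption: principals that should no longer hold rights on this list.
$broad    = 'Everyone', 'NT AUTHORITY\Authenticated Users'

$gal = Get-GlobalAddressList -Identity $galName -ErrorAction Stop

# Collect every allow ACE on the address list object in the configuration partition.
$entries = Get-ADPermission -Identity $gal.DistinguishedName |
    Where-Object { -not $_.Deny } |
    Select-Object @{ n = 'Trustee'; e = { [string]$_.User } },
                  IsInherited,
                  @{ n = 'Rights'; e = {
                        (@($_.AccessRights) + @($_.ExtendedRights) |
                            Where-Object { $_ }) -join ', ' } }

$entries | Sort-Object Trustee | Format-Table -AutoSize -Wrap

# A broad principal left on the ACL means every mailbox user can still open the list.
$stillBroad = @($entries | Where-Object { $broad -contains $_.Trustee })
foreach ($e in $stillBroad) {
    Write-Warning "Broad principal still has access: $($e.Trustee) [$($e.Rights)]"
}

# Inherited ACEs mean inheritance was not actually disabled on this object,
# so permissions set on the parent container can reappear here.
$inherited = @($entries | Where-Object { $_.IsInherited })
if ($inherited.Count -gt 0) {
    Write-Warning "$($inherited.Count) inherited entries found; inheritance is still enabled."
}

# The account that needs the list must be present, or BES loses its view.
$hasExpected = @($entries | Where-Object { $_.Trustee -like $expected }).Count -gt 0
if (-not $hasExpected) {
    Write-Warning "No allow entry found for $expected on '$galName'."
}

if ($stillBroad.Count -eq 0 -and $inherited.Count -eq 0 -and $hasExpected) {
    "OK: '$galName' has no broad or inherited allow entries and $expected is present."
}
```

Entries for administrative and Exchange system groups will normally also appear in the table; review them by hand, since the script only flags the two broad principals named in its list.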

And I think you don't need to create a "Super-GAL"; you just need to modify the security permissions on each address list and grant the read and open address list permissions on all the address lists to besadmin.
September 1st, 2011 5:05am

Hi Last1 - I'm very interested in how you have set up segregated GALs in EX 2010 SP1 non-hosting. I know it's not supported, but can you detail what you have done to achieve this? Thanks
September 4th, 2011 3:11am

This topic is archived. No further replies will be accepted.
