Restricting GAL Views
Hello all, I was wondering how I would go about restricting UserA from seeing UserB in the Global Address Book? Is there a simple way of accomplishing this? Every walkthrough I've seen has said to create multiple OABs and adjust permissions through ADSIEdit, which seems excessive for what seems to be a simple issue. Thanks for your time! - Adam
November 21st, 2008 11:59pm
Hi Adam,
It's not possible to restrict the GAL view for a single user; however, you can follow the articles below on shared hosting and separating a GAL for a list of users, if those help you in some way.
Shared Hosting with Exchange 2003 (Part 1)
http://www.msexchange.org/tutorials/Shared_Hosting_Exchange_2003_Part1.html
Shared Hosting with Exchange 2003 (Part 2)
http://www.msexchange.org/tutorials/Shared-Hosting-Exchange-2003-Part2.html
November 22nd, 2008 8:04pm
Hi Adam,
So far as I know, the only way, as you mentioned, is to create another GAL and adjust permissions. For your reference, I have included the steps for a similar situation:
There are some special contacts and you only want some users to be able to view them in the GAL.
Step 1: Modify Custom Attributes of the special contacts
========================================================
1. In Active Directory Users and Computers, right-click the user account which you don't want to be seen by some users and click Properties
2. Click the "Exchange Advanced" tab and then click "Custom Attributes"
3. Double-click "extensionAttribute1", type in a word you want to use to mark this special account and click Ok. For example, you can type in "special".
4. Click Ok twice to close the dialog boxes.
5. Add the custom attribute for all such special users
Step 2: Create a new GAL
========================
Create a new GAL which doesn't include these special accounts.
1. In Exchange System Manager (ESM), expand Recipients -> All Global Address Lists
2. Right-click "All Global Address Lists", point to New and click "Global Address List"
3. Type in a name for this address list and click "Filter Rules"
4. In the Find box, select "Custom Search" and click the "Advanced" tab
5. Type in "(&(mailnickname=*)(!(extensionAttribute1=special)))" (without the quotation marks) and click Ok
Step 3: Change the permissions of All GALs
==========================================
1. In ESM, right-click All Global Address Lists and click Properties
2. Click the Security tab and click the Advanced button
3. Uncheck the "All inheritable permissions" option, click Copy and click Ok
4. For any warning messages you receive, just click Yes.
5. Remove the Anonymous Logon, Everyone and Authenticated Users entries
6. Re-add Authenticated Users and grant them List Object so they can access the sub-folders
Step 4: Change the permissions on the Default GAL
=================================================
1. Add all users who have permissions to view these special accounts to a group, for example: Group1
2. Right-click the Default Global Address List and click Properties
3. Click the Security tab, click the Advanced button and uncheck the "All inheritable permissions" option
4. Remove the Anonymous Logon, Everyone and Authenticated Users
5. Add Group1 which can view all contacts and click Ok
Step 5: Change the permissions of the GAL you created
=====================================================
1. Create a group and add all users to this group except the group you created in Step 4. For example: Group2
2. Right-click the GAL you created in Step 2 and click Properties
3. Click the Security tab, click the Advanced button and uncheck the "All inheritable permissions" option
4. Remove the Anonymous Logon, Everyone and Authenticated Users
5. Add Group2 into the list and click Ok
If the Outlook profile works in Cached Mode, the users download the Offline Address Book (OAB) and query the OAB rather than the GAL. In this situation, you also need to perform the following steps:
1. Create a new Offline Address List and select the Default GAL to include in this OAB
2. Right-click the Default Offline Address List and click Properties
3. In the Address Lists, remove "Default Global Address List" and add the one you created in Step 2.
4. Create a Mailbox Store for the users in Group1 and move their mailboxes to this mailbox store
5. Right-click the new mailbox store and click Properties
6. On the General tab, click Browse beside "Offline address list"
7. Select the new OAB you created and click Ok
NOTE: The OAB on the clients synchronizes with the Exchange server every 24 hours. After you perform the above change, it may not take effect on the clients at once.
Hope it helps. Thanks,
Elvis
November 25th, 2008 12:41pm
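To check exactly which directory objects the Step 2 filter admits before relying on it, here is a small added evaluator (example code written for this thread, not part of the original posts or of Exchange): it parses the filter and runs it over a constructed set of sample accounts, applying Active Directory's case-insensitive string matching so that an account tagged "Special" is hidden as well.

```python
import re

# Constructed sample objects (not from the thread): each dict holds the
# subset of AD attributes the address-list filter inspects. Keys are
# lower-cased because LDAP attribute names are case-insensitive.
DIRECTORY = [
    {"cn": "Alice", "mailnickname": "alice", "extensionattribute1": None},
    {"cn": "Bob", "mailnickname": "bob", "extensionattribute1": "special"},
    {"cn": "Printer Room", "mailnickname": None, "extensionattribute1": None},  # not mail-enabled
    {"cn": "Carol", "mailnickname": "carol", "extensionattribute1": "Special"},
]


def parse(s, i=0):
    """Parse one parenthesised LDAP filter starting at s[i]; return (node, next_index)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":                      # AND / OR over a list of sub-filters
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    if s[i] == "!":                       # NOT over exactly one sub-filter
        node, i = parse(s, i + 1)
        return ("!", [node]), i + 1
    end = s.index(")", i)                 # simple (attr=value) item
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def matches(node, obj):
    """Evaluate a parsed filter node against one directory object."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, obj) for k in node[1])
    if kind == "|":
        return any(matches(k, obj) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], obj)
    _, attr, value = node
    actual = obj.get(attr)
    if actual is None:                    # absent attribute never matches, even "attr=*"
        return False
    if value == "*":                      # presence test
        return True
    # AD Unicode-string attributes compare case-insensitively; '*' is a wildcard
    pattern = ".*".join(re.escape(p) for p in value.split("*"))
    return re.fullmatch(pattern, actual, re.IGNORECASE) is not None


def gal_members(ldap_filter, directory=DIRECTORY):
    """Return the cn of every object the address-list filter would include."""
    tree, _ = parse(ldap_filter)
    return [o["cn"] for o in directory if matches(tree, o)]
```

Running the thread's filter over the sample set returns only Alice: Bob and Carol are excluded by the tag, and the non-mail-enabled object fails the mailnickname presence test.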