Separate and Secure Address Lists
I'm working on separating our address list into two companies although we will be using the same Exchange server. I'm following this article: http://technet.microsoft.com/en-us/exchange/bb936719(EXCHG.80).aspx

I've gone through the whole thing and it works, but I have a minor issue. The document basically has you deny access to the "Address Lists Container", then allow at lower levels. The end result being that you are able to download the address books via OAB and view the GAL. The "All Addresses" container and below are not visible if you go out of cached mode.

Has anyone done this setup before? I'm looking for those with experience in doing this. Exchange 2007, two forests: Exchange in one and the new company in another, with a trust.

David Jenkins
August 29th, 2011 2:53pm

Only tried to do this in a lab. Personally I think it's a mess doing all the ACLing. I would wait for GAL. There exist other ways of doing the ACLs to get the same result, but it's still the same mess without proper script and setup. The difference with your setup is that you use multiple domains, which I didn't. Can't say that I remember all details of how it looked for end users in Outlook. I would go through all settings in the article again. If it's still the same I would try to create a couple of dummy orgs + users in the same domain as Exchange is in.

lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
August 29th, 2011 5:00pm

It does feel like a mess. I'm going over it again and again just to make sure I haven't missed anything. I don't think I have. I'd love to be able to wait until I can deploy Exchange 2010 and Service Pack 2, which will contain a built-in method for doing this. Unfortunately I have deadlines to be met. :( Right now I'm trying this article to see if it produces better results: http://www.heavens-reach.com/component/content/article/169-exchange-2010-sp1-address-list-segregation

David Jenkins
August 29th, 2011 5:03pm

Exchange 2010 SP2 and address book policies would be my suggestion, but since you're running Exchange 2007 it's kind of far away ;-) Remember though that doing a simple LDAP query against AD would bypass the segregation in Exchange.

lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
August 29th, 2011 5:12pm

Yes, it's understood. I've separated the companies in different forests. I'm hoping that will fix the OWA GAL thing since the "Authenticated Users" scope is limited to the forest.

David Jenkins
August 29th, 2011 5:14pm

So using separate domains doesn't cure anything with OWA. I have to designate the msExchQueryBaseDN. This kind of sucks for my scenario because I don't want both companies to see each other but I can only limit the new company. Our domain structure has a root domain and 3 sub domains. The new domain is just a root domain. Because the disabled linked accounts are in my existing domain I have to limit the scope in that domain, but I have so many other OUs for the existing company it would be really hard to change that structure. Too bad I can't add multiple DNs. So the end result is everyone in the old domain can see the new company but the new company can't see the old one.

David Jenkins
August 30th, 2011 11:05am

I was wrong. Just found an article that shows you can point the msExchQueryBaseDN to any address list. http://support.microsoft.com/kb/817218

David Jenkins
August 30th, 2011 11:06am
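
An added example, not part of the thread: a PowerShell audit that lists mail-enabled users whose msExchQueryBaseDN is missing or does not point at the address list intended for their company, since an unset value leaves OWA searching the whole directory. The search root and the expected address list DN are constructed placeholders, and the script assumes it is run by an account that can read the attribute.

```powershell
# Added example: audit msExchQueryBaseDN on mail-enabled users under one search root.
# Both DNs below are constructed placeholders; substitute your own values.
$searchRoot   = 'LDAP://OU=NewCompany,DC=example,DC=com'
$expectedBase = 'CN=NewCompany GAL,CN=All Global Address Lists,CN=Address Lists Container,' +
                'CN=ExampleOrg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=example,DC=com'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]$searchRoot
# Mail-enabled user objects only (includes the disabled linked accounts).
$searcher.Filter     = '(&(objectCategory=person)(objectClass=user)(mailNickname=*))'
$searcher.PageSize   = 500   # page results so large OUs are not cut off at the server limit
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('msExchQueryBaseDN')

$report = foreach ($entry in $searcher.FindAll()) {
    # Property names in search results are returned in lower case.
    $name = [string]$entry.Properties['samaccountname'][0]
    $base = $null
    if ($entry.Properties.Contains('msexchquerybasedn')) {
        $base = [string]$entry.Properties['msexchquerybasedn'][0]
    }

    # NotSet     = OWA is not scoped for this user at all
    # Unexpected = scoped, but to something other than the intended address list
    $status = if (-not $base) { 'NotSet' } elseif ($base -ieq $expectedBase) { 'OK' } else { 'Unexpected' }

    New-Object PSObject -Property @{ User = $name; Status = $status; QueryBaseDN = $base }
}

# Show only the accounts that need attention.
$report |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Status, User |
    Format-Table User, Status, QueryBaseDN -AutoSize
```

Run it once per company with that company's search root and expected DN. It only checks the OWA scoping attribute, not the address list ACLs or direct LDAP access.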

This topic is archived. No further replies will be accepted.