Separate Global Address Lists for Different Domains

Posted on 2004-11-09
Last Modified: 2008-01-09
I have several domains hosted on a single Exchange Server 2003, and I need to separate the global address lists for each domain.  I understand the concepts but I'm not sure about the execution.  I found MS KB822940 linked in an answer here.  That solution says to implement separate OUs and use those for list population and permissions.  This is where I start to have questions.

Can I just use the domains themselves instead of OUs since I am segregating strictly by domain?  If so, how do you implement that?

Also, I created new global lists to test with and followed the instructions to deny access to the default global list.  However, after logging off and back on, I still have access to the default list in Outlook and cannot see the new lists.  Any ideas about that?


Question by:TheTennMan

    Expert Comment

    Perhaps instead of setting up different GALs you could just modify the msExchQueryBaseDN value.

    This is a per-user setting, but if you set this to the OU of the user, they will only see addresses associated with their OU and below.

    This value is listed in adsiedit, but can be updated with a Windows script like the following:
    Option Explicit

    Call SetExchQueryBaseDN("Joe Blow", "hostedOUname", NULL)

    Function SetExchQueryBaseDN(svUserName, svCustomerName, svDivision)
          'This function restricts the user account so that it can only search for Exchange related objects in its own OU
          'If the user is an employee of a division, pass that name in svDivision, otherwise set that parameter to NULL

          Dim objDSE, objUser
          Dim svParentOU
          Set objDSE = GetObject("LDAP://rootDSE") 'Connect to the base domain

          If IsNull(svDivision) Then
                'Customer OU directly under OU=Hosting
                svParentOU = "OU=" & svCustomerName & ",OU=Hosting," & objDSE.Get("defaultNamingContext")
          Else
                'Division OU nested under the customer OU
                svParentOU = "OU=" & svDivision & ",OU=" & svCustomerName & ",OU=Hosting," & objDSE.Get("defaultNamingContext")
          End If
          Set objUser = GetObject("LDAP://CN=" & svUserName & "," & svParentOU)
          objUser.Put "msExchQueryBaseDN", svParentOU
          objUser.SetInfo 'Commit the change to Active Directory; without SetInfo the attribute is never written
          'msgbox objUser.msExchQueryBaseDN
          Set objUser = Nothing
          Set objDSE = Nothing

    End Function

    This will set the property on the user that you defined in the first line, in the OU "hostednameou".

    This script also assumes that the parent OU is "Hosting". Change these settings as necessary and you should be all set.

    Expert Comment

    Also, if you wanted to set the domain to be the delimiting factor instead of the OU in creating different GALs, you need to be using a UPN for each domain.

    You would then modify the filter for each GAL similar to the following:

    On the filter rules, choose Modify/Add, then the Advanced tab, choose the "Find" drop down, choose Custom Search. Click on the "Field" drop down and choose User/Logon Name. Then choose "Ends with" as the condition, and the value "". This would set up a GAL policy that only returns users.

    Author Comment

    You're thinking along the same lines that I am, athelu.  I was actually using the end of the e-mail address to filter the list, so the logon name does the same thing.  My problem is that I can't get the query to return more than the users.  I'm missing my distribution groups.

    When you build your query through the GUI, it won't let you use an "OR".  It uses "AND" for everything.  Therefore, I can't return one list based on "users from" and distribution groups based on some other criterion.

    I want to keep this question separate in its focus from another question that I have open.  That one focuses on the ability to modify LDAP queries and submit them to Exchange to build a list.

    I don't know that I can do anything differently with the second suggestion.  However, can I set the DN for users and groups with the first example and return all of them in a single list with the first suggestion?  Is this something I'd have to run with every directory change or can it be set to update the list automatically?


    Accepted Solution

    With the first example, you would not create any additional Address Lists. What this does is tell LDAP that when this user opens the address book, to only return results from this point forward. Therefore, any groups or contacts that were in the same OU (or below) would be presented. The only time that this would have to be updated would be if you changed the OU name of the customer. If you added additional folders for organization under the customer OU (i.e. contacts, resources) they would automatically appear in the customer's address list.

    What we have done is just created two separate scripts, one that creates the OU and sets the security, then another that creates the user, assigns rights, and sets the msExchQueryBaseDN. This is how we create our customer and user objects. So basically this process is only done when we sign up new customers. We manually fire the script that creates the OU and security in AD. Then we have attached the other script to a web based logon form that captures the input and fires off the vbs file to create the users in AD.
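An added audit example (not from this thread or either participant) for the approach in the accepted solution: given an export of user DNs and their msExchQueryBaseDN values, it flags accounts whose query base is unset, wider than their own customer OU, or points at another customer's OU, any of which would expose more of the GAL than intended. The hosting layout OU=<customer>,OU=Hosting,<domain> follows the script above; the domain and sample records are constructed.

```python
import re

DOMAIN_DN = "DC=example,DC=com"            # constructed domain
HOSTING_DN = "OU=Hosting," + DOMAIN_DN     # parent OU assumed by the script above

def split_dn(dn):
    """Split a DN into normalised RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r'(?<!\\),', dn)]

def is_ancestor(base, dn):
    """True if base equals dn or is a container above dn."""
    b, d = split_dn(base), split_dn(dn)
    return len(b) <= len(d) and d[len(d) - len(b):] == b

def customer_ou(user_dn):
    """Customer OU directly under OU=Hosting that holds user_dn, or None."""
    parts, host = split_dn(user_dn), split_dn(HOSTING_DN)
    if not is_ancestor(HOSTING_DN, user_dn) or len(parts) <= len(host):
        return None
    return ",".join(parts[len(parts) - len(host) - 1:])

def audit(records):
    """Return (userDN, finding) for each account whose query base is not
    confined to its own customer OU (a division sub-OU of it is fine)."""
    findings = []
    for user_dn, base in records:
        cust = customer_ou(user_dn)
        if cust is None:
            findings.append((user_dn, "not under OU=Hosting"))
        elif not base:
            findings.append((user_dn, "msExchQueryBaseDN unset: sees whole GAL"))
        elif not is_ancestor(cust, base):
            findings.append((user_dn, "query base not within own customer OU"))
    return findings

SAMPLE = [  # constructed export of (userDN, msExchQueryBaseDN)
    ("CN=Joe Blow,OU=Acme,OU=Hosting,DC=example,DC=com", "OU=Acme,OU=Hosting,DC=example,DC=com"),
    ("CN=Ann Lee,OU=Sales,OU=Acme,OU=Hosting,DC=example,DC=com", "OU=Sales,OU=Acme,OU=Hosting,DC=example,DC=com"),
    ("CN=Bob Ray,OU=Globex,OU=Hosting,DC=example,DC=com", ""),
    ("CN=Cy Dee,OU=Globex,OU=Hosting,DC=example,DC=com", "OU=Hosting,DC=example,DC=com"),
    ("CN=Di Oh,OU=Initech,OU=Hosting,DC=example,DC=com", "OU=Acme,OU=Hosting,DC=example,DC=com"),
    ("CN=Admin,CN=Users,DC=example,DC=com", ""),
]

if __name__ == "__main__":
    for dn, why in audit(SAMPLE):
        print(dn, "->", why)
```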

    Author Comment
    Even though I will use two new lists, one for users and one for groups, with the Outlook clients, I will modify the DNs for users accessing their accounts through OWA.  Once I have a chance to work with the DNs to deal with OWA address lists, I'll probably go back and change settings for local client access as well.

    Thanks again!
