
Can I deny access to the global address list

Posted on 2006-03-31
Last Modified: 2008-02-01
Hi, I hope you can help.

I have recently put a couple of Exchange 2003 boxes into a school, one as a front-end server for webmail and the other as a back-end server. All the pupils in the school have an AD user account and an associated mailbox that they are only able to access through webmail via the front-end server. The teachers and the admin staff at the school also have AD accounts and use Outlook to connect directly to the back-end Exchange server.

What I now need to do is lock down the address lists so that none of the pupils can access any contact information on the staff. I need to do this while making sure that the teachers and admin staff can see any address on the address lists including all the pupils and the pupils can see the other pupils contact details.

All of the user accounts are in the same domain. I know that I can hide the teachers' addresses from the GAL but this won't achieve the result I need. What I'm hoping I can do is create a 'teachers' address list and a 'pupils' address list and deny the pupils read access on the 'teachers' address list. Is this possible?

Thanks
Question by:tlcsupport
LVL 12

Accepted Solution

by:
Rant32 earned 375 total points
ID: 16344619
Yes, there was an interesting article on msexchange.org a while back that handles security on the GAL for different companies using the same Exchange server. This will apply to your situation as well.

Part 1: http://www.msexchange.org/tutorials/Shared_Hosting_Exchange_2003_Part1.html
Part 2: http://www.msexchange.org/tutorials/Shared-Hosting-Exchange-2003-Part2.html

The key you're looking for is in Part 2:

"The Exchange hiding game is done mostly by implementing permissions. Outlook will use the first Global Address List and Offline Address list that the user has permissions for."

Good luck.
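The permission-based approach Rant32 points at above, as an added example (editor's code, not from the thread or from the msexchange.org articles). It puts a Deny ACE for the pupils group on each address list they must not open, then dumps the resulting ACEs so you can check them. Assumptions, all placeholders: the organisation name SchoolOrg, the list names Teachers and Default Global Address List, and the group SCHOOL\Pupils. The extended right being denied is assumed to be the AD schema's "Open-Address-Book" control access right (rightsGUID a1990816-4298-11d1-ade2-0000f8798a6e), which is what Exchange System Manager shows as "Open Address List" on an address list's Security tab. Run it from any domain-joined machine with Windows PowerShell as an account that can write to the Exchange configuration container.

```powershell
# Added example, not from the original thread. All DNs and the group name are
# placeholders; the rightsGUID below is assumed to be the "Open Address List"
# permission (Open-Address-Book control access right in the AD schema).
Add-Type -AssemblyName System.DirectoryServices

$openAddressBook = [Guid]"a1990816-4298-11d1-ade2-0000f8798a6e"
$configDn = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
$orgDn    = "CN=SchoolOrg,CN=Microsoft Exchange,CN=Services,$configDn"          # placeholder
$listsToDeny = @(
    "CN=Teachers,CN=All Address Lists,CN=Address Lists Container,$orgDn",       # placeholder
    "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,$orgDn"
)
$pupilGroup = "SCHOOL\Pupils"                                                   # placeholder

function Deny-OpenAddressList {
    param([string]$ListDn, [string]$Account)
    # Resolve the group to a SID and write an explicit Deny ACE for the
    # Open-Address-Book extended right on the address list object itself.
    $sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                [System.Security.Principal.SecurityIdentifier])
    $list = [ADSI]"LDAP://$ListDn"
    $ace  = New-Object System.DirectoryServices.ExtendedRightAccessRule(
                $sid, [System.Security.AccessControl.AccessControlType]::Deny, $openAddressBook)
    $list.psbase.ObjectSecurity.AddAccessRule($ace)
    $list.psbase.CommitChanges()
}

function Get-OpenAddressListAces {
    param([string]$ListDn)
    # Check step: list every ACE (explicit and inherited) on the object that
    # refers to the Open-Address-Book right, resolved to account names.
    $list = [ADSI]"LDAP://$ListDn"
    $list.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.ObjectType -eq $openAddressBook } |
        Select-Object @{n = "List"; e = { $ListDn.Split(",")[0] }}, IdentityReference, AccessControlType
}

foreach ($dn in $listsToDeny) { Deny-OpenAddressList -ListDn $dn -Account $pupilGroup }
$listsToDeny | ForEach-Object { Get-OpenAddressListAces -ListDn $_ } | Format-Table -AutoSize
```

Two things to watch. Because Outlook opens the first GAL the user has permission for, denying the Default Global Address List only makes sense if there is another GAL (a pupils-only one) the pupils can still open, otherwise they get no address book at all. And, as the later comments in this thread show, these ACEs govern MAPI clients; the OWA address-book search in Exchange 2003 is scoped separately, so test both clients before rolling out.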
LVL 1

Author Comment

by:tlcsupport
ID: 16399264
Thanks for the reply. I have tried locking this down with permissions and it doesn't appear to work. I have found the below article on the Microsoft knowledge base and I have applied this to a test user. The user was unable to read from the global address list. I think I will be able to work with this solution but the only problem now is that I need to apply it to about 500 users. Does anyone know of a way to do this with ADSIedit?

Cheers

http://support.microsoft.com/?kbid=272197
LVL 12

Expert Comment

by:Rant32
ID: 16399439
Groups?
LVL 1

Author Comment

by:tlcsupport
ID: 16399566
I have checked to see if I can apply this to a group and the MS property which is available in the user account does not appear on the group that the users are a member of.
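A scripted alternative to doing the KB change by hand in ADSIEdit for 500 accounts, as an added example (editor's code, not tlcsupport's or Microsoft's). It assumes, and this is an assumption rather than something the thread states, that the per-user attribute applied from the KB article is msExchQueryBaseDN, the attribute Exchange 2003 OWA uses to scope its address-book searches, and that the user object (not the group) is where it lives, which matches the comment above. Placeholders: the group CN=Pupils,OU=Groups,DC=school,DC=local and the container OU=Pupils,DC=school,DC=local under which pupil accounts (and no staff accounts) sit. Plain LDAP via System.DirectoryServices, so it runs from any domain-joined Windows PowerShell box with write access to the user objects.

```powershell
# Added example, not from the original thread. Assumptions (placeholders):
#  - the attribute the KB article has you set per user is msExchQueryBaseDN;
#  - pupils live under OU=Pupils and staff do not, so pointing the search base
#    there hides staff from OWA address-book searches;
#  - the pupils group DN below.
Add-Type -AssemblyName System.DirectoryServices

$pupilGroupDn = "CN=Pupils,OU=Groups,DC=school,DC=local"   # placeholder
$queryBaseDn  = "OU=Pupils,DC=school,DC=local"             # placeholder
$attr         = "msExchQueryBaseDN"

function Get-PupilUsers {
    param([string]$GroupDn)
    # Paged search on memberOf rather than reading the group's member
    # attribute, so it works past 1500 members. Direct membership only;
    # nested groups are not expanded here.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(memberOf=$GroupDn))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add($attr)
    $searcher.FindAll()
}

function Set-QueryBaseDn {
    param([string]$GroupDn, [string]$BaseDn, [switch]$WhatIf)
    $changed = 0; $alreadySet = 0
    foreach ($result in Get-PupilUsers -GroupDn $GroupDn) {
        $dn      = $result.Properties["distinguishedName"][0]
        $current = $result.Properties[$attr]
        # Idempotent: skip accounts that already carry the right value, so the
        # script can be re-run (e.g. from a scheduled task) for new pupils.
        if ($current -and $current.Count -gt 0 -and $current[0] -eq $BaseDn) { $alreadySet++; continue }
        if ($WhatIf) { Write-Host "Would set $attr on $dn"; $changed++; continue }
        $user = $result.GetDirectoryEntry()
        $user.Properties[$attr].Value = $BaseDn
        $user.CommitChanges()
        $changed++
    }
    New-Object PSObject -Property @{ Changed = $changed; AlreadySet = $alreadySet }
}

# Dry run first, then apply. Re-run periodically so accounts created after
# the first pass pick the attribute up as well.
Set-QueryBaseDn -GroupDn $pupilGroupDn -BaseDn $queryBaseDn -WhatIf
Set-QueryBaseDn -GroupDn $pupilGroupDn -BaseDn $queryBaseDn
```

Verify with one test pupil in OWA before the full run: search the address book for a staff member and confirm no result comes back, then for another pupil and confirm it does. The attribute only scopes OWA searches; Outlook users are governed by the address list permissions, so a pupil who could ever connect with Outlook needs both controls.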
LVL 12

Expert Comment

by:Rant32
ID: 16399602
I think that using this method doesn't really work very well on this scale, if you take into account that new users will be created, etc.

Can you explain what exactly doesn't work in the article in my first post, because editing the Permissions on the GAL seems to be the best solution to me. I also don't mind setting up a test environment, or you can use VMware if you have it.

I know it can be done, just let me know.
LVL 1

Author Comment

by:tlcsupport
ID: 16400423
OK - I have created a group containing all of the pupils in the school. I have then denied that group access to any address list in the organisation. This works when connecting through Outlook but when I log in as a test pupil through webmail I am still able to search for names on the global address list and get a result?
LVL 1

Author Comment

by:tlcsupport
ID: 16400431
As an extra point, I have tested this by logging onto Outlook with a pupil account and a staff account and this works OK. Just not through OWA?
LVL 1

Author Comment

by:tlcsupport
ID: 16465826
I have now resolved this by implementing a public folder and setting permissions on the folder.