Can I deny access to the global address list

Hi, I hope you can help.

I have recently put a couple of Exchange 2003 boxes into a school, one as a front end server for webmail and the other as a backend server. All the pupils in the school have an AD user account and an associated mailbox that they are only able to access thorugh webmail Via the front end server. The teachers and the admin staff at the school also have AD accounts and use outlook to connect directly to the back-end Exchange server.

What I now need to do is lock down the address lists so that none of the pupils can access any contact information on the staff. I need to do this while making sure that the teachers and admin staff can see any address on the address lists including all the pupils and the pupils can see the other pupils contact details.

All of the user accounts are in the same domain. I know that I can hide the teachers addresses from the GAL but this wont achieve the result I need. What I'm hoping I can do is create a 'teachers' address list and a 'pupils' address list and deny the pupils read access on the 'teachers' address list. Is this possible??


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Yes, there was an interesting article on a while back that handles security on the GAL for different companies using the same Exchange server. This will apply to your situation as well.

Part 1:
Part 2:

The key you're looking for is in Part 2:

"The Exchange hiding game is done mostly by implementing permissions. Outlook will use the first Global Address List and Offline Address list that the user has permissions for."

Good luck.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
tlcsupportAuthor Commented:
Thanks for the reply. I have tried locking this down with permissions and it doesn't appear to work. I have found the below article on the Microsoft knowledge base  and I have applied this to a test user. The user was unable to read from the global address list. I think I will be able to work with this solution but the only problem now is that I need to apply it to about 500 users. Does anyone know of a way to do this with ADSIedit??

Cloud Class® Course: Microsoft Office 2010

This course will introduce you to the interfaces and features of Microsoft Office 2010 Word, Excel, PowerPoint, Outlook, and Access. You will learn about the features that are shared between all products in the Office suite, as well as the new features that are product specific.

tlcsupportAuthor Commented:
I have checked to see if I can apply this to a group and the MS property which is available in the user account does not appear on the group that the users are a member of.
I think that using this method doesn't really work very well on this scale, if you take into account that new users will be created, etc.

Can you explain what exactly doesn't work in the article in my first post, because editing the Permissions on the GAL seems to be the best solution to me. I also don't mind setting up a test environment, or you can use VMware if you have it.

I know it can be done, just let me know.
tlcsupportAuthor Commented:
OK - I have created a group containing all of the pupils in the school. I have then denied that group access to any address list in the organisation. This works when connecting through outlook but when I log in as a test pupil through webmail I am still able to search for names on the global address list and get a result??
tlcsupportAuthor Commented:
as an extra point. I have tested this by logging onto outlook with a pupil account and a staff account and this works OK. Just not through OWA???
tlcsupportAuthor Commented:
I have now resolved this by inplementing a public folder and setting permissions on the folder.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.