

Restrict Outlook Anywhere user from seeing Global Address List yet keep the ability to log on using Outlook Anywhere or RPC over HTTP/S

Posted on 2010-09-14
Medium Priority
Last Modified: 2012-05-10
I have implemented Outlook Anywhere or RPC over HTTP/S on our Exchange servers and have the accounts working and accessing their e-mail. I find out that these users still have access to view the entire GAL. I read a great walkthrough with regard to setting up hosted Exchange for just this purpose, and to my knowledge I have everything set up correctly, except for this GAL issue. If I take the user's permissions away from seeing the default GAL, they can no longer log into their account. If I give it back, they can see all the people in the GAL. Can someone please enlighten me on where I'm messing the permissions up or what they should be? My end goal is to have a single user sign on in his own group and see only himself, or members in his specific group.

I've set this up so far:

1.  "Open address list" permission given on the default GAL, otherwise they can't log in.
2.  Created them their own GAL and gave them permission to it.
3.  Created them their own Offline Address List and gave the user's universal security group "read" permission to it.
4.  Set the user's msExchUseOAB to the distinguished name of their respective OAL.
5.  Set the user's msExchQueryBaseDN to their corresponding OU for their group.

Help please!
Question by: firstheartland

Expert Comment

ID: 33676507
You need to create a group and add the users that should not see the GAL.
Then add this group to the permissions for the GAL with a deny.

Author Comment

ID: 33676609
OK, for my clarity, I have the universal security group with the user in question as a member already. So I need to set the group to deny permission for the default GAL, or I need to create a new group consisting of everyone that shouldn't see the GAL?

Accepted Solution

endital1097 earned 2000 total points
ID: 33676635
Use your existing group and deny Open Address List.

Author Closing Comment

ID: 33738291
Not sure why I thought I needed the opposite, but this works peachy.
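
The accepted fix written out as Exchange Management Shell commands, added here as an example and not posted by anyone in the thread. It assumes Exchange 2007 or 2010; the group name is a hypothetical placeholder, and the filter pattern assumes the right is reported either by its display name or by its directory name.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Hypothetical placeholder: the tenant's existing universal security group.
$Group = 'CONTOSO\TenantA-Users'

# Assumption: the right appears as "Open Address List" (display name)
# or "Open-Address-Book" (directory name), depending on the cmdlet output.
$RightPattern = 'Open[- ]Address[- ](List|Book)'

# Resolve the Default GAL to its directory object.
$DefaultGal = Get-GlobalAddressList -Identity 'Default Global Address List'

# Record the existing Open Address List ACEs before changing anything,
# so the change can be reviewed and reverted.
Get-ADPermission -Identity $DefaultGal.DistinguishedName |
    Where-Object { $_.ExtendedRights -match $RightPattern } |
    Format-Table User, Deny, IsInherited -AutoSize

# Explicit deny for the existing group on the Default GAL only.
Add-ADPermission -Identity $DefaultGal.DistinguishedName -User $Group `
    -ExtendedRights 'Open Address List' -Deny

# Verify across every GAL: the group should show Deny = True on the
# Default GAL and Deny = False (allow) on its own GAL.
$report = Get-GlobalAddressList | ForEach-Object {
    $gal = $_
    Get-ADPermission -Identity $gal.DistinguishedName -User $Group |
        Where-Object { $_.ExtendedRights -match $RightPattern } |
        Select-Object @{ n = 'GAL'; e = { $gal.Name } }, User, Deny, IsInherited
}
$report | Format-Table -AutoSize

# Fail loudly if the deny did not land where expected.
$denyOnDefault = $report |
    Where-Object { $_.GAL -eq $DefaultGal.Name -and $_.Deny }
if (-not $denyOnDefault) {
    Write-Warning "No deny ACE for $Group found on '$($DefaultGal.Name)'."
}
```

A deny ACE applies to every member of the group, so check the group's membership for administrative or service accounts that still need the full GAL before applying it.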
