Restrict an Outlook Anywhere user from seeing the Global Address List yet keep the ability to log on using Outlook Anywhere or RPC over HTTP/S
Posted on 2010-09-14
I have implemented Outlook Anywhere (RPC over HTTP/S) on our Exchange servers and have the accounts working and accessing their e-mail. I found out that these users still have access to view the entire GAL. I read a great walkthrough on setting up hosted Exchange for just this purpose and, to my knowledge, I have everything set up correctly except for this GAL issue. If I take the user's permissions away from seeing the default GAL, they can no longer log into their account. If I give it back, they can see all the people in the GAL. Can someone please enlighten me on where I'm messing the permissions up or what they should be? My end goal is to have a single user sign on in his own group and see only himself, or members of his specific group.
I've set up this so far:
1. "Open address list" permission given on the default GAL, otherwise they can't log in.
2. Created them their own GAL and gave them permission to it.
3. Created them their own Offline Address List and gave the user's universal security group "Read" permission to it.
4. Set the user's msExchUseOAB to the distinguished name of their respective OAL.
5. Set the user's msExchQueryBaseDN to their corresponding OU for their group.
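Steps 4 and 5 are per-user attribute writes, which is where a hosted setup most often drifts (one mailbox left pointing at the default OAL or with no msExchQueryBaseDN at all). The script below is an added example, not from the original post or from Microsoft: it applies both attributes to every mailbox-enabled user in a tenant OU with plain ADSI and then reads them back, reporting any mailbox that is still unscoped. The OU and OAL distinguished names are assumed placeholders.

```powershell
# Added example (not from the original post). Requires an account that can
# write msExchQueryBaseDN and msExchUseOAB on the users in the tenant OU.
# Both distinguished names below are assumed placeholders for this example.
$tenantOU  = "OU=ContosoTenant,OU=Hosting,DC=example,DC=local"
$tenantOAL = "CN=Contoso OAL,CN=Offline Address Lists,CN=Address Lists Container," +
             "CN=First Organization,CN=Microsoft Exchange,CN=Services," +
             "CN=Configuration,DC=example,DC=local"

# Find every mailbox-enabled user (has a mailNickname) under the tenant OU.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $tenantOU)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(mailNickname=*))"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

$report = foreach ($result in $searcher.FindAll()) {
    $user = $result.GetDirectoryEntry()

    # Step 5: scope the address book lookups Outlook performs to the tenant OU.
    $user.Put("msExchQueryBaseDN", $tenantOU)
    # Step 4: point cached-mode clients at the tenant's own Offline Address List.
    $user.Put("msExchUseOAB", $tenantOAL)
    $user.SetInfo()

    # Read the values back from a fresh bind rather than trusting the local cache.
    $check  = [ADSI]("LDAP://" + $user.Properties["distinguishedName"].Value)
    $baseDn = [string]$check.Properties["msExchQueryBaseDN"].Value
    $oal    = [string]$check.Properties["msExchUseOAB"].Value

    [pscustomobject]@{
        User        = [string]$check.Properties["distinguishedName"].Value
        QueryBaseDN = $baseDn
        OAL         = $oal
        # -eq is case-insensitive in PowerShell, which matches how DNs compare.
        Scoped      = ($baseDn -eq $tenantOU) -and ($oal -eq $tenantOAL)
    }
}

# Anything listed here can still browse the full GAL or download the default OAB.
$report | Where-Object { -not $_.Scoped } | Format-Table -AutoSize
```

msExchQueryBaseDN only narrows the live directory lookups, so a cached-mode Outlook client that is still assigned the default OAB will keep showing the whole organisation until step 4 is applied too, which is why the verification checks both attributes together.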