Restrict Outlook Anywhere user from seeing Global Address List yet keep the ability to log on using Outlook Anywhere or RPC over HTTP/S

Posted on 2010-09-14
Last Modified: 2012-05-10
I have implemented Outlook Anywhere or RPC over HTTP/S on our Exchange servers and have the accounts working and accessing their e-mail. I find out that these users still have access to view the entire GAL. I read a great walkthrough with regard to setting up hosted Exchange for just this purpose and to my knowledge I have everything set up correctly, except for this GAL issue. If I take the user's permissions away from seeing the default GAL, they can no longer log into their account. If I give it back, they can see all the people in the GAL. Can someone please enlighten me on where I'm messing the permissions up or what they should be? My end goal is to have a single user sign on in his own group and see only himself, or members in his specific group.

I've set this up so far:

1. "Open Address List" permission given on default GAL, otherwise they can't log in.
2. Created them their own GAL and gave them permission to it.
3. Created them their own Offline Address List and gave the user's universal security group "read" permission to it.
4. Set the user's msExchUseOAB to the distinguished name of their respective OAL.
5. Set the user's msExchQueryBaseDN to their corresponding OU for their group.

Help please!
Question by: firstheartland

Expert Comment

ID: 33676507
You need to create a group and add the users that should not see the GAL, then add this group to the permissions for the GAL with a deny.

Author Comment

ID: 33676609
OK, for my clarity, I have the universal security group with the user in question as a member already. So I need to set the group to deny permission for the default GAL, or I need to create a new group consisting of everyone that shouldn't see the GAL?

Accepted Solution

endital1097 earned 500 total points
ID: 33676635
Use your existing group and deny Open Address List.

Author Closing Comment

ID: 33738291
Not sure why I thought I needed the opposite, but this works peachy.
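
The accepted fix above, as an added example that is not part of the original thread: the deny applied from the Exchange Management Shell, followed by a check of what the group ends up with on every GAL. It assumes Exchange 2007 or 2010 with the default GAL name; the group name `CONTOSO\Hosted-CustomerA` is a hypothetical placeholder.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# (assumption: Exchange 2007 or 2010, where Add-ADPermission is available).
$Group      = 'CONTOSO\Hosted-CustomerA'     # hypothetical universal security group
$DefaultGal = 'Default Global Address List'  # Exchange default name; adjust if renamed

# Explicit deny of the "Open Address List" extended right for the existing group.
$galDn = (Get-GlobalAddressList -Identity $DefaultGal).DistinguishedName
Add-ADPermission -Identity $galDn -User $Group -Deny `
    -ExtendedRights 'Open Address List'

# Audit: show every entry the group holds for that right on each GAL.
# Expected result: Deny = True on the default GAL, Deny = False (allow)
# only on the group's own GAL.
Get-GlobalAddressList | ForEach-Object {
    $gal = $_
    Get-ADPermission -Identity $gal.DistinguishedName -User $Group |
        # The right can be listed by display name or by directory name,
        # so the pattern accepts "Open Address List" and "Open-Address-Book".
        Where-Object { $_.ExtendedRights -match 'Open.Address' } |
        Select-Object @{ Name = 'GAL'; Expression = { $gal.Name } },
                      User, Deny, IsInherited, ExtendedRights
}
```

An explicit deny overrides any allow a member receives through another group, so keep administrative and service accounts out of the denied group.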
