Solved

How do I separate Global Address Lists on Exchange 2010

Posted on 2010-11-16
Last Modified: 2012-05-10
We are hosting multiple domains on an Exchange 2010 server.  I need each domain to have its own Global Address List and not allow domains to see other domain lists.
Question by:Computer-Innovations
 
LVL 49

Expert Comment

by:Akhater
ID: 34147094
Address list segregation is not supported yet on Exchange 2010 so, unless you are using the hosting version of Exchange SP1, you cannot do it yet
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34147113
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34147152
Tony1044, the link refers to Exchange 2007; Exchange 2010 does not support address list segregation
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34147164
Although not supported - I have used this article to segregate the Address Lists on my own 2010 server and know at least one other EE Exchange Genius who has done the same.

It is not a Supported Configuration at the moment as far as Microsoft is concerned, so if you walk down this route and get problems, Microsoft will not support you though.

http://technet.microsoft.com/en-us/library/bb936719(EXCHG.80).aspx
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34147178
But Alan, did you try it with SP1? As far as I know you won't be able to update to SP1 or any future update
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34147202
I have updated to SP1 and so has the other EE Exchange Genius - mine is currently dragging down empty GAL's but the other Expert's isn't!  I have not had the time to look into this much yet - but know it can be done.

Installing SP1 after segregation can be achieved by a permission change.
0
 
LVL 25

Expert Comment

by:Tony1044
ID: 34147219
Sorry - haven't tried it myself, but thought it worked, even on Exc 2010 pre SP1?

Others seem to be using it too:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26205332.html
0
 

Author Comment

by:Computer-Innovations
ID: 34156246
I've followed these steps, but I'm still having issues.  Non administrative users can't read the new GAL's I created and the default GAL is still visible to everyone.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34156303
I followed them to the letter and it has worked for me and others I know who followed it.

You may have missed a step or two - it is a lengthy document.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 34156336
Go carefully over the doc again, you should have missed a step or something
0
 

Author Comment

by:Computer-Innovations
ID: 34198194
I am working on building a test system to work on this issue.  As soon as I've completed my testing I'll let you know if I need further help.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34198280
FYI - My GAL's are now populated correctly!  Seems some twiddling with permissions took a while to apply - so with SP1 in place - all is happy : )
0
 

Author Comment

by:Computer-Innovations
ID: 34240673
Ok, I've created a new server from scratch for testing.  I'm following the steps as outlined and this is the first problem I ran into. I of course changed the domain name to suit my environment.

 Procedure
To use the Exchange Management Shell to modify the security permissions on the Offline Address Lists Container for the Authenticated Users group
1.Run the following command:



$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration, DC=testdomain,DC=local"

remove-adpermission $container -user "NT AUTHORITY\Authenticated Users" -ExtendedRights 'ms-Exch-Download-OAB'

CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration, DC=testdomain,DC=local wasn't found. Please make sure you've typed it correctly.
    + CategoryInfo          : NotSpecified: (0:Int32) [Remove-ADPermission], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : 73338EB8,Microsoft.Exchange.Management.RecipientTasks.RemoveADPermission
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34240833
If you open up ADSIEDIT.MSC (Start> Run> {type} adsiedit.msc {press enter}) on your test server (be very careful here - you can do lots of damage with ADSIEDIT).

Expand Configuration (if you can't see Configuration, right-click Default Naming Context and choose Settings, then choose Configuration)

Expand Services> Microsoft Exchange> First Organization (If that is what it is called)> Address Lists Container> Offline Address Lists.

Is the path you have expanded down exactly the same as the syntax you entered in Powershell (in reverse).  If not - correct it - try the command again and make a note of the correct path.

Close ADSIEDIT.
0
 

Author Comment

by:Computer-Innovations
ID: 34240886
Yes, there was a problem with my path.  I corrected it and now have the following error.

[PS] C:\Windows\system32>$container = "CN=Default Offline Address Book,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=testdomain,DC=local"
[PS] C:\Windows\system32>remove-adpermission $container -user "NT AUTHORITY\Authenticated Users" -ExtendedRights 'ms-Exch-Download-OAB'

Confirm
Are you sure you want to perform this action?
Removing Active Directory permission "\Default Offline Address Book" for user "NT AUTHORITY\Authenticated Users" with access rights "'ms-Exch-Download-OAB'".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"):
An inherited access control entry has been specified: [Rights: ExtendedRight, ControlType: Allow]  and was ignored on object "CN=Default Offline Address Book,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=testdomain,DC=local".
    + CategoryInfo          : NotSpecified: (0:Int32) [Remove-ADPermission], TaskInvalidOperationException
    + FullyQualifiedErrorId : 35613B0D,Microsoft.Exchange.Management.RecipientTasks.RemoveADPermission
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34240915
I assume you pressed Y?

If so - the right is being inherited and thus can't be deleted without removing the inheritance first.

Looks like you may have missed a step.
0
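The "inherited access control entry ... was ignored" error discussed above can be traced from the Exchange Management Shell by walking up the directory tree until the entry is found set explicitly. This is an added example, not code from the thread or from the TechNet article; the function name Find-AceSource is hypothetical, and the DN is the test-domain path posted above.

```powershell
# Added example: report where an extended-right ACE is inherited and where it is explicit.
# Run in the Exchange Management Shell; Get-ADPermission is read-only.
function Find-AceSource {
    param(
        [string]$Identity,
        [string]$User = 'NT AUTHORITY\Authenticated Users',
        [string]$ExtendedRight = 'ms-Exch-Download-OAB'
    )
    $splitter = [regex]'(?<!\\),'          # first comma that is not escaped in the DN
    $dn = $Identity
    while ($dn) {
        # ACEs for this user on the current object that carry the extended right
        $aces = @(Get-ADPermission -Identity $dn -User $User -ErrorAction SilentlyContinue |
            Where-Object { $_.ExtendedRights -like $ExtendedRight })

        foreach ($ace in $aces) {
            New-Object PSObject -Property @{
                Object      = $dn
                User        = $ace.User
                Deny        = $ace.Deny
                IsInherited = $ace.IsInherited
            }
        }

        # An explicit (non-inherited) ACE is the one Remove-ADPermission can act on
        if ($aces | Where-Object { -not $_.IsInherited }) { break }

        # Otherwise move to the parent container and look again
        $parts = $splitter.Split($dn, 2)
        if ($parts.Count -eq 2) { $dn = $parts[1].Trim() } else { $dn = $null }
    }
}

# DN as posted in the thread (test domain)
$oab = "CN=Default Offline Address Book,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=testdomain,DC=local"
Find-AceSource -Identity $oab | Format-Table Object, IsInherited, Deny -AutoSize
```

The last row with IsInherited False names the container where the right is actually granted; rows above it show the objects that only inherit it.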
 

Author Comment

by:Computer-Innovations
ID: 34240971
I've copied and pasted the code step by step.. nothing has been missed.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34241073
Okay - please fire up ADSIEDIT again, expand until the Offline Address Lists, then right-click and choose properties.  Click on the Security Tab.

What permissions does Authenticated Users have and are they inherited?
0
 

Author Comment

by:Computer-Innovations
ID: 34241108
It says they are not inherited, but they also have no permissions assigned to them.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 34309783
Sorry - missed the last ping email for your comment.

So the Authenticated users are not inherited special permissions?  Is the include inheritable permissions from this parent's object parent ticked?
0
