Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Shared Exchange 2007: Segregated address list hidden in OWA but not Outlook

Posted on 2011-03-08
Medium Priority
Last Modified: 2012-05-11
I'm running a Shared Exchange Environment on Server 2008 and Exchange 2007. I've got it set up so address lists are segregated. This works perfectly in OWA. I can't see any other organizations users. But in Outlook, if I open the address book, I can still see other organizations address lists. Any idea why this is?
Question by:blueswitch
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 32

Accepted Solution

endital1097 earned 2000 total points
ID: 35127576
This is  because in OWA there is an AD attribute (msExchQueryBaseDN) that controls which address list a user views where Outlook requires permissions on each address list
Here is a link to a white paper on configuring address list segregation

Active Directory contains a database of all users. The practical implementation of this database, when accessed from an Outlook client, is referred to as the Exchange GAL. When segregating Exchange, if user searches this list, you want to limit the results to recipients in the same segregated group.

This partitioning of the GAL is provided by access control lists associated with global group memberships. For each organizational unit containing a segregated group, a global group must be created. The global group membership is the users of the segregated group located in the OU. Use this group, together with other permission changes, to provide a view of Active Directory specific to the segregated group located in the organizational unit.

When partitioning the GAL, you must remove the existing default rights to see all users and objects within Active Directory. To accomplish this task, you must remove from each organizational unit the permissions assigned to the Authenticated Users group and the Everyone group, if it exists.

The host company requires permissions to see all objects within Active Directory. Add rights for the security group for each segregated group's users, thus allowing the users to see other users in their own organizational unit. Go through each organizational unit and add a security group for that segregated group. For example, for the organizational unit representing Fabrikam.com, add the Fabrikam Users security group and assign Read rights.

There are some permissions that apply only to specific clients. Your service determines which clients get support. For example, Outlook Web Access does not incorporate user permission sets when doing searches. The permissions set on OUs do not prevent search results from including other segregated group's recipients. If you are using Outlook Web Access, you must set the attribute msExchQueryBaseDN on each address list or user object to restrict the search results to include only the members of the appropriate address list.

As with all security and permissions changes, verification and testing must be performed to ensure the expected result is obtained after the change has been implemented. In this example, the Outlook client and Outlook Web Access should be tested to guarantee that each segregated group can view only their group-specific data, and that all client features operate as intended.
LVL 74

Expert Comment

by:Glen Knight
ID: 35361020
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know the reasons and solutions to move/import EDB to New Exchange Server. Also, find out how to recover an Exchange .edb file and to restore the file back.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This video discusses moving either the default database or any database to a new volume.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question