

Default GAL Showing even with Deny read enabled

Posted on 2011-04-26
Medium Priority
Last Modified: 2012-06-21
Have an Exchange 2007 hosted environment (yes, I know, not supported), but it is working well. Some, not all, of my users can see the default GAL and in return are seeing other clients' users (not good).
I have verified that each security group (each group has its own security group) has a deny read on the default GAL. I keep removing the default GAL from the user attributes in AD show in address book setting, but it keeps coming back.
Sorry, my first post, so if I missed some info please let me know.
Environment is a single Windows 2008 Standard server running Exchange 2007 SP2.
Question by:ele-Jim

Expert Comment

by:Renato Montenegro Rustici
ID: 35469495
Is the "Authenticated Users" security principal denied? If it's not, your users will still be able to see the GAL.

Are your users working in cached mode? If they are, I am pretty sure you should set the permissions in the OAB branch too.

Expert Comment

by:Renato Montenegro Rustici
ID: 35469523
And, note that OWA will ignore those settings. You must force which Address Book the users will use by using a property in each user account. I don't remember the property. If you don't know, tell me and we will try to find out.

Author Comment

ID: 35469746
Hard to tell if that did it or not. Authenticated users did have read rights on the GAL but was not listed on the OAB. I added it with the deny. Any idea why the attribute settings in AD show address book keep reverting back and adding the default GAB? Almost acting like a policy, but not sure where it gets it from.

Thanks so much, hope this works.

Accepted Solution

Renato Montenegro Rustici earned 2000 total points
ID: 35469830
Note that you must uncheck the inheritance in each address book.

I really recommend that you read this document:

White Paper: Configuring Virtual Organizations and Address List Segregation in Exchange 2007

It's a very complex setup and you must do it carefully. Make sure you have a System State backup at each move you make.
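
The checks discussed in this thread (a Deny read entry for "Authenticated Users" and inheritance unchecked on each address book) can be audited with a short script. This is an added example, not part of the original thread or the white paper. It assumes ACE objects with the `User`, `Deny`, `IsInherited` and `AccessRights` properties that `Get-ADPermission` returns; the function names, the `CONTOSO\Exchange Admins` group and the sample ACEs are constructed for illustration.

```powershell
# Added example. ACE objects are expected to carry the properties that
# Get-ADPermission returns: User, Deny, IsInherited, AccessRights.
function Test-AddressListAcl {
    param(
        [string]$ListName,
        [object[]]$Aces,
        [string]$Principal = 'NT AUTHORITY\Authenticated Users'
    )
    $readRights = 'GenericRead|ReadProperty|GenericAll'
    # ACEs for the principal that grant or deny any form of read access.
    $forPrincipal = @($Aces | Where-Object {
        "$($_.User)" -eq $Principal -and "$($_.AccessRights)" -match $readRights
    })
    $denyRead = @($forPrincipal | Where-Object { $_.Deny }).Count -gt 0
    # Heuristic: any inherited ACE means inheritance is still enabled on the object.
    $inherits = @($Aces | Where-Object { $_.IsInherited }).Count -gt 0

    $problems = @()
    if (-not $denyRead) { $problems += "no Deny read ACE for $Principal" }
    if ($inherits)      { $problems += 'inheritance still enabled' }

    New-Object PSObject -Property @{
        List     = $ListName
        DenyRead = $denyRead
        Inherits = $inherits
        Problems = ($problems -join '; ')
    }
}

# Constructed sample ACEs (not taken from a real directory).
function New-SampleAce($User, $Rights, [bool]$Deny, [bool]$Inherited) {
    New-Object PSObject -Property @{
        User = $User; AccessRights = $Rights; Deny = $Deny; IsInherited = $Inherited
    }
}
$au = 'NT AUTHORITY\Authenticated Users'
$before = @(New-SampleAce $au 'GenericRead' $false $true)
$after  = @(
    (New-SampleAce $au 'GenericRead' $true $false),
    (New-SampleAce 'CONTOSO\Exchange Admins' 'GenericAll' $false $false)  # hypothetical group
)

Test-AddressListAcl 'Default Global Address List (before)' $before   # reports both problems
Test-AddressListAcl 'Default Global Address List (after)'  $after    # Problems is empty

# Live use from the Exchange Management Shell:
# Get-GlobalAddressList | ForEach-Object {
#     Test-AddressListAcl $_.Name (Get-ADPermission -Identity $_.DistinguishedName)
# }
```

The same function can be pointed at `Get-AddressList` and `Get-OfflineAddressBook` output to cover the OAB permissions mentioned for cached-mode clients.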
