GAL Segmentation in Office 365

Hi,

I have a 365 tenant containing 3 different email domains. I need to separate the GALs, and associated users from each other. Domain A cannot see domain B, and B cannot see C and so on.

I understand I have to create an address book policy, but am confused as to how exactly to achieve this. Can anyone provide some easy to follow instructions please?

Many thanks.
0
Asked by: alexbuckland1
 
alexbuckland1Author Commented:
Yes.

But these refer to creation and application of GALs using custom groups or distinguished names created either when the mailbox was created or during sync with AD. My users have no such field, the only thing that distinguishes them is their domain in the email address field.

I do not know how to use PowerShell to use this known field to apply the GALs.

A.
0
 
Vasil Michev (MVP)Commented:
It is available, but most of the administration is done via PowerShell only. You will need to use PowerShell to create the new ABPs and define what they include (or modify/create the actual address lists). Once you have created the ABPs, you can assign them from the EAC as well.

http://technet.microsoft.com/en-us/library/hh529948(v=exchg.150).aspx
0
 
alexbuckland1Author Commented:
Hi,

Yes, I am aware of this. I need someone to provide some sample script or guidance for undertaking this process, but using the email domain as the filtering option when creating the GALs.

Thanks,

Alex.
0
 
Vasil Michev (MVP)Commented:
You just need to familiarize yourself with the cmdlet, it's not that hard. The article above gives examples, and you can also get more examples for the actual cmdlets here: http://technet.microsoft.com/en-us/library/jj218649(v=exchg.150).aspx

For example, to create a new list to match based on the domain portion of the UPN, you can use something like this:

New-AddressList -Name 'Domain' -RecipientFilter {((Alias -ne $null) -and (UserPrincipalName -like '*@domain.com'))}


You then need to update the list membership. In Exchange Online this is done by 'touching' the objects in question, for example by doing this:
Get-Mailbox | Set-Mailbox -CustomAttribute10 10
Get-Mailbox | Set-Mailbox -CustomAttribute10 $null


You can verify the membership after:
Get-Recipient -ResultSize Unlimited -Filter "AddressListMembership -eq '$((Get-AddressList -Identity "domain").DistinguishedName)'"


The new list will be immediately visible in OWA. The next step is to assign it to a policy, which you will then assign to users. There are some other steps as well, just follow the instructions in the article above.
0
 
alexbuckland1Author Commented:
Thank you! I shall play with this at the weekend and report back!
0
 
alexbuckland1Author Commented:
Thanks, that's working great so far.
I have created 3 different lists based on their domain membership and verified the members ok.
0
 
alexbuckland1Author Commented:
Could you provide some code sample to finish the job off please? I am going round in circles.
Many thanks.
0
 
Vasil Michev (MVP)Commented:
Once you have created the address lists (don't forget you need a new GAL/OAB as well), you can create the Address book policy and assign it to users. Just follow the article I gave above, it has detailed info and example on every step you need.

Here's for example the page on new ABP creation:

http://technet.microsoft.com/en-us/library/hh529931(v=exchg.150).aspx

All the rest is on the left-hand side.
0
 
alexbuckland1Author Commented:
To quote the link

"When creating an ABP, you assign a GAL, an offline address book (OAB), a room list, and one or more address lists"

I have created the lists with your help, so I now need to create the GAL, OAB, and Room List before I create the policy I assume?

Thanks.
0
 
Vasil Michev (MVP)Commented:
Yes. You can probably reuse the room list as even if the company has many offices, it's a good idea to have all the resources visible to all users. Also don't forget that the GAL includes a lot more than just users and rooms, so make sure you include any contacts, DGs, mail users, shared mailboxes and so on in the newly created GAL(s). But of course it depends on your preference.

The blog article imkottees linked above gives you step-by-step instructions on all the steps, all you need to do in your case is change the criteria:

http://www.flexecom.com/gal-segmentation-in-office-365/

The last step, assigning the ABP (with the scary looking PowerShell example) can actually be done via the EAC. For the rest you will need to rely on PowerShell.

And you can always rely on the TechNet articles for more detailed information and examples.
0
 
alexbuckland1Author Commented:
Right, almost nailed it. I have used:


New-OfflineAddressBook -Name "Domain-All-OAB" -AddressLists "\Domain"

New-GlobalAddressList -Name "All Domain" -RecipientFilter {((Alias -ne $null) -and (UserPrincipalName -like '*@domain.co.uk'))}

New-AddressBookPolicy -Name "All Domain ABP" -AddressLists "\Domain" -OfflineAddressBook \Domain-All-OAB -GlobalAddressList "\All Domain" -RoomList "\Domain"


Which seemed to work :-)

I have assigned this policy to just my mailbox for now. How long before I can expect to see the changes in Outlook? I can still see all the other domains' users.

Thanks for your help so far.
0
 
alexbuckland1Author Commented:
and for the benefit of readers I applied the policy using:

Get-Mailbox -Filter {((Alias -ne $null) -and (UserPrincipalName -like '*@domain'))} | Set-Mailbox -AddressBookPolicy "All Domain ABP"
0
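A check for the assignment step above, added here as an example and not posted by anyone in the thread: a mailbox with no address book policy still sees the default GAL with every domain, so this reports mailboxes whose policy is missing or does not match their UPN domain. The function name Test-AbpAssignment, the second and third domain/policy pairs and the sample mailboxes are assumptions constructed for illustration.

```powershell
# Added example. Expected ABP per UPN domain; only the first entry uses names
# from the thread, the other two are hypothetical placeholders.
$PolicyByDomain = @{
    'domain.co.uk'     = 'All Domain ABP'
    'domain-b.example' = 'Domain B ABP'
    'domain-c.example' = 'Domain C ABP'
}

function Test-AbpAssignment {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Mailbox,
        [Parameter(Mandatory)] [hashtable] $PolicyByDomain
    )
    process {
        $upn      = [string]$Mailbox.UserPrincipalName
        $domain   = ($upn -split '@')[-1]
        $actual   = [string]$Mailbox.AddressBookPolicy   # empty when none is assigned
        $expected = $PolicyByDomain[$domain]             # hashtable lookup ignores case

        if (-not $expected) {
            $finding = 'UnmappedDomain'    # domain is not covered by any policy
        } elseif (-not $actual) {
            $finding = 'NoPolicy'          # mailbox still sees the default GAL
        } elseif ($actual -ne $expected) {
            $finding = 'WrongPolicy'       # mailbox sees another domain's lists
        } else {
            return                         # correctly segmented, nothing to report
        }

        [pscustomobject]@{
            UserPrincipalName = $upn
            Assigned          = $actual
            Expected          = $expected
            Finding           = $finding
        }
    }
}

# Constructed sample objects with the two properties the check reads.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@domain.co.uk';     AddressBookPolicy = 'All Domain ABP' }
    [pscustomobject]@{ UserPrincipalName = 'bob@domain.co.uk';       AddressBookPolicy = $null }
    [pscustomobject]@{ UserPrincipalName = 'carol@domain-b.example'; AddressBookPolicy = 'All Domain ABP' }
    [pscustomobject]@{ UserPrincipalName = 'shared@other.example';   AddressBookPolicy = $null }
)

# Against the tenant, replace $sample with: Get-Mailbox -ResultSize Unlimited
$sample | Test-AbpAssignment -PolicyByDomain $PolicyByDomain | Format-Table -AutoSize
```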