Solved

Filter Default GAL for OWA in Exchange 2013 CU5

Posted on 2014-07-30
Last Modified: 2014-08-27
I am currently running Exchange 2010 sp3 and have a setup where we are providing email services to independent contractors who connect to us for email primarily using webmail.  We do not wish for the contractors to see each other in their address books.  We have long used the msExchQueryBaseDN attribute in AD to specify an OU which has just a couple of corporate mail contacts in it and this is what all users see as the only entries in their address list when using outlook web app.

I have stood up our Exchange 2013 CU5 environment and have moved a few test users over to it.  Unfortunately the directory does not even appear in OWA when composing a new message and bringing up the address book (only the user's contacts appear).  If I return the msExchQueryBaseDN attribute to a NULL value, the directory appears with ALL objects in it of course.

I initially thought maybe this type of segregation was no longer supported in Exchange 2013, but I found that in fact there is a new PowerShell command to set it in 2013 (Set-Mailbox -Identity "Test User" -QueryBaseDN "OU=Corp,DC=Domain,DC=Root").  Previously we had to do this manually in AD.

Should this type of filtering still work?  Any ideas why I'm seeing the behavior I am?

Note that I realize this likely could be handled by doing the following, which I would only do as a last resort (so please don't suggest these as solutions unless using the msExchQueryBaseDN to filter the GAL is definitively no longer supported):

1) I could create an ABP for every contractor with an address list that contains only them (if I was talking about a handful, this would be OK but not really viable for hundreds).

2) I've seen info out there on filtering the MsExchSearchBase of the Default Global Address List.  I could set this to my OU which contains just the corporate contacts I wish users to see.  I don't know if this would cause any other impact though to my webmail-only users.  I also have a small subset which connect using RPC over HTTPS and we have Address Book Policies setup for each of those offices so that they only see their own office in their Global Address List so I don't think these users would be impacted either, but wanted to throw it out there.
Question by: Tom Giusti
Author Comment

by: Tom Giusti
ID: 40279133
I have opened a ticket to Microsoft support for clarification since there is almost no information out there regarding this.

Accepted Solution

by: Tom Giusti
ID: 40287713
According to Microsoft:

Our Program Manager’s view on this issue is to use the Address Book Policy. Our PMs have confirmed that the QueryBaseDn attribute is no longer used for GAL segregation in Exchange 2013.

The documentation for the -QueryBaseDN switch in the Set-Mailbox PowerShell cmdlet which suggests that we can still use the QueryBaseDn attribute for GAL segregation is wrong, and has been corrected. The updated documentation will be released to TechNet and should go live this week. It will be available here:
http://technet.microsoft.com/en-us/library/bb123981(v=exchg.150).aspx.  After the update, the updated topic should now state that the parameter is reserved for internal Microsoft use.
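Since Microsoft's reply says Address Book Policies are the supported way to segregate the GAL in Exchange 2013, here is an added example (not part of the question or of Microsoft's reply) of the approach the question's option 1 describes, but with one shared policy for all contractors instead of one per contractor. It assumes the corporate contacts live under the OU named in the question (OU=Corp,DC=Domain,DC=Root), that contractor mailboxes are tagged with CustomAttribute1 = "Contractor" (an assumed convention; the page does not say how contractors are identified), and that the list and policy names are placeholders chosen here. The cmdlets are the standard Exchange 2013 address-list and ABP cmdlets, run from the Exchange Management Shell.

```powershell
# Added example, not from the original page. Assumptions: corporate contacts are in
# OU=Corp,DC=Domain,DC=Root (from the question); contractor mailboxes carry
# CustomAttribute1 = "Contractor" (assumed); all list/policy names are placeholders.

$corpOU = "OU=Corp,DC=Domain,DC=Root"
$contactFilter = "RecipientType -eq 'MailContact'"

# 1. A GAL scoped to the corporate contacts OU, so contractors do not see each other.
New-GlobalAddressList -Name "Contractor GAL" `
    -RecipientContainer $corpOU `
    -RecipientFilter $contactFilter

# 2. An address list with the same scope. An ABP needs at least one address list,
#    and its GAL must be a superset of every address list in the policy, so both
#    use the identical container and filter here.
New-AddressList -Name "Contractor Address List" `
    -RecipientContainer $corpOU `
    -RecipientFilter $contactFilter

# 3. An offline address book built from that list, for any client that downloads an OAB.
New-OfflineAddressBook -Name "Contractor OAB" -AddressLists "Contractor Address List"

# 4. New-AddressBookPolicy requires a room list; scoping it to the same OU keeps it empty
#    unless room mailboxes are ever placed there.
New-AddressList -Name "Contractor Rooms" `
    -RecipientContainer $corpOU `
    -RecipientFilter "RecipientDisplayType -eq 'ConferenceRoomMailbox'"

# 5. Combine the pieces into a single policy.
New-AddressBookPolicy -Name "Contractor ABP" `
    -AddressLists "Contractor Address List" `
    -GlobalAddressList "Contractor GAL" `
    -OfflineAddressBook "Contractor OAB" `
    -RoomList "Contractor Rooms"

# 6. Assign it to every contractor mailbox in one pass (replaces per-user msExchQueryBaseDN edits).
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq 'Contractor'" |
    Set-Mailbox -AddressBookPolicy "Contractor ABP"

# 7. Check the assignment before pointing OWA users at it.
Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute1 -eq 'Contractor'" |
    Format-Table Name, AddressBookPolicy
```

Because the page does not say whether a contractor's own mailbox has to be present in the GAL of the policy assigned to it, test the result with one of the moved test mailboxes in OWA (compose a message, open the address book) before applying the policy to the full contractor population. The policy-based approach also leaves the RPC over HTTPS offices on their existing per-office ABPs untouched, since each mailbox carries exactly one AddressBookPolicy.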
