Filter Default GAL for OWA in Exchange 2013 CU5
Posted on 2014-07-30
I am currently running Exchange 2010 sp3 and have a setup where we are providing email services to independent contractors who connect to us for email primarily using webmail. We do not wish for the contractors to see each other in their address books. We have long used the msExchQueryBaseDN attribute in AD to specify an OU which has just a couple of corporate mail contacts in it and this is what all users see as the only entries in their address list when using outlook web app.
I have stood up our Exchange 2013 CU5 environment and have moved a few test users over to it. Unfortunately the directory does not even appear in OWA when composing a new message and brining up the address book (only the user's contacts appear). If I return the msExchQueryBaseDN attribute to NULL value, the directory appears with ALL objects in it of course.
I initially thought maybe this type of segregation was no longer supported in Exchange 2013, but I found that in fact there is a new powershell command to set it in 2013 (Set-Mailbox -Identity Test User -QueryBaseDN "OU=Corp,DC=Domain,DC=Root"). Previously we had to do this manually in AD.
Should this type of filtering still work? Any ideas why I'm seeing the behavior I am?
Note that I realize this likely could be handled by doing the following, of which I would only do as a last resort (so please don't suggest these as solutions unless using the msExchQueryBaseDN to filter the GAL is definitively no longer supported):
1) I could create an ABP for every contractor with an address list that contains only them (if I was talking about a handful, this would be OK but not really viable for hundreds).
2) I've seen info out there on filtering the MsExchSearchBase of the Default Global Address List. I could set this to my OU which contains just the corporate contacts I wish users to see. I don't know if this would cause any other impact though to my webmail-only users. I also have a small subset which connect using RPC over HTTPS and we have Address Book Policies setup for each of those offices so that they only see their own office in their Global Address List so I don't think these users would be impacted either, but wanted to throw it out there.