Address Book for each OU in Exchange 2013

Dear Experts,

I want to create a policy for the address book for each OU. When users select the "To" option in a new mail, they should see their OU name, under which only the users in their OU are listed. They must not be able to see the mail IDs of users in other OUs.

Please help.

With Experts-Exchange I have done the setup for Exchange.

We are using Exchange Server 2013 Standard.

Regards,

JCT
jct_777 asked:

Jian An Lim (Solutions Architect) commented:
Yes.
You can use address list segmentation (2007) or Address Book Policies (2010/2013).

Please read and let me know:
https://technet.microsoft.com/en-us/library/jj657455(v=exchg.150).aspx
0
Will Szymkowski (Senior Solution Architect) commented:
I would also agree that Address Book Policy would be the appropriate solution for what you are asking.

Will.
0
jrhelgeson commented:
$NewTenant = "Sales"   ### the value must be quoted; unquoted, PowerShell tries to run "Sales" as a command

New-GlobalAddressList -Name "$NewTenant - GAL" -ConditionalCustomAttribute1 "$NewTenant" -IncludedRecipients MailboxUsers -RecipientContainer "example.local/Tenants/$NewTenant"



This will create a Global Address List called "Sales - GAL", it will look for the Conditional Custom Attribute called "Sales" and it will add all the users within the example.local/Tenants/Sales OU.

That's the simple method. Below is the detailed script I use to create separate tenants within a hosted environment, which is pretty much exactly what you're trying to do.
Create an OU for the tenant. I placed mine under an OU called 'Tenants'.

Notes:

 I used the parent OU as 'Tenants'. Lync has certain requirements for the hoster pack that I haven't read yet.
 Be sure to change the domain to your local domain name
 Each user must have the address book policy assigned to the user for that specific Tenant
 Each user must also have the CustomAttribute1 set to the Tenant name
 Each user must have the UPN suffix set for that specific Tenant

Import-Module ActiveDirectory
### String values must be quoted; unquoted, PowerShell tries to run "Contoso" as a command
$NewTenant = "Contoso"
$NewTenantDomain = "Contoso.com"
$connect = "LDAP://dc1/OU=Tenants,DC=cloud,DC=local"
$ad = [ADSI]$connect
$ou = $ad.Create("OrganizationalUnit", "ou=$NewTenant")
$ou.SetInfo()

###Now you must create the UPN: - this may not apply to your situation
  Set-ADForest -Identity cloud.local -UPNSuffixes @{Add="$NewTenantDomain"}

###Create Accepted Domain - this may not apply to your situation
  New-AcceptedDomain -Name "$NewTenant" -DomainName $NewTenantDomain -DomainType:Authoritative

###Create Global Address List
  New-GlobalAddressList -Name "$NewTenant - GAL" -ConditionalCustomAttribute1 "$NewTenant" -IncludedRecipients MailboxUsers -RecipientContainer "cloud.local/Tenants/$NewTenant"

###Create All Rooms Address List
  New-AddressList -Name "$NewTenant - All Rooms" -RecipientFilter "(CustomAttribute1 -eq '$NewTenant') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')" -RecipientContainer "cloud.local/Tenants/$NewTenant"

###Create All Users Address List
  New-AddressList -Name "$NewTenant - All Users" -RecipientFilter "(CustomAttribute1 -eq '$NewTenant') -and (ObjectClass -eq 'User')" -RecipientContainer "cloud.local/Tenants/$NewTenant"

###Create All Contacts Address List
  New-AddressList -Name "$NewTenant - All Contacts" -RecipientFilter "(CustomAttribute1 -eq '$NewTenant') -and (ObjectClass -eq 'Contact')" -RecipientContainer "cloud.local/Tenants/$NewTenant"

###Create All Groups Address List
  New-AddressList -Name "$NewTenant - All Groups" -RecipientFilter "(CustomAttribute1 -eq '$NewTenant') -and (ObjectClass -eq 'Group')" -RecipientContainer "cloud.local/Tenants/$NewTenant"

###Create the Offline Address Book
  New-OfflineAddressBook -Name "$NewTenant - OAB" -AddressLists "$NewTenant - GAL"

###Create the Email Address Policy
  New-EmailAddressPolicy -Name "$NewTenant - EAP" -RecipientContainer "cloud.local/Tenants/$NewTenant" -IncludedRecipients "AllRecipients" -ConditionalCustomAttribute1 "$NewTenant" -EnabledEmailAddressTemplates "smtp:%g.%s@$NewTenantDomain","SMTP:%m@$NewTenantDomain"

###Create the Address Book Policy - the OAB is referenced by the full name it was created with ("$NewTenant - OAB")
  New-AddressBookPolicy -Name "$NewTenant" -AddressLists "$NewTenant - All Users", "$NewTenant - All Contacts", "$NewTenant - All Groups" -GlobalAddressList "$NewTenant - GAL" -OfflineAddressBook "$NewTenant - OAB" -RoomList "$NewTenant - All Rooms"

###Create the First User - double quotes so $NewTenant and $NewTenantDomain expand (single quotes keep the literal text); the password from the credential prompt is passed with -Password
  $c = Get-Credential
  $u = New-Mailbox -Name 'Tenant 1 User 1' -Alias 'tenant1user2' -OrganizationalUnit "host.local/Hosted Customers/House Accounts/$NewTenant" -UserPrincipalName "tenant1user2@$NewTenantDomain" -SamAccountName 'tenant1user2' -FirstName 'Test' -Initials '1' -LastName 'User 2' -Password $c.Password -ResetPasswordOnNextLogon $false -AddressBookPolicy "$NewTenant"
  Set-Mailbox $u -CustomAttribute1 "$NewTenant"

##############################################
###Be sure to run Update-OfflineAddressBook after creating everything. Also when creating mailbox users you must put the tenant's name in the mailbox CustomAttribute1.
  Update-OfflineAddressBook "$NewTenant - OAB"


0

jct_777 (Author) commented:
Hi,

Please suggest how to do this through the EAC in Exchange 2013. I am finding it a little bit difficult through PowerShell.

Regards,

JCT
0
Jian An Lim (Solutions Architect) commented:
You can't achieve this via the EAC.
PowerShell is the way to go.

You can go through the process below, which explains each command and the result it achieves.
https://technet.microsoft.com/en-us/library/hh529916(v=exchg.150).aspx
0
jrhelgeson commented:
Yeah, sorry... it is possible to do some portions through EMC, just not as practical. You can create the custom attribute for users, but creating the GAL must be done by powershell.

Are all of your users already created?  Are they already sorted into their own OU?
You'd need to edit each user within that OU and give them all a Custom Attribute (by selecting all the users, modifying them together, and setting the attribute), then create a new Global Address List that filters based upon OU and the Custom Attribute that is shared among all those users.

Here's the link to the MS guide on Custom Attributes:
https://technet.microsoft.com/en-us/library/ee423541%28v=exchg.150%29.aspx
0
jct_777 (Author) commented:
Hi,

All the users are already created, and all of them are placed in their respective OUs. How do I add custom attributes for all the users?

Suppose my domain name is Universe.Com and the OU names are Chicago, NewYork, Canada, Philadelphia and Japan.

How should I create the ABP for the above-mentioned users in their respective OUs?

Regards,

JCT
0
jrhelgeson commented:
I don't have an Exchange 2013 server to test against, but the method in 2010 would be from within the Exchange Management Console: go to Recipient Configuration | Mailbox.

Sort the list by Organizational Unit and select (highlight) all the users that are grouped in that OU (shift+click), then right-click the selection and click properties. This enables you to change settings for multiple users simultaneously.

Give these users the same attribute, then you can identify that attribute when creating custom GAL's based upon OU & Attribute by using the commands provided above.  The attribute must be EXACT for each user, so "sales" and "Sales" are not the same.

Custom Email Attributes
0
jct_777 (Author) commented:
Hi,

Was on leave. Joined today. Will update within a couple of days.

JCT
0
jct_777 (Author) commented:
Dear All,

I am having difficulty in creating the ABP for the users.

Please help me if my domain name is Universe.Com and the OU names are Chicago, NewYork, Canada, Philadelphia and Japan.

How should I create the above-mentioned commands in PowerShell with the above-mentioned domain name and OUs?

I am new to this server world, which is why I am facing so much confusion.

Regards,

JCT
0
jrhelgeson commented:
Okay, have you done what I told you to do in my previous comment?  If so, let me know that you've done that part and then we can do the next step.

What I will need from you is the OU path, and the Custom Attribute you created for all the objects in that OU.
0
jct_777 (Author) commented:
Hi,

As per your advice, in the custom attribute tab of some users I have added the same name as the OU. I am testing this for some users first; if it succeeds then I will implement it in the live environment. What is the next step?

You mentioned: "What I will need from you is the OU path, and the Custom Attribute you created for all the objects in that OU."

Is what I did correct? Please suggest.



Regards,

JCT
0
jrhelgeson commented:
I will presume that for each site, such as Japan, users will be placed in OU=Japan, and have the custom attribute 1 set to "Japan".  Also within this OU=Japan container, there will be resources, such as meeting rooms,  etc.  All those objects must also share the same custom attribute.

Give me a sample path to use, and I'll customize the script provided above.
Examples of a path:
Office Location: Japan
Directory Path: Universe.com/locations/Japan
LDAP Distinguished Name Path: "OU=Japan,OU=locations,DC=Universe,DC=com"

Programmatically, you set the variable $OfficeLocation = Japan:
$OfficeLocation = Japan
Directory Path: Universe.com/locations/$OfficeLocation
LDAP Distinguished Name Path: "OU=$OfficeLocation,OU=locations,DC=Universe,DC=com"

This is exactly what the script above is doing, and will set that up once you give me a sample to use so you don't get confused.
0
jct_777 (Author) commented:
Hi,

For custom attribute 1, I have given the users the names of their OUs.

My domain name is Universe.Com and the OU names are Chicago, NewYork, Canada, Philadelphia and Japan.

Under the domain I have created OU=Locations and the OUs Japan, Canada, etc., as you mentioned above.

The distinguished name: OU=Japan,OU=locations,DC=Universe,DC=com

My next working day will be 18th October. If you can help me solve the issue today I will be grateful to you.

Regards,

JCT
0
jrhelgeson commented:
Ok, here is a simplified version of the script.  Copy this code, paste it to a text file, change the variable names, then paste the whole line of text into your Exchange PowerShell.

This will set variable of $NewTenant to "Japan", then use that variable name to do the following:
1) Create Global Address List
2) Create All Rooms Address List
3) Create All Users Address List
4) Create All Contacts Address List
5) Create All Groups Address List
6) Create the Offline Address Book
7) Create the Address Book Policy

$NewTenant = "Japan"   ### the value must be quoted; unquoted, PowerShell tries to run "Japan" as a command

###Create Global Address List
  New-GlobalAddressList -Name "$NewTenant - GAL" -ConditionalCustomAttribute1 "$NewTenant" -IncludedRecipients MailboxUsers -RecipientContainer "Universe.com/locations/$NewTenant"

###Create All Rooms Address List
  New-AddressList -Name "$NewTenant - All Rooms" -RecipientFilter "(CustomAttribute1 -eq '$NewTenant') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')" -RecipientContainer "Universe.com/locations/$NewTenant"

###Create All Users Address List
  New-AddressList -Name "$NewTenant - All Users" -RecipientFilter "(CustomAttribute1 -eq '$NewTenant') -and (ObjectClass -eq 'User')" -RecipientContainer "Universe.com/locations/$NewTenant"

###Create All Contacts Address List
  New-AddressList -Name "$NewTenant - All Contacts" -RecipientFilter "(CustomAttribute1 -eq '$NewTenant') -and (ObjectClass -eq 'Contact')" -RecipientContainer "Universe.com/locations/$NewTenant"

###Create All Groups Address List
  New-AddressList -Name "$NewTenant - All Groups" -RecipientFilter "(CustomAttribute1 -eq '$NewTenant') -and (ObjectClass -eq 'Group')" -RecipientContainer "Universe.com/locations/$NewTenant"

###Create the Offline Address Book
  New-OfflineAddressBook -Name "$NewTenant - OAB" -AddressLists "$NewTenant - GAL"

###Create the Address Book Policy - the OAB is referenced by the full name it was created with ("$NewTenant - OAB")
  New-AddressBookPolicy -Name "$NewTenant" -AddressLists "$NewTenant - All Users", "$NewTenant - All Contacts", "$NewTenant - All Groups" -GlobalAddressList "$NewTenant - GAL" -OfflineAddressBook "$NewTenant - OAB" -RoomList "$NewTenant - All Rooms"

##############################################
###Be sure to run Update-OfflineAddressBook after creating everything. Also when creating mailbox users you must put the tenant’s name in the mailbox CustomAttribute1.
  Update-OfflineAddressBook "$NewTenant - OAB"




Then, once you've done it with "Japan", then change the variable to "Chicago" and paste the commands, in order, into the exchange powershell.

You could just search & replace "$NewTenant" with "Japan" and accomplish the same result, but then you'd need to replace all instances of "Japan" with "Chicago" and re-run the commands.
0
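The comment above repeats the same block of commands once per location, changing the variable by hand each time. The script below is an added example, not jrhelgeson's script, that runs that procedure for every OU the asker listed in one loop and adds the two steps the thread's notes call out but the pasted block leaves to the reader: stamping CustomAttribute1 on every mailbox in the OU, and assigning the resulting ABP to those mailboxes. It assumes the Exchange Management Shell on Exchange 2013, the domain Universe.com, and location OUs directly under Universe.com/locations (the paths given earlier in the thread); object names follow the thread's convention ("Japan - GAL", "Japan - OAB", ABP "Japan"). The `New-IfMissing` helper is an assumed name, written here so the script can be re-run without "already exists" errors.

```powershell
# Added example (not from the thread). Assumes: Exchange Management Shell, Exchange 2013,
# domain Universe.com, location OUs under Universe.com/locations.
$Domain    = "Universe.com"
$ParentOU  = "$Domain/locations"
$Locations = @("Chicago", "NewYork", "Canada", "Philadelphia", "Japan")

# Create an object only when it does not already exist, so re-running the script
# does not stop on "already exists" errors.
function New-IfMissing {
    param(
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][scriptblock]$Exists,
        [Parameter(Mandatory)][scriptblock]$Create
    )
    if (& $Exists) { Write-Host "exists : $Label" }
    else           { & $Create | Out-Null; Write-Host "created: $Label" }
}

function New-LocationAddressBookPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,       # e.g. "Japan"; also the CustomAttribute1 value
        [Parameter(Mandatory)][string]$Container   # e.g. "Universe.com/locations/Japan"
    )

    # Step 1: stamp every mailbox in the OU. The filters below compare CustomAttribute1
    # exactly, so the stamp and the filters must use the identical string, case included.
    Get-Mailbox -OrganizationalUnit $Container -ResultSize Unlimited |
        Set-Mailbox -CustomAttribute1 $Name

    # Step 2: the GAL, scoped to both the OU and the attribute.
    New-IfMissing "$Name - GAL" `
        { Get-GlobalAddressList -Identity "$Name - GAL" -ErrorAction SilentlyContinue } `
        { New-GlobalAddressList -Name "$Name - GAL" -ConditionalCustomAttribute1 $Name `
              -IncludedRecipients MailboxUsers -RecipientContainer $Container }

    # Step 3: the address lists the ABP references (filters as used in the thread).
    $lists = @{
        "All Rooms"    = "(CustomAttribute1 -eq '$Name') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')"
        "All Users"    = "(CustomAttribute1 -eq '$Name') -and (ObjectClass -eq 'User')"
        "All Contacts" = "(CustomAttribute1 -eq '$Name') -and (ObjectClass -eq 'Contact')"
        "All Groups"   = "(CustomAttribute1 -eq '$Name') -and (ObjectClass -eq 'Group')"
    }
    foreach ($suffix in $lists.Keys) {
        $listName = "$Name - $suffix"
        New-IfMissing $listName `
            { Get-AddressList -Identity $listName -ErrorAction SilentlyContinue } `
            { New-AddressList -Name $listName -RecipientFilter $lists[$suffix] -RecipientContainer $Container }
    }

    # Step 4: the OAB, generated from the location GAL.
    New-IfMissing "$Name - OAB" `
        { Get-OfflineAddressBook -Identity "$Name - OAB" -ErrorAction SilentlyContinue } `
        { New-OfflineAddressBook -Name "$Name - OAB" -AddressLists "$Name - GAL" }

    # Step 5: the ABP. The OAB is referenced by its full name "<Name> - OAB".
    New-IfMissing "ABP $Name" `
        { Get-AddressBookPolicy -Identity $Name -ErrorAction SilentlyContinue } `
        { New-AddressBookPolicy -Name $Name `
              -AddressLists "$Name - All Users", "$Name - All Contacts", "$Name - All Groups" `
              -GlobalAddressList "$Name - GAL" -OfflineAddressBook "$Name - OAB" -RoomList "$Name - All Rooms" }

    # Step 6: assign the ABP. A mailbox with no ABP keeps the default GAL and sees everyone.
    Get-Mailbox -OrganizationalUnit $Container -ResultSize Unlimited |
        Set-Mailbox -AddressBookPolicy $Name

    # Step 7: regenerate the OAB so cached-mode Outlook clients download the new list.
    Update-OfflineAddressBook -Identity "$Name - OAB"
}

foreach ($loc in $Locations) {
    New-LocationAddressBookPolicy -Name $loc -Container "$ParentOU/$loc"
}
```

Save it as a .ps1 file and run it from the Exchange Management Shell, not a plain PowerShell window, since the Exchange cmdlets are only loaded there. A locally created script runs under the RemoteSigned execution policy, so Unrestricted is not needed for it. Outlook in cached mode shows the change only after its next OAB download; Outlook Web App and online mode reflect the assigned ABP immediately.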
jct_777 (Author) commented:
Hi,
Thanks a lot. On the 18th I will join. I will update you the same day or the other day.
I think the above script will solve my issue. Will get back to you if there is any issue.

Regards,
Jct
0
jct_777 (Author) commented:
Hi,

I have copied the above commands into the PS. But it's giving me an error. I am doing this testing in one of the test OUs, so I removed Japan and added my test OU, which is Test1, and also my domain, which is Universe.com.

The output is giving me an error. I have attached a snapshot of the error.

Regards,

JCT
ABP-Error.jpg
0
jrhelgeson commented:
Copy all that text then and paste it into a text file, save it with a .ps1 extension and then run it.

You'll have to run this command prior to running your script:
Set-ExecutionPolicy unrestricted
0
jct_777 (Author) commented:
Hi,

As per your suggestion, first I need to run the command in the PowerShell, i.e. Set-ExecutionPolicy unrestricted.

Then after that I need to copy the script and run it.
I will do this tomorrow and update you tomorrow itself.
Regards,
Jct
0
jct_777 (Author) commented:
Hi,

As you mentioned in the above post, I copied the script into Notepad and saved it with .ps1.

I first executed the command Set-ExecutionPolicy unrestricted.
Then I ran the command that is in the .ps1 file. During execution I saw a lot of errors in red and it closed automatically. After this I updated the offline address book by typing the command below:
Update-OfflineAddressBook "$NewTenant - OAB" (This also gave me an error.)

I have attached the error pic & also the script that I copied to .ps1 file .

Regards,

JCT
Error.jpg
New.docx
0
jrhelgeson commented:
You need to be running this within the Exchange PowerShell.
From the command line you'd need to run the script using ./filename.ps1

-Joel
0
jct_777 (Author) commented:
Hi,
I didn't understand what you meant to say. After saving it to .ps1 I right-clicked it and selected Run.

Regards,
Jct
0
jrhelgeson commented:
And what I meant to say is launch the Exchange PowerShell environment.
From that Exchange PowerShell environment, launch the file that you saved with the .ps1 extension.
So, if you saved your file as "AddressBooks.ps1" you would launch the Exchange PowerShell environment (NOT the regular PowerShell). And from there you would need to change the directory to where your AddressBook.ps1 file is located, then RUN it from the command line.

CD\  {your file path to AddressBook.ps1}
To run it, you'd type ./AddressBook.ps1
0
jct_777 (Author) commented:
Hi,

As per your advice, first I executed the command Set-ExecutionPolicy unrestricted.

Then I gave the path where my ABP.ps1 is saved, like c:\program files\ users\./ABP.ps1

It gave me error again.

Regards,

JCT
PS.jpg
0
jrhelgeson commented:
Okay, I've updated the configuration removing the variable, as this is apparently a problem with your setup.  Unless you've created a path in AD called "Test1" and users with the custom attribute of "Test1" then this will fail.

I would just run this command with the valid inputs, because if it creates the wrong things, you can always remove the items it creates.

Just paste each command into the Exchange PowerShell session.

###Create Global Address List
  New-GlobalAddressList -Name "Japan - GAL" -ConditionalCustomAttribute1 "Japan" -IncludedRecipients MailboxUsers -RecipientContainer "Universe.com/locations/Japan"

###Create All Rooms Address List
  New-AddressList -Name "Japan - All Rooms" -RecipientFilter "(CustomAttribute1 -eq 'Japan') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')" -RecipientContainer "Universe.com/locations/Japan"

###Create All Users Address List
  New-AddressList -Name "Japan - All Users" -RecipientFilter "(CustomAttribute1 -eq 'Japan') -and (ObjectClass -eq 'User')" -RecipientContainer "Universe.com/locations/Japan"

###Create All Contacts Address List
  New-AddressList -Name "Japan - All Contacts" -RecipientFilter "(CustomAttribute1 -eq 'Japan') -and (ObjectClass -eq 'Contact')" -RecipientContainer "Universe.com/locations/Japan"

###Create All Groups Address List
  New-AddressList -Name "Japan - All Groups" -RecipientFilter "(CustomAttribute1 -eq 'Japan') -and (ObjectClass -eq 'Group')" -RecipientContainer "Universe.com/locations/Japan"

###Create the Offline Address Book
  New-OfflineAddressBook -Name "Japan - OAB" -AddressLists "Japan - GAL"

###Create the Address Book Policy
  New-AddressBookPolicy -Name "Japan" -AddressLists "Japan - All Users", "Japan - All Contacts", "Japan - All Groups" -GlobalAddressList "Japan - GAL" -OfflineAddressBook "Japan" -RoomList "Japan - All Rooms"

##############################################
###Be sure to run Update-OfflineAddressBook after creating everything. Also when creating mailbox users you must put the tenant’s name in the mailbox CustomAttribute1.
  Update-OfflineAddressBook "Japan - OAB"


0

jct_777 (Author) commented:
Hi,

As it's the weekend here, I will join tomorrow. So I will paste the above new commands into the PowerShell and run them.

I will execute the above commands up to line no. 22.

After that I will update the offline address book.

Will update tomorrow.

Regards,

JCT
0
jct_777 (Author) commented:
Hi,

As per your advice I have copied and pasted the above commands one by one. All the command output was fine, apart from the last 3 commands, i.e.

###Create the Offline Address Book
  New-OfflineAddressBook -Name "Japan - OAB" -AddressLists "Japan - GAL"

###Create the Address Book Policy
  New-AddressBookPolicy -Name "Japan" -AddressLists "Japan - All Users", "Japan - All Contacts", "Japan - All Groups" -GlobalAddressList "Japan - GAL" -OfflineAddressBook "Japan" -RoomList "Japan - All Rooms"

 Update-OfflineAddressBook "Japan - OAB"

The above 3 are giving me an error. I have attached the error pic.

Regards,

JCT
PS-Error.jpg
0
jct_777 (Author) commented:
Hi,

The two commands below are working fine now, i.e.

###Create the Offline Address Book
  New-OfflineAddressBook -Name "Japan - OAB" -AddressLists "Japan - GAL"

###Create the Address Book Policy
  New-AddressBookPolicy -Name "Japan" -AddressLists "Japan - All Users", "Japan - All Contacts", "Japan - All Groups" -GlobalAddressList "Japan - GAL" -OfflineAddressBook "Japan" -RoomList "Japan - All Rooms"

Only the Update-OfflineAddressBook "Japan - OAB" command is giving me an error.

But when I open a user in the Japan OU and open Outlook, that user can see all the email IDs of all the users and also the one I created with your help.

Regards,

JCT
0
jrhelgeson commented:
You need to read the errors:

###Create the Offline Address Book
  New-OfflineAddressBook -Name "Japan - OAB" -AddressLists "Japan - GAL"


The Error with the command above was that "[Japan - OAB] already exists" so you can't re-create something that is already existing.  You can ignore this error.

###Create the Address Book Policy
  New-AddressBookPolicy -Name "Japan" -AddressLists "Japan - All Users", "Japan - All Contacts", "Japan - All Groups" -GlobalAddressList "Japan - GAL" -OfflineAddressBook "Japan - OAB" -RoomList "Japan - All Rooms"


The error from the command above was that the OfflineAddressBook had just the name on it of "Japan", rather than the proper name of "Japan - OAB" - that is fixed in the command above and re-running that should work without error.

Update-OfflineAddressBook "Japan - OAB"

In the error message you provided, you called it "Japan-OAB" (without spaces) and that address book doesn't exist.  The 2nd time you ran it there was no space between the command and the variable you put in quotes.

But when I open the user in Japan OU & open the outlook that user can see all the email ids of all the users & also the one I created with your help.

Does that mean success?
0
jct_777 (Author) commented:
Hi,

I have tried this command also: Update-OfflineAddressBook "Japan - OAB"

That was also giving me the same error. I will re-run the command again and will check.
Also, as I mentioned above, when the users in the Japan OU open Outlook they can see the new one created and also all the existing mail IDs in our organisation. I want them to see only the mail IDs that are in their OU.

Regards,

JCT
0
jrhelgeson commented:
The only way for this to happen is to have EVERYONE in your organization have a Custom Attribute set, and all of your address books be created using filtering based upon that attribute.  The problem being that you have a Global Address List that has no filter, therefore it applies to all users.  So after you create GAL's for all the special users, then you need to create a GAL that applies to everyone else.

Essentially what you are doing is creating your own multi-tenant hosted exchange environment, where tenant users in OU=FOO cannot see anyone outside of their own OU= path.
0
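The comment above explains why some users still see the whole organisation: every mailbox has to carry the attribute and an ABP, or it falls back to the default GAL. Before creating a catch-all policy it helps to know which mailboxes are in that state. The audit below is an added example, not part of the thread, that lists mailboxes with no ABP assigned, mailboxes whose CustomAttribute1 does not exactly match the name of their ABP (the exact-match point made earlier in the thread), and mailboxes outside the location OUs that the catch-all would have to cover; it also counts mailboxes per ABP. It assumes the Exchange Management Shell on Exchange 2013, the thread's convention that the ABP name equals the CustomAttribute1 value, and location OUs under Universe.com/locations. `Get-AbpCoverageReport` and `Get-AbpMailboxCounts` are names chosen for this example.

```powershell
# Added example (not from the thread). Assumes: Exchange Management Shell, Exchange 2013,
# ABP name == CustomAttribute1 value, location OUs under Universe.com/locations.
function Get-AbpCoverageReport {
    param([string]$LocationParent = "Universe.com/locations")

    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        $abpName = if ($mbx.AddressBookPolicy) { $mbx.AddressBookPolicy.Name } else { "" }
        $ou      = [string]$mbx.OrganizationalUnit
        $issues  = @()

        # No ABP at all: the user is served the default, unfiltered GAL.
        if (-not $abpName) {
            $issues += "no ABP assigned (user sees the default GAL)"
        }
        # -cne is case-sensitive, matching how the address list filters compare the value.
        elseif ($mbx.CustomAttribute1 -cne $abpName) {
            $issues += "CustomAttribute1 '$($mbx.CustomAttribute1)' differs from ABP '$abpName' (comparison is exact)"
        }
        # Outside the per-location structure: candidate for the catch-all attribute and ABP.
        if (-not $ou.StartsWith("$LocationParent/", [System.StringComparison]::OrdinalIgnoreCase)) {
            $issues += "outside $LocationParent; needs the catch-all attribute and ABP"
        }

        foreach ($issue in $issues) {
            $findings.Add([pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress.ToString()
                OU      = $ou
                ABP     = $abpName
                Issue   = $issue
            })
        }
    }
    return $findings
}

# Mailboxes per ABP, so an empty policy or an unexpectedly large one stands out.
function Get-AbpMailboxCounts {
    Get-Mailbox -ResultSize Unlimited |
        Group-Object { if ($_.AddressBookPolicy) { $_.AddressBookPolicy.Name } else { "(none)" } } |
        Select-Object @{ n = "ABP"; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

Get-AbpCoverageReport | Format-Table -AutoSize
Get-AbpMailboxCounts  | Format-Table -AutoSize
```

Run it after each location has been set up and again after the catch-all ABP exists; the goal is an empty findings table and a "(none)" row with a count of zero. Pipe `Get-AbpCoverageReport` to `Export-Csv` to keep a record of the state before and after the change.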
jct_777 (Author) commented:
Hi,

So as per your advice I have to set the custom attribute for the remaining users to the same value. Then I need to create a GAL based on the attribute. If I do this then the issue will be solved.

Is it correct?

Waiting for your reply.

Regards,

JCT
0
jrhelgeson commented:
Correct, all users that do not fall within the OU= isolation structure that you have built (Japan, London, Tokyo, etc.) will need to have their own custom attribute set, such as "Catchall" or "Other", then repeat the same process to create the GAL, Address Books, etc. for all others. Or, you could alternatively modify the existing Global Address List to filter out the users.


As I'm thinking this through, restricting access to GAL's you don't want people to see is complicating the process.  There are multiple ways to accomplish this, and if I recall, you'll need to restrict access to the Regional 'global' address list so that only people of that region can see it.

Let's get the creation of the regional address lists completed, then we can start a new question on how to restrict and isolate. How does that sound to you?

-Joel
0
jct_777 (Author) commented:
Hi,

Thanks for your entire support. Got to learn a lot from you.

Regards,
Jct
0
jrhelgeson commented:
Post a link to any new question here and we can proceed.
0
jct_777 (Author) commented:
Hi Joel,

I am going to close this issue. With your help the issue has been solved. I have not tested for other users. But as I mentioned above, when the users in the Japan OU open their Outlook they can see the new ones created and also all the mail IDs in the organization.

But you mentioned that I have to do the same settings as I did for the Japan OU and then it will be fine. This I will do later, and if I face any problem I will contact you.

Thanks once again for the help.

Regards,

JCT
0
jct_777 (Author) commented:
The Update-OfflineAddressBook command is not working till now.

Regards,

JCT
0