locked
Show or hide GAL to some users RRS feed

  • Question

  • Hi,

    I need to hide all GAL to some users.

    How can I do ?

    Thanks,

    Thursday, September 1, 2016 3:17 PM

Answers

  • Hi

    Look here, it might be what you looking for:

    Create an OU and then add the users to this OU and restrict rights.

    http://www.techieshelp.com/block-users-seeing-exchange-2010-global-address-list-gal-applies-to-exchange-2007-also/


    Microsoft PFE

    Thursday, September 1, 2016 3:26 PM
  • Hi,

    Correctly.

    From internal, Outlook for Mac clients connect directly to the global catalog server and query Active Directory directly instead of using the Microsoft Exchange Address Book service.
    However, ABPs remain works for external Outlook for Mac clients.

    Moreover, if you only want to limit few users to view GAL, you can double check the Edward's suggestion.

    Base on my test, I select Deny "Full Control" and it works fine. Figure as below:
    Also, run "Get-Mailbox two | FL AddressListMembership" command to check the address list for this mailbox, figure as below:
    Check in OWA:


    Note: Add Deny permission with user "Two" into All Global Address Lists and All Address Lists.


    Allen Wang
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Allen_WangJF Monday, September 12, 2016 3:11 PM
    • Marked as answer by Allen_WangJF Monday, September 19, 2016 2:16 PM
    Monday, September 12, 2016 2:05 AM

All replies

  • Hi

    Look here, it might be what you looking for:

    Create an OU and then add the users to this OU and restrict rights.

    http://www.techieshelp.com/block-users-seeing-exchange-2010-global-address-list-gal-applies-to-exchange-2007-also/


    Microsoft PFE

    Thursday, September 1, 2016 3:26 PM
  • Unfortunately either ADSI Edit and OAB virtual directory read deny approach it didn't work :-(

    Do i need some IIS reset or something ?

    Thansk,

    Friday, September 2, 2016 7:30 AM
  • You can use Address Book Policies:

    https://technet.microsoft.com/en-us/library/hh529948(v=exchg.141).aspx

    In your case you can simple create an empty address book and assign it to the user you want.

    Roberto


    Roberto Ferazzi
    Microsoft® MVP Office Server & Services (Exchange Server)
    Moderator in the Microsoft TechNet Italy Forums
    My MVP Profile

    MSExchange.Community

    • Proposed as answer by Allen_WangJF Sunday, September 4, 2016 2:55 AM
    Friday, September 2, 2016 9:21 AM
  • Hi,

    Base on my test, the method as Edward provided works correctly, we don't need reset IIS.
    For OWA client: logoff and re-login.
    For Outlook client: manually remove OAB file from profile, then restart Outlook client.

    Moreover, if you want to customize address list for each domain, ABPs may be better.


    Allen Wang
    TechNet Community Support


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Sunday, September 4, 2016 3:19 AM
  • I am using Exchange 2013 but in my environment both methods failed. (I tried logging off and logging on)

    Can you please suggest way to debug this behavior ?

    Thanks

    Monday, September 5, 2016 7:28 AM
  • I address book policies not worked, I suggest you to go over again on the TechNet page that I provided:

    https://technet.microsoft.com/en-us/library/hh529948(v=exchg.141).aspx

    I you did all right, there's no reason why not work.

    Roberto


    Roberto Ferazzi
    Microsoft® MVP Office Server & Services (Exchange Server)
    Moderator in the Microsoft TechNet Italy Forums
    My MVP Profile

    MSExchange.Community

    Monday, September 5, 2016 1:39 PM
  • I am trying it right now. I tested Edward solutions without luck.

    A problem that I can see with ABP is that it doesn't work with Outlook 2011 for MAC (and this is partially the case) :-(

    Tuesday, September 6, 2016 7:18 AM
  • Hi,

    Correctly.

    From internal, Outlook for Mac clients connect directly to the global catalog server and query Active Directory directly instead of using the Microsoft Exchange Address Book service.
    However, ABPs remain works for external Outlook for Mac clients.

    Moreover, if you only want to limit few users to view GAL, you can double check the Edward's suggestion.

    Base on my test, I select Deny "Full Control" and it works fine. Figure as below:
    Also, run "Get-Mailbox two | FL AddressListMembership" command to check the address list for this mailbox, figure as below:
    Check in OWA:


    Note: Add Deny permission with user "Two" into All Global Address Lists and All Address Lists.


    Allen Wang
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Allen_WangJF Monday, September 12, 2016 3:11 PM
    • Marked as answer by Allen_WangJF Monday, September 19, 2016 2:16 PM
    Monday, September 12, 2016 2:05 AM
  • Hi,

    Is there any updates about this issue? Please feel free to let me know.


    Allen Wang
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Saturday, September 17, 2016 1:07 PM