Exchange 2010 GAL Restrictions

  • Question

  • I run an Exchange 2010 SP1 server (non-hosting mode) and I am hosting several companies on it. Everything is running fine and we have a GAL for each company that is not visible to the other companies.

    Each GAL has a Recipient filter like so: "((CustomAttribute1 -eq 'company1') -and (Alias -ne $null))"

    Like I mentioned before, this works great until we add BES into the mix. BES requires the user 'besadmin' to view ALL the accounts under all companies. Therefore we added a 'Super-GAL' that has a Recipient filter of: "RecipientType -eq 'UserMailbox'"

    This in effect solves the BES problem but renders all the mailboxes visible to users in Outlook.

    In OWA, only the company's Address Book is visible, but in Outlook you also have the option to select 'GAL' and that's where they see them all.

    Is there any way to only allow user 'besadmin' access to this 'Super-GAL'?

    Is there any way to block regular clients from accessing this 'Super-GAL'?

    Thank you!

    Monday, August 29, 2011 1:04 PM

Answers

  • OK, I have this solved and it was rather easy.

    Like I mentioned, I already had several GALs, one for each company, and I needed a 'Super-GAL' for besadmin that would still be invisible to everyone else.

    Run: AdsiEdit.msc

    Browse down to: Services -> Microsoft Exchange -> your organization -> Address Lists Container -> All Global Address Lists -> right-click on your 'Super-GAL' and select Properties -> Security tab.

    I proceeded to stop the inheritance of permissions. I then removed the 'Everyone' account and changed 'Authenticated Users' to 'besadmin'. Et voilà. Now besadmin is the only one that can view this 'Super-GAL'.

    • Marked as answer by Jerome Xiong Thursday, September 1, 2011 2:03 AM
    Tuesday, August 30, 2011 2:24 PM
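    The same ACL change as the ADSI Edit steps above, scripted in PowerShell as an added example (not code from the thread). It assumes it is run from the Exchange Management Shell, that the GAL is named 'Super-GAL' and that the service account is CONTOSO\besadmin; the Authenticated Users ACEs are copied to besadmin before the Everyone and Authenticated Users entries are purged, so Exchange's own ACEs (copied from the parent when inheritance is broken) are left untouched.

    ```powershell
    # Added example: restrict who can read/open one GAL object in the Configuration partition.
    # Assumptions: Exchange Management Shell, GAL 'Super-GAL', account CONTOSO\besadmin.
    $galName  = 'Super-GAL'
    $besadmin = New-Object System.Security.Principal.NTAccount 'CONTOSO\besadmin'
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # Everyone
    $authUsrs = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'  # Authenticated Users

    # Locate the address-list object the way ADSI Edit does, but via its DN from Exchange.
    $dn    = (Get-GlobalAddressList -Identity $galName).DistinguishedName
    $entry = [ADSI]"LDAP://$dn"
    $acl   = $entry.ObjectSecurity

    # Stop inheritance and keep the inherited ACEs as explicit ones (same as the ADSI Edit prompt).
    $acl.SetAccessRuleProtection($true, $true)

    # Re-create every Authenticated Users ACE for besadmin, so it gets exactly the same rights
    # (read + Open Address List) that ordinary users had on this object.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.IdentityReference.Value -ne $authUsrs.Value) { continue }
        $copy = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
            $besadmin, $rule.ActiveDirectoryRights, $rule.AccessControlType, `
            $rule.ObjectType, $rule.InheritanceType, $rule.InheritedObjectType
        $acl.AddAccessRule($copy)
    }

    # Remove the broad principals; Exchange server/admin ACEs are not touched.
    $acl.PurgeAccessRules($everyone)
    $acl.PurgeAccessRules($authUsrs)

    $entry.ObjectSecurity = $acl
    $entry.CommitChanges()

    # Verification: list who still holds an Allow ACE on the GAL, with names instead of SIDs.
    $ntType = [System.Security.Principal.NTAccount]
    ([ADSI]"LDAP://$dn").ObjectSecurity.GetAccessRules($true, $true, $ntType) |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
        Format-Table -AutoSize
    ```

    Run it as an account that holds Full Control on the address-list object (the same rights ADSI Edit needs); Outlook clients pick up the change after their next address-book download.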

All replies

  • Not sure what you are doing is supported in non-hosting mode. Note that GAL segmentation will be built-in to 2010 SP2:

    http://blogs.technet.com/b/exchange/archive/2011/01/27/gal-segmentation-exchange-server-2010-and-address-book-policies.aspx

    Monday, August 29, 2011 1:13 PM
  • I understand that support for my config is a gray area, but what do you think about these two questions:

    Is there any way to only allow user 'besadmin' access to this 'Super-GAL'?

    Is there any way to block regular clients from accessing this 'Super-GAL'?

    Aka, can you give only some users access to read a GAL?

    Monday, August 29, 2011 1:31 PM
  • This is possible with a lot of effort setting ACLs on several objects, BUT I would not do it. Be patient and wait for SP2 as Andy mentioned.

    lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
    Monday, August 29, 2011 6:05 PM
  • And I think you don't need to create a "Super-GAL"; you just need to modify the security permissions on each address list and grant the Read and Open Address List permissions on all the address lists to besadmin.

    Thursday, September 1, 2011 2:05 AM
  • Hi Last1, I'm very interested in how you have set up segregated GALs in EX 2010 SP1 non-hosting. I know it's not supported, but can you detail what you have done to achieve this?

    Thanks

    Sunday, September 4, 2011 12:11 AM