Block Users Seeing Exchange 2010 Global Address List (GAL) – Applies to Exchange 2007 Also

On a recent project I was asked if I could block certain users from seeing the Default Global Address List. These users worked for the client's externally sourcing business; they needed to mail on behalf of the client, but the client did not want them to be able to see other users in the GAL.

Having had a quick look around, I thought this would be simple, but I could not find a way of stopping these users from seeing the GAL. GAL segmentation is almost here for Exchange hosted solutions, but for on-site Exchange 2010 solutions it's not so simple. I found a way of doing it. I'm the first to agree this is what I call a BODGE; however, it does the job. So read on if you want to block users seeing the Exchange 2010 Global Address List. There is a video walkthrough at the end of the article.

Solution

Well, it's a bodge, but it looks good. The first thing you need to do is create a security group; call it BlockGAL. Then add to it the users you do not want to be able to view the GAL.

Once done, on a Domain Controller, run ADSI Edit.

Then navigate to the following branch:

CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=YOUR-ORG, CN=Address Lists Container, CN=All Global Address Lists

On the right-hand side you will now see your Global Address List. Right-click it and select Properties, then the Security tab.

Simply click Add, add the security group you have created, and then select Deny for the Read right. Voila! The users will now not be able to see the GAL.

Block users from seeing the GAL
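
The same change scripted, as an added example that is not from the original article. It assumes the RSAT ActiveDirectory module, that the BlockGAL group already exists, that `YOUR-ORG` is replaced with your Exchange organization name, and that the GUI "Read" checkbox corresponds to `GenericRead`; the function name `Set-GalDenyRead` is hypothetical.

```powershell
# Added example: scripted equivalent of the ADSI Edit steps above.
# Assumptions: ActiveDirectory module available, BlockGAL group already exists,
# 'YOUR-ORG' is the article's placeholder for the Exchange organization name,
# and the GUI "Read" deny checkbox is taken to mean GenericRead.
Import-Module ActiveDirectory

function Set-GalDenyRead {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Organization = 'YOUR-ORG',
        [string]$GroupName    = 'BlockGAL'
    )
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=All Global Address Lists,CN=Address Lists Container," +
                 "CN=$Organization,CN=Microsoft Exchange,CN=Services,$configNC"
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Deny)

    # Each child of "All Global Address Lists" is one GAL object.
    Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter * | ForEach-Object {
        $gal  = $_
        $path = "AD:\$($gal.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        # Idempotence: skip when an explicit deny ACE for the group already exists.
        $existing = $acl.GetAccessRules($true, $false,
                [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq $sid }
        if (-not $existing -and
            $PSCmdlet.ShouldProcess($gal.DistinguishedName, "Deny GenericRead to $GroupName")) {
            $acl.AddAccessRule($rule)
            Set-Acl -Path $path -AclObject $acl
        }
        # Report explicit deny ACEs so the change can be reviewed and later reverted.
        (Get-Acl -Path $path).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
            Select-Object @{n='GAL';e={$gal.Name}}, IdentityReference, ActiveDirectoryRights
    }
}

Set-GalDenyRead -WhatIf   # dry run; drop -WhatIf to apply the deny ACE
```

The report at the end lists every explicit deny ACE on each GAL object, which gives you a record of what to remove if the restriction is later lifted.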


Tags: GAL

Allen White

Allen is a Consultant for ITPS in the North East of England and holds the following accreditations. MCSA, MCSE, MCTS, MCITP, CCA, CCSP, VCP 4,5 and HP ASE, AIS - Network Infrastructure.

Comments (6)

  • Ian Jennings

    Hi Alan,

    This didn't work, I have Exchange 2010.

    Do you think I need to restart? It's a demanding server so I can only restart at 3 in the morning.

    Regards

    Ian

    • Allen White

      Hi Ian, no, it should not need a restart as it is a security change. Has the user not just cached the GAL? This article was also created before GAL segmentation arrived; if you run Exchange 2010 SP3 you can now specify via policy what parts of the GAL users can use.

    • Roxanne C

      I initially had the same issue, then figured it out by placing Deny permissions on all subcontainers of Address Lists Container.
      I’m on Exchange 2013.

      A big thanks to the author of the post, this is awesome!


  • IT Guy

    The ADSI security denials didn't work in my case for Exchange 2010 even though I’ve seen other documentation indicating it should also. Tried denying @

    “CN=Address Lists Container,CN=mycompany,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain1,DC=com”

    “CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=mycompany,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain1,DC=com”

    and also CN=Offline Address Lists & CN=mycompany OAB

    What did work was on the Exchange server >> IIS Manager >> Sites >> Default Web Site >> OAB >> Edit Permissions >> Security >> deny any read access to the user/group

  • Daniel Sølvertorp

    This was just what I needed! Thank you. Works like a charm when you have created the GAL etc.


  • varun

    Thanks for sharing the information.
    Currently, we have 2 GALs. We need to divide the GALs between groups.
    Group 1 can see only GAL A and vice versa.
    Currently we have Exchange 2013 SP1.
    Please share the steps and also we need to do with OAB also for MAPI connection.
