Block Users Seeing Exchange 2010 Global Address List (GAL) – Applies to Exchange 2007 Also

Written by Allen White on. Posted in Exchange 2007, Exchange 2010, Microsoft, Microsoft Outlook, Server 2008

On a recent project I was asked if I could block certain users from seeing the Default Global Address List. These users worked for the client's externally sourcing business; they needed to mail on behalf of the client, but the client did not want them to be able to see other users on the GAL.

Having a quick look around I thought this would be simple, but I could not find a way of stopping these users from seeing the GAL. GAL segmentation is almost here for Exchange hosted solutions, but for onsite Exchange 2010 solutions it's not so simple. I found a way of doing it. I'm the first to agree this is what I call a BODGE, however it does the job. So read on if you want to block users seeing the Exchange 2010 Global Address List. There is a video walkthrough at the end of the article.


Well, a bodge, but it looks good. So the first thing you need to do is create a security group; call it BlockGAL. Then add to it the users who you do not want to be able to view the GAL.

Once done, on a Domain Controller, run ADSI Edit.

Then navigate to the following branch.

CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=YOUR-ORG, CN=Address Lists Container, CN=All Global Address Lists

On the right-hand side you will now see your Global Address List. Right-click it and select Properties, then the Security tab.

Simply click Add and add the security group you have created, then select Deny for the Read right, and voila! The users will now not be able to see the GAL.
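
The same deny entry can be applied and checked from the Exchange Management Shell instead of ADSI Edit. This is an added example, not part of the original article; it assumes the BlockGAL group already exists and that `GenericRead` is the shell equivalent of the Read checkbox on the Security tab.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2007/2010)
# with rights to modify objects in the Configuration partition.
# Assumption: the BlockGAL security group from the steps above already exists.
$group = 'BlockGAL'

# Resolve the GAL object rather than hand-typing the DN shown in ADSI Edit.
$gal = Get-GlobalAddressList -Identity 'Default Global Address List'
$dn  = $gal.DistinguishedName
Write-Host "Target object: $dn"

# Show what is already on the object before changing anything,
# so the change can be reviewed and reversed later.
$before = Get-ADPermission -Identity $dn | Where-Object { -not $_.IsInherited }
$before | Format-Table User, Deny, AccessRights -AutoSize

# Shell counterpart of ticking Deny / Read for the group
# (GenericRead is assumed to match the GUI "Read" permission).
Add-ADPermission -Identity $dn -User $group -Deny -AccessRights GenericRead

# Verify: an explicit (non-inherited) Deny entry for the group must now exist.
$deny = Get-ADPermission -Identity $dn | Where-Object {
    $_.Deny -and
    -not $_.IsInherited -and
    $_.User.ToString() -like ('*\' + $group)
}

if ($deny) {
    $deny | Format-Table User, Deny, AccessRights, IsInherited -AutoSize
} else {
    Write-Warning "No explicit Deny entry for $group found on $dn"
}

# Rollback, if the change has to be undone:
# Remove-ADPermission -Identity $dn -User $group -Deny -AccessRights GenericRead
```

The check only confirms the directory permission; as the comments on this page note, a client that has already cached the GAL or downloads the Offline Address Book may still show entries.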



Allen White

Allen is a Technical Consultant for an IT company in the North East of England and holds the following accreditations: MCSA, MCSE, MCTS, MCITP, CCA, CCSP, VCP 4,5 and HP ASE, AIS - Network Infrastructure. Backup Academy Certified. I run this site in my spare time, so if I help you then PLEASE take the time to share using the share tools on the site.

Comments (3)

  • Ian Jennings


    Hi Alan,

    This didn't work, I have Exchange 2010.

    Do you think I need to restart? It's a demanding server so I can only restart at 3 in the morning.




    • Allen White


      Hi Ian, no, it should not need a restart as it is a security change. Has the user not just cached the GAL? This article was also created before GAL segmentation arrived; if you run Exchange 2010 SP3 you can now specify via policy what parts of the GAL users can use.


  • IT Guy


    The ADSI security denials didn't work in my case for Exchange 2010 even though I've seen other documentation indicating it should also. Tried denying @

    "CN=Address Lists Container,CN=mycompany,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain1,DC=com"

    "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=mycompany,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain1,DC=com"

    and also CN=Offline Address Lists & CN=mycompany OAB

    What did work was on the Exchange server >> IIS Manager >> Sites >> Default Web Site >> OAB >> Edit Permissions >> Security >> deny any read access to the user/group

