Block Users Seeing Exchange 2010 Global Address List (GAL) – Applies to Exchange 2007 Also

Written by Allen White on. Posted in Exchange 2007, Exchange 2010, Microsoft, Microsoft Outlook, Server 2008

On a recent project I was asked if I could block certain users from seeing the Default Global Address List. These users worked for the client's externally sourcing business; they needed to mail on behalf of the client, but the client did not want them to be able to see other users on the GAL.

Having a quick look around, I thought this would be simple, but I could not find a way of stopping these users from seeing the GAL. GAL segmentation is almost here for Exchange hosted solutions, but for on-site Exchange 2010 solutions it's not so simple. I found a way of doing it. I'm the first to agree this is what I call a BODGE; however, it does the job. So read on if you want to block users seeing the Exchange 2010 Global Address List. There is a video walkthrough at the end of the article.


Well, a bodge, but it looks good. So the first thing you need to do is create a security group; call it BlockGAL. Then add to it the users who you do not want to be able to view the GAL.

Once done, on a Domain Controller, run ADSI Edit.

Then navigate to the following branch.

CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=YOUR-ORG, CN=Address Lists Container, CN=All Global Address Lists

On the right-hand side you will now see your Global Address List. Right-click it and select Properties, then the Security tab.

Simply click Add, add the security group you have created, and then select Deny for the Read right. Voila! The users will now not be able to see the GAL.
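The same deny entry can be scripted and then read back to confirm it was written. This is an added example, not part of the original article: it assumes the ActiveDirectory PowerShell module, an account allowed to edit the Configuration partition, that the BlockGAL group already exists, and that the GAL is named "Default Global Address List"; `YOUR-ORG` is a placeholder and `Get-BlockGalDenyAce` is a hypothetical helper name.

```powershell
# Added example: scripts the ADSI Edit step above and verifies the result.
# Assumptions: ActiveDirectory module available, BlockGAL already exists,
# and the placeholder names below are replaced with your own values.
Import-Module ActiveDirectory

$OrgName   = 'YOUR-ORG'                      # Exchange organisation name (placeholder)
$GroupName = 'BlockGAL'                      # security group from the article
$GalName   = 'Default Global Address List'   # assumed name of the GAL object

# Build the DN of the GAL object inside the Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$galDn = "CN=$GalName,CN=All Global Address Lists,CN=Address Lists Container," +
         "CN=$OrgName,CN=Microsoft Exchange,CN=Services,$configNC"
$path = "AD:\$galDn"

$sid  = (Get-ADGroup -Identity $GroupName -ErrorAction Stop).SID
$read = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$deny = [System.Security.AccessControl.AccessControlType]::Deny

function Get-BlockGalDenyAce {
    # Explicit (non-inherited) deny ACEs for the group that cover all Read rights.
    $rules = (Get-Acl -Path $path).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    $rules | Where-Object {
        $_.AccessControlType -eq $deny -and
        $_.IdentityReference.Value -eq $sid.Value -and
        ([int]$_.ActiveDirectoryRights -band [int]$read) -eq [int]$read
    }
}

# Add the deny ACE only if it is not already present, so re-runs are harmless.
if (-not (Get-BlockGalDenyAce)) {
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
                -ArgumentList $sid, $read, $deny
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Read the ACE back from the directory rather than trusting the write.
$ace = Get-BlockGalDenyAce
if ($ace) {
    $ace | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
} else {
    Write-Warning "Deny Read ACE for $GroupName not found on $galDn"
}
```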

Block users from seeing the GAL



Allen White
Allen is a Consultant for ITPS in the North East of England and holds the following accreditations. MCSA, MCSE, MCTS, MCITP, CCA, CCSP, VCP 4,5 and HP ASE, AIS - Network Infrastructure.



Comments (5)

  • Ian Jennings


    Hi Alan,

    This didn't work; I have Exchange 2010.

    Do you think I need to restart? It's a demanding server so I can only restart at 3 in the morning.




    • Allen White


      Hi Ian, no, it should not need a restart as it is a security change. Has the user not just cached the GAL? This article was also created before GAL segmentation arrived; if you run Exchange 2010 SP3 you can now specify via policy what parts of the GAL users can use.


  • IT Guy


    The ADSI security denials didn't work in my case for Exchange 2010, even though I've seen other documentation indicating it should also. Tried denying @

    "CN=Address Lists Container,CN=mycompany,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain1,DC=com"

    "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=mycompany,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain1,DC=com"

    and also CN=Offline Address Lists & CN=mycompany OAB

    What did work was on the Exchange server >> IIS Manager >> Sites >> Default Web Site >> OAB >> Edit Permissions >> Security >> deny any read access to the user/group


  • Daniel Sølvertorp


    This was just what I needed! Thank you. Works like a charm when you have created the GAL etc.


  • varun


    Thanks for sharing the information.
    Currently, we have 2 GALs. We need to divide the GALs between groups.
    Group 1 can see only GAL A and vice versa.
    Currently we have Exchange 2013 SP1.
    Please share the steps; we also need to do this with the OAB for MAPI connections.

