Block Users Seeing Exchange 2010 Global Address List (GAL) – Applies to Exchange 2007 Also
On a recent project I was asked if I could block certain users from seeing the Default Global Address List, these users worked for the client externally sourcing business, they needed to mail on behalf of the client but the client did not want them to be able to see other users on the GAL.
Having a quick look around I thought this would be simple but I could not find a way of stopping these users from seeing the GAL.GAL segmentation is almost here for exchange hosted solutions but for onsite exchange 2010 solutions its not so simple. I found a way of doing it, Im the first to agree this is what I call a BODGE, however it does the job. So read on if you want to Block Users Seeing Exchange 2010 Global Address List.There is a video walkthrough at the end of the article.
Well bodge but it looks good. So the first thing you need to do is create a security group Call it BlockGAL. Then add the users to it who you do not want to be able to view the GAL.
Once done, on a Domain Controller, run ADSI edit.
Then Navigate to the following branch.
CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=YOUR-ORG, CN=Address List Container CN=All Global Address Lists
On the right hand side you will now see your Global Address List. Right Click it and select properties then the security tab.
Simply click add and add the security group you have created andthen select deny to Read rights then voila! the users will now not be able to see the GAL.
this didnt work, i have exchange 2010.
Do you think i need to restart? its a demanding server so i can only restart at 3 in the morning.
Hi Ian, no, it should not need a restart as it is a security change,has the user not just cached the GAL? this article was also created before GAL segmentation arrived, if you run Exchange 2010 sp3 you can now specify via policy what parts of the GAL users can use.
I initially had the same issue, then figured it out by placing Deny permissions on all subcontainers of Address Lists Container.
I’m on Exchange 2013.
A big thanks to the author of the post, this is awesome!
The ADSI security denials didnt work in my case for Exchange 2010 even though I’ve seen other documentation indicating it should also. tried denying @
“CN=Address Lists Container,CN=mycompany,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain1,DC=com”
“CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=mycompany,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain1,DC=com”
and also CN=Offline Address Lists & CN=mycompany OAB
what did work was on the exchange server >> IIS manager >> sites >> default web site >> OAB >> edit permissions >> security >> deny any read access to the user/group
This was just what I needed! Thank you. Works like a charm when you have created the GAL etc.
Thanks for sharing the information.
Currently, we have 2 GAL. We need to divide GAL between group.
Group 1 can see only GAL A and vice versa.
Currently we have exchange 2013 sp1.
Please share the steps and also we need to do with OAB also for MAPI connection.