How to manage address lists when you host virtual organizations (822940)



The information in this article applies to:

  • Microsoft Exchange Server 2003 Standard Edition
  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

SUMMARY

This step-by-step article describes how to create global address lists (GALs) and how to set security levels on the global address lists so only specific groups can view them.

When you use Microsoft Exchange Server 2003 in a hosting environment, you must create multiple global address lists. The address lists typically have different user accounts listed in them based on the Lightweight Directory Access Protocol (LDAP) filter that you create. By default, all the users in the Exchange 2003 organization can view all the defined global address lists. This may not be acceptable in some cases; for example, it would not be acceptable at a company that serves as an e-mail host for other companies. However, you can restrict access to a particular set of users for specific address lists.

How to create multiple Global Address Lists

Note In the following steps, the term "virtual organization" refers to a company for which you create a global address list.

To create a global address list, follow these steps:
  1. Log on as an administrator.
  2. Create an organizational unit for each virtual organization, and then create a global security group in the same organizational unit.
  3. Add all members of each virtual organization to the global group that you created for that virtual organization in step 2.
  4. To change the security of the default global address list to help make it inaccessible to users, follow these steps:
    1. Start Exchange System Manager.
    2. Expand Recipients, and then expand All Global Address Lists.
    3. Right-click Default Global Address List, and then click Properties.
    4. Click the Security tab.
    5. In the Name section, click the Authenticated Users group, click List Contents under the Permissions section, and then click to select the Deny check box.
    6. In the Permissions section, make sure that the Allow check box for Read is not selected.
    7. In the Name section, click the Everyone group, and then make sure that none of the Allow check boxes are selected under the Permissions section.
    8. Click Apply.
    9. When you receive the following message, click Yes, and then click OK:

      Caution! Deny entries take priority over Allow entries, which can cause unintended effects due to group memberships.

  5. Create a new global address list for each virtual organization, and then give each new global address list a filter that identifies the users who belong to that virtual organization. To do this, follow these steps:
    1. Right-click All Global Address Lists, and then click New Global Address List.
    2. Type a name for the new global address list, and then click Filter Rules.
    3. Click the Advanced tab.
    4. Create a filter criterion for group membership. To do this, follow these steps:
      • Click Field, click User, and then click Member of.
      • In the Condition box, click Is (exactly), type the distinguished name of the group in the Value box, and then click Add.

        Note Typing the display name of the group in the Value box does not produce the results that you want.
      • Click Find Now.
    5. Click OK, and then click Finish.

      For more information, click the following article number to view the article in the Microsoft Knowledge Base:

      321723 How to create an address list based on the group membership of users

    6. Repeat steps 1 through 5 for each Global Address List that you create for a virtual organization.
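The filter rule in step 5 is what decides who appears in each virtual organization's address list, so it is worth confirming it before the list goes live. The script below is an added example, not Microsoft's code or part of the Knowledge Base article: it builds the group-membership LDAP filter that the "Member of" field produces and runs it against the domain so you can see exactly which recipients the new list will contain. The group name CN=VOrg1 Users,OU=VOrg1,DC=domain,DC=com is a constructed placeholder; it also refuses a display name outright, because memberOf stores distinguished names and a display name matches nothing (the problem the note in step 4 describes).

```powershell
# Added example (not part of the KB article): build and verify the group-membership
# LDAP filter for a virtual organization's GAL before pasting it into Filter Rules.
# Assumed (constructed) name: the group CN=VOrg1 Users,OU=VOrg1,DC=domain,DC=com.
param(
    [string]$GroupDN = 'CN=VOrg1 Users,OU=VOrg1,DC=domain,DC=com'
)

function New-GalMembershipFilter {
    param([Parameter(Mandatory)][string]$GroupDistinguishedName)

    # "Member of" compares the memberOf attribute, which holds distinguished names.
    # A display name such as "VOrg1 Users" therefore matches no user; reject it early.
    if ($GroupDistinguishedName -notmatch '^\s*(CN|OU|DC)=') {
        throw "Expected a distinguished name (CN=...,OU=...,DC=...), got '$GroupDistinguishedName'"
    }

    # Escape the characters RFC 4515 reserves inside filter values. Backslash goes
    # first so the escape sequences themselves are not re-escaped.
    $escaped = $GroupDistinguishedName.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')

    # Mailbox-enabled users only, so the list shows recipients rather than every
    # security principal that happens to be a member of the group.
    return "(&(objectCategory=person)(objectClass=user)(mailNickname=*)(memberOf=$escaped))"
}

function Test-GalMembershipFilter {
    param([Parameter(Mandatory)][string]$Filter)

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNC = [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNC")
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000   # page the results so large organizations are returned in full
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('displayName', 'mail', 'distinguishedName'))

    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            DisplayName = [string]($result.Properties['displayname']       | Select-Object -First 1)
            Mail        = [string]($result.Properties['mail']              | Select-Object -First 1)
            DN          = [string]($result.Properties['distinguishedname'] | Select-Object -First 1)
        }
    }
}

$filter  = New-GalMembershipFilter -GroupDistinguishedName $GroupDN
Write-Host "Filter rule: $filter"
$members = @(Test-GalMembershipFilter -Filter $filter)
Write-Host ("{0} recipient(s) would appear in this address list" -f $members.Count)
$members | Format-Table -AutoSize
```

Run it from a domain-joined machine as an account that can read the directory; the output is the membership the GAL will show, and a count of zero almost always means the Value box received a display name rather than a DN. Note that memberOf is not transitive: a user who is only in a nested group is not matched, which is why step 3 of the first procedure puts every member directly into the virtual organization's global group.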

How to change security on Global Address Lists

Change the security on each new Global Address List

Follow these steps to permit members of the virtual organization to see members of that global address list and to prevent all other users from seeing those entries.

Note This procedure works for Post Office Protocol version 3 (POP3) and for Internet Message Access Protocol, version 4rev1 (IMAP4) clients only if you use organizational units (and not alternative criteria such as department or office location) to manage people.
  1. In Exchange System Manager, right-click the new global address list, and then click Properties.
  2. Click the Security tab.
  3. Click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then copy the existing permissions when you are prompted to do so.
  4. In the Name section, click the Authenticated Users group name, and then make sure that the Allow check box is not selected for either Read or List in the Permissions section.
  5. Click Add, click the global group that corresponds to the appropriate virtual organization, and then add it to the list.
  6. In the Permissions section, click to clear all permissions except Read, Execute, Read Permissions, List Content, Read Properties, and List Object; and then click OK.
  7. When you receive the following message, click Yes, and then click OK:

      Caution! Deny entries take priority over Allow entries, which can cause unintended effects due to group memberships.

  8. Click Finish.

    Important After you complete these steps, Microsoft Outlook Web Access (OWA) users may use the Find names feature to view users, including those who are not in the same organizational unit. To prevent users from viewing other users who are in different organizational units, follow the steps in the next procedure.
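Because the Security tab has to be worked through by hand for the default list and for every new list, it is easy to leave one list where Authenticated Users or Everyone still holds an Allow for Read or List Contents, which quietly puts that list back in front of every hosted customer. The script below is an added example, not part of the Knowledge Base article, and it only reads: it walks every address list object under the Exchange configuration container, lists the access entries held by Authenticated Users (S-1-5-11) and Everyone (S-1-1-0), and flags any Allow entry that still grants read or list rights. It assumes nothing beyond a domain-joined machine with read access to the configuration naming context.

```powershell
# Added example (not part of the KB article): report which address lists are still
# readable by Authenticated Users or Everyone after the security changes above.
# Read-only; it changes no permissions.
function Get-AddressListAccessReport {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext

    # Address lists (the default GAL, new GALs and ordinary address lists) are all
    # addressBookContainer objects under the Exchange organization in the config NC.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$configNC")
    $searcher.Filter = '(objectClass=addressBookContainer)'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    # Well-known SIDs of the two principals the article tells you to restrict.
    $broadPrincipals = @{
        'S-1-5-11' = 'Authenticated Users'
        'S-1-1-0'  = 'Everyone'
    }

    # The rights that let a user enumerate or read the list's entries.
    $viewRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::ListObject

    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if (-not $broadPrincipals.ContainsKey($sid)) { continue }

            $grantsView = (($rule.ActiveDirectoryRights -band $viewRights) -ne 0)
            $finding = if ($rule.AccessControlType -eq 'Allow' -and $grantsView) {
                'Allow Read/List present: every authenticated user can view this list'
            } else {
                'ok'
            }

            [pscustomobject]@{
                AddressList = [string]$entry.Properties['cn'].Value
                Principal   = $broadPrincipals[$sid]
                Type        = $rule.AccessControlType
                Rights      = $rule.ActiveDirectoryRights
                Inherited   = $rule.IsInherited
                Finding     = $finding
            }
        }
    }
}

Get-AddressListAccessReport | Sort-Object AddressList, Principal | Format-Table -AutoSize
```

Lists that were left with inheritance enabled show Inherited as True on the flagged entry; that is the case step 3 of this procedure addresses when it has you clear the "Allow inheritable permissions" check box, and an explicit Deny for List Contents on the default GAL (step 4 of the first procedure) appears here as a Deny row rather than as a finding.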

Modify the msExchQueryBaseDN attribute for each user

To limit the scope of a directory service search with Outlook Web Access, set the msExchQueryBaseDN attribute on each user object. The value that is specified for the msExchQueryBaseDN attribute limits the searches and the ambiguous name resolution queries that a user can perform. Use the ADSI Edit snap-in to set the msExchQueryBaseDN attribute on a user object. To do this, follow these steps.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
  1. Log on to the domain controller as administrator.
  2. Start ADSI Edit. To do this, follow these steps:
    1. Install Windows 2000 Support Tools. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

      246926 Folder listing of the support tools included in Windows 2000

    2. Register the Adsiedit.dll file by using Regsvr32. To do this, follow these steps:
      1. Click Start, and then click Run.
      2. In the Open box, type the following line, and then click OK:

        regsvr32 "drive:\program files\support tools\adsiedit.dll"

    3. Open Microsoft Management Console (MMC), and then add ADSI Edit.
  3. In the root directory, right-click ADSI Edit, and then click Connect to.
  4. In the Connection dialog box, click Domain NC in the Naming Context list, and then click OK.
  5. Click a computer or a domain to log on to, and then click OK.

    Alternatively, click OK to use the domain or server that you are logged on to.
  6. Expand Domain NC, and then expand dc=domain,dc=com.
  7. Locate and expand the appropriate organizational unit, right-click the user who you want to set viewing restrictions for, and then click Properties.
  8. In the Select a property to view list, click msExchQueryBaseDN.
    • If you want OWA users to search within a single organizational unit (OU), type the distinguished name of this OU. For example, type the following address: ou=customer_name,dc=domain,dc=com
    • If you want OWA users to search within the Address List that you defined earlier in this article, type the distinguished name of the address list itself. For example, type the following address: CN=My List,CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
  9. Click Set, and then click OK.
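Steps 7 through 9 set msExchQueryBaseDN on one user at a time, which does not scale to a hosted organizational unit with hundreds of mailboxes, and a single mistyped DN leaves that user's OWA name lookup returning nothing. The script below is an added example, not part of the Knowledge Base article, and does the same write for every mailbox-enabled user in a virtual organization's OU through System.DirectoryServices rather than through the ADSI Edit snap-in. It assumes the constructed OU=customer_name,DC=domain,DC=com from the article's example for both the OU being scanned and the search base being written; substitute the address list DN from step 8 for $QueryBaseDN if you want OWA searches scoped to the list instead. It checks that the target DN exists before touching any user, reads each value back after the write, and honours -WhatIf so you can preview the change.

```powershell
# Added example (not part of the KB article): set msExchQueryBaseDN on every
# mailbox-enabled user in one virtual organization's OU, then read it back.
# Assumed (constructed) names: OU=customer_name,DC=domain,DC=com for both parameters.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$UserOU      = 'OU=customer_name,DC=domain,DC=com',
    # Either the OU DN or the address list DN from step 8 of the article.
    [string]$QueryBaseDN = 'OU=customer_name,DC=domain,DC=com'
)

function Set-OwaSearchScope {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchRootDN,
        [Parameter(Mandatory)][string]$BaseDN
    )

    # A mistyped base DN silently breaks OWA "Find names" for every user touched,
    # so confirm the target container exists before writing anything.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$BaseDN")) {
        throw "msExchQueryBaseDN target does not exist: $BaseDN"
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchRootDN")
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(mailNickname=*))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'msExchQueryBaseDN'))

    foreach ($result in $searcher.FindAll()) {
        $userDN  = [string]($result.Properties['distinguishedname'] | Select-Object -First 1)
        $current = [string]($result.Properties['msexchquerybasedn'] | Select-Object -First 1)

        if ($current -eq $BaseDN) {
            [pscustomobject]@{ User = $userDN; Action = 'unchanged'; msExchQueryBaseDN = $current }
            continue
        }

        if ($PSCmdlet.ShouldProcess($userDN, "Set msExchQueryBaseDN to $BaseDN")) {
            $entry = $result.GetDirectoryEntry()
            $entry.Properties['msExchQueryBaseDN'].Value = $BaseDN
            $entry.CommitChanges()
            $entry.RefreshCache()   # read back what the directory actually stored
            $stored = [string]$entry.Properties['msExchQueryBaseDN'].Value
            [pscustomobject]@{ User = $userDN; Action = 'set'; msExchQueryBaseDN = $stored }
        }
    }
}

Set-OwaSearchScope -SearchRootDN $UserOU -BaseDN $QueryBaseDN | Format-Table -AutoSize
```

Run it first with -WhatIf from an account that can write user attributes in that OU; the preview lists every user that would change, and the real run reports the stored value per user so a partial failure is visible rather than discovered later by an OWA user whose searches return nothing.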

MORE INFORMATION

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

817218 How to restrict OWA address searches to multiple organizational units


Modification Type: Major
Last Reviewed: 7/18/2006
Keywords: kbHOWTOmaster KB822940 kbAudITPRO