Address Lists in Exchange 2007 (Part 1)


August 26, 2011 by Rakesh Boraiah


Introduction

An Exchange address list is a collection of addressees that can be browsed by multiple types of Exchange recipients to find one another. An address list in Exchange 2007 is either a Global Address List, a custom Address List, or an Offline Address Book. In the first part of this article series I will talk about Global Address Lists. In later parts of this article series I will come back to custom Address Lists and how you can create and manage them. To finish I will cover Offline Address Books in more detail.

Global Address Lists

When you install Exchange 2007, you will have one Global Address List (GAL), called Default Global Address List, which is a collection of all mailbox-enabled users, mail-enabled users, mail-enabled contacts, dynamic distribution groups, mail-enabled groups, mail-enabled public folders, and system mailboxes in your Exchange organization, as can be seen in Figure 1.

Figure 1: Overview Address Lists

Creating new Global Address Lists = New-GlobalAddressList

If you are considering creating additional Global Address Lists (GALs), there are a few things to keep in mind:

  • You can only use the Exchange Management Shell (not the Exchange Management Console) to create, modify, update, or remove GALs.
  • If you have more than one GAL in your Exchange organization, only one will be displayed in the Outlook Address Book on a client computer. This address list will be listed as Global Address List, and not with the name you used to create it.
  • When a user belongs to more than one GAL, the user will get the GAL with the most entries to which he/she belongs and for which he/she has permission to view the content.

A reason for creating multiple GALs would be if your Exchange organization supports multiple companies, where you want to make sure users can only see other recipients from the same company.

To create a new GAL, you need to use the Exchange Management Shell cmdlet New-GlobalAddressList, and define a name for the GAL using the parameter Name. Any of the following parameters can be added to define who should appear as a member of the GAL:

  • ConditionalCompany
  • ConditionalCustomAttribute1-ConditionalCustomAttribute15
  • ConditionalDepartment
  • ConditionalStateOrProvince
  • IncludedRecipients, needs to be added when RecipientFilter is not defined (possible values = “None”, “MailboxUsers”, “Resources”, “MailContacts”, “MailGroups”, “MailUsers”, “AllRecipients”)
  • RecipientFilter, cannot be used if parameters ConditionalCompany, ConditionalCustomAttribute1-15, ConditionalDepartment, and/or ConditionalStateOrProvince have been specified
  • TemplateInstance

In Figure 2 you can see how to use the Exchange Management Shell to create two new Global Address Lists, where the first one, named “Community Day Attendees”, is based on the value of CustomAttribute3 and the value of the attribute Title, and the second one, named “Community Day Organizers”, is based on the value of CustomAttribute3 only.

Figure 2: New-GlobalAddressList

The newly created GALs will appear in the Exchange Management Console, as can be seen in Figure 3.

Figure 3: New GAL Exchange Management Console

When you create a new GAL, it will not be populated until you update the GAL using the Exchange Management Shell cmdlet Update-GlobalAddressList.

Update-GlobalAddressList

You will need to update the GAL using the Exchange Management Shell cmdlet Update-GlobalAddressList to:

  • populate a newly created GAL;
  • remove recipients that no longer meet the filtering criteria;
  • include recipients that meet the filtering criteria;
  • populate an existing GAL after modifying the filtering criteria.

In the example given before, I have created a new GAL, named “Community Day Organizers”. Using the Exchange Management Shell it is fairly easy to get a list of recipients that are members of that GAL. Before updating the GAL, you can see in Figure 4 that the GAL is empty. After updating the GAL, you can see that the GAL is populated.

Figure 4: Update-GlobalAddressList
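The create, update and verify sequence described above, as an added example for the Exchange Management Shell (not the commands from the original figures). The attribute values 'CommunityDay' and 'Attendee' and the helper Get-GalMember are assumptions made for illustration; the page does not show the values it used.

```powershell
# Constructed values: the page does not show the attribute values behind Figure 2.
$eventTag      = 'CommunityDay'   # assumed value of CustomAttribute3
$attendeeTitle = 'Attendee'       # assumed value of Title

# GAL 1: CustomAttribute3 AND Title. Title has no Conditional* parameter, so a
# custom RecipientFilter is used (and no Conditional* parameters alongside it).
New-GlobalAddressList -Name 'Community Day Attendees' `
    -RecipientFilter "((CustomAttribute3 -eq '$eventTag') -and (Title -eq '$attendeeTitle'))"

# GAL 2: CustomAttribute3 only, using the precanned parameters.
# IncludedRecipients is required here because RecipientFilter is not defined.
New-GlobalAddressList -Name 'Community Day Organizers' `
    -IncludedRecipients AllRecipients -ConditionalCustomAttribute3 $eventTag

# Hypothetical helper: recipients currently stamped as members of a GAL.
function Get-GalMember {
    param([string]$GalName)
    $gal = Get-GlobalAddressList -Identity $GalName
    Get-Recipient -ResultSize Unlimited `
        -Filter "AddressListMembership -eq '$($gal.DistinguishedName)'"
}

foreach ($name in 'Community Day Attendees', 'Community Day Organizers') {
    $before = @(Get-GalMember $name).Count   # a new GAL is empty until updated
    Update-GlobalAddressList -Identity $name
    $after  = @(Get-GalMember $name).Count
    Write-Host "$name : $before member(s) before update, $after after"

    # A GAL that stays empty after the update usually means the filter matches
    # nobody; in a multi-company setup its users would fall back to another GAL.
    if ($after -eq 0) {
        Write-Warning "$name is still empty; check its filter:"
        (Get-GlobalAddressList -Identity $name).RecipientFilter
    }
}
```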

When running the cmdlet Update-GlobalAddressList, Exchange will update every recipient in Active Directory to reflect the fact that it is a member of that GAL by updating the attribute called showInAddressBook. In Figure 5 you can see that User A will only appear in the custom Address List called All Users, and the default GAL. After updating the GAL Community Day Attendees, shown in Figure 6, the attribute is updated to include GAL Community Day Attendees, as can be seen in Figure 7.

Figure 5: showInAddressBook before Update-GlobalAddressList

Figure 6: Update-GlobalAddressList

Figure 7: showInAddressBook after Update-GlobalAddressList

Global Address List Permissions

As already stated in the beginning of this article, even when there are multiple GALs in the Exchange organization, every user will only see one GAL, both using Outlook and using OWA. To make sure a user sees the GAL he or she is supposed to see, you can set permissions on the GAL, using AdsiEdit.msc or using the Exchange Management Shell.

In my Exchange organization, there are currently three GALs. Table 1 lists who needs to get which GAL.

| Name GAL | Included Recipients | Not member of Community Day Attendees | Member of Community Day Attendees | Member of Community Day Organizers |
|---|---|---|---|---|
| Default Global Address List | All Recipients | X | | |
| Community Day Attendees | All Attendees | | X | |
| Community Day Organizers | All Attendees + All Organizers | | | X |

Table 1: GAL Permissions

You can use AdsiEdit to take away the permission from the group Community Day Attendees to open the GALs Default Global Address List and Community Day Organizers. Open AdsiEdit, connect to the Configuration partition, and drill down to Configuration, Services, Microsoft Exchange, Name of your organization, Address Lists Container, All Global Address Lists. Right-click the GALs required, and change the permissions as shown in Figure 8.

Figure 8: Deny Open address list permission

To deny the permission to open the GAL from the Exchange Management Shell, you need to use the cmdlet Add-ADPermission. In Figure 9 you can see how the shell can be used to deny the right to open the GAL named Community Day Organizers to the universal security group called Community Day Attendees.

Figure 9: Add-ADPermission
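The deny step described above followed by a check that the deny entries are actually in place, as an added example for the Exchange Management Shell (not the command from the original figure). It assumes the group and GAL names used in this article and covers both GALs named in the AdsiEdit paragraph.

```powershell
$group = 'Community Day Attendees'   # universal security group from the article

# Deny "Open Address List" on the two GALs that attendees must not receive.
foreach ($galName in 'Default Global Address List', 'Community Day Organizers') {
    $gal = Get-GlobalAddressList -Identity $galName
    Add-ADPermission -Identity $gal.DistinguishedName -User $group `
        -Deny -ExtendedRights 'Open Address List'
}

# Verification: list every deny entry for that right on every GAL.
# The wildcard is deliberate, because the right may be rendered by its display
# name or by its directory name in the output.
Get-GlobalAddressList | ForEach-Object {
    $gal = $_
    Get-ADPermission -Identity $gal.DistinguishedName |
        Where-Object { $_.Deny -and ($_.ExtendedRights -like '*Open*Address*List*') } |
        Select-Object @{Name = 'GAL'; Expression = { $gal.Name }}, User, Deny, IsInherited
}

# Expected result for this article's setup: two rows for the group, one for
# 'Default Global Address List' and one for 'Community Day Organizers',
# and none for 'Community Day Attendees'.
```

A GAL with no deny entry for a group it should be hidden from remains a candidate GAL for that group's members, so rerun the verification part after every new GAL is created.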

When User A logs on to the domain and opens Microsoft Office Outlook, User A will see the GAL named Community Day Attendees, as can be seen in Figure 10, whereas a member of the group Community Day Organizers will see the GAL named Community Day Organizers, and a user who doesn’t belong to either of these two groups will get the default GAL. The name of the GAL is not listed!

Figure 10: GAL User A

Outlook Web Access and Multiple GALs

When opening the mailbox of User A using Outlook Web Access, you may notice that User A is able to browse through all Global Address Lists, as in Figure 11.

Figure 11: GALs in OWA

As documented in Knowledge Base article 817218, you can view all address lists in Active Directory using Outlook Web Access, regardless of the permissions that are set on the address list. In order to prevent users from being able to see and go through all GALs created in your Exchange organization, you can change the value of the attribute called msExchQueryBaseDN on the user properties using AdsiEdit from the default value of <not set> to the distinguished name of the custom GAL you want the user to see in OWA, as can be seen in Figure 12.

Figure 12: msExchQueryBaseDN

After logging into OWA again, you will see that User A can only see the intended GAL in Figure 13.

Figure 13: Custom GAL in OWA
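An audit for the OWA behaviour described above, as an added example (not from the original article): it lists mailbox users whose msExchQueryBaseDN is still <not set>, since those are the accounts that can browse every GAL in OWA. It assumes the mailboxes live in the current domain and uses homeMDB to identify mailbox-enabled users.

```powershell
# Read-only LDAP query; runs in plain PowerShell, no Exchange snap-in required.
$rootDse  = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.PageSize   = 500    # page through results instead of stopping at 1000

# Mailbox-enabled users (homeMDB present) with msExchQueryBaseDN not set.
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(homeMDB=*)(!(msExchQueryBaseDN=*)))'
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('showInAddressBook')

$unrestricted = $searcher.FindAll() | ForEach-Object {
    $entry = New-Object PSObject
    $entry | Add-Member NoteProperty Account ([string]$_.Properties['samaccountname'][0])
    # showInAddressBook holds the DNs of the lists the user is a member of,
    # which helps decide which GAL DN belongs in msExchQueryBaseDN.
    $entry | Add-Member NoteProperty AddressLists (@($_.Properties['showinaddressbook']) -join '; ')
    $entry
}

Write-Host "Mailbox users without msExchQueryBaseDN: $(@($unrestricted).Count)"
$unrestricted | Sort-Object Account | Format-Table -AutoSize -Wrap
```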

Remove-GlobalAddressList

You can always remove custom GALs by using the Exchange Management Shell cmdlet Remove-GlobalAddressList. A few remarks:

  • You cannot remove the default GAL, as can be seen in Figure 14.

Figure 14: Remove-GlobalAddressList

  • You need to make sure that there is at least one GAL a user is allowed to query in order to be able to configure his or her Outlook profile.