GAL reappears for restricted user after receiving email from a domain user...
Exch 2007 SP1 on Srv 2008 R2, single domain. Have multiple sites, each with own container in AD. Trying to restrict mailbox users from viewing the Global Address List, and testing with a group of users (Userno1-Userno10) in a container named Test. I've entered the following two cmdlets in Exch Console:

    $dnGAL = (Get-GlobalAddressList "Default Global Address List").DistinguishedName
    Add-ADPermission -Identity $dnGAL -User "userno1" -Deny:$True

I have not found specific information about the proper switch for removing the ability to view a Global Address List using ADPermission, so unsure if accurate. However, it seems to work initially. Log in as Userno1 on a computer, create Outlook profile, goes OK. View Address Book, only shows users in the Test container. Have a normal domain user send email to Userno1 and it is received OK. Click the Address Book icon, and can now see the entire contents of the GAL, as all other users, which is what I do not want. Can anyone point out what I'm missing please? Thanks.

>> Here is the cmdlet I used to create a new GlobalAddressList for the test users:

    Set-GlobalAddressList -Identity "Contoso GAL" -ConditionalCompany "Test Organization"
January 13th, 2011 11:32am

Try the following: open ADSIEDIT -> configuration partition -> services -> exchange -> Org Name -> Address List Container -> Your test GAL properties and open the Security tab, add the test user and give it deny access for all or at least for the "Open address list" selection.

Best Rgds, Ashish | Unified Communication | MCTS | MCITP | Please remember to select option "Propose As Answer" if solution work for you | My posts hold no assurances, no promises, and they measured no rights.
January 13th, 2011 1:13pm

The "Open Address list" permission is already set to Deny for both the Userno1 user and my test Global Security group "GALTestUsers". Is this an inheritance issue then? Searched, but do not see notes on how to disable inheritance for the Default Global Address List. In the Permissions tab, it does show <not inherited> for both the user and the group, even though the "Include inheritable permissions from this object's parent" check box is checked.
January 13th, 2011 2:19pm
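To see what actually landed on the GAL object after the Add-ADPermission call in the first post, and to answer the inheritance question above from the object's own ACL rather than from the ADSIEdit dialog, here is an added diagnostic script. It is my own example, not code from anyone in the thread. It assumes the Exchange 2007 Management Shell cmdlets Get-GlobalAddressList and Get-ADPermission; the property names User, Deny, IsInherited, AccessRights and ExtendedRights on the returned ACE objects are assumptions to confirm with Get-Member on your own server. The principal names userno1 and GALTestUsers are the ones mentioned in the thread.

```powershell
# Added diagnostic for the thread above, not part of the original posts.
# Assumptions: Exchange 2007 Management Shell; ACE objects returned by
# Get-ADPermission expose User, Deny, IsInherited, AccessRights and
# ExtendedRights (verify with: Get-ADPermission -Identity $dnGAL | Get-Member).

param(
    [string]   $GalName    = "Default Global Address List",
    # Constructed sample: the user and group named in the thread.
    [string[]] $Principals = @("userno1", "GALTestUsers")
)

# Same lookup the original poster used to get the GAL's distinguished name.
$dnGAL = (Get-GlobalAddressList $GalName).DistinguishedName
Write-Host "Checking ACL on: $dnGAL"

# Pull every ACE on the GAL object once; filter per principal below.
$aces = Get-ADPermission -Identity $dnGAL

foreach ($p in $Principals) {
    # Match either "name" or "DOMAIN\name" so both spellings are found.
    $mine = $aces | Where-Object {
        $_.User.ToString() -match "(^|\\)$([regex]::Escape($p))$"
    }

    if (-not $mine) {
        Write-Warning "$p : no ACE at all on the GAL object (the Deny was never written here)"
        continue
    }

    # Explicit Deny entries are the ones Add-ADPermission -Deny should have created.
    $explicitDeny = $mine | Where-Object { $_.Deny -and -not $_.IsInherited }
    # Inherited entries come from the Address Lists container or further up.
    $inherited    = $mine | Where-Object { $_.IsInherited }

    if ($explicitDeny) {
        Write-Host "$p : explicit Deny present on the GAL:"
        $explicitDeny |
            Format-Table User, Deny, IsInherited, AccessRights, ExtendedRights -AutoSize
    } else {
        Write-Warning "$p : no explicit Deny ACE on the GAL; only inherited entries found"
    }

    if ($inherited) {
        Write-Host "$p : inherited entries (check whether any of these is an Allow):"
        $inherited |
            Format-Table User, Deny, IsInherited, AccessRights, ExtendedRights -AutoSize
    }
}
```

Run it from the Exchange Management Shell as an account that can read the configuration partition. The useful signal is the split between explicit and inherited entries: an explicit Deny that shows IsInherited = False with the expected right confirms the original cmdlet wrote what was intended, while an inherited Allow for a broad group (for example Authenticated Users) on the same object tells you where the access the poster is seeing is coming from.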

Hello Romseye,

Have you fully reviewed and followed the directions in the Address List Segregation whitepaper? There is a reference in there for doing it by OU...

White Paper: Configuring Virtual Organizations and Address List Segregation in Exchange 2007
http://technet.microsoft.com/en-us/library/bb936719(EXCHG.80).aspx#CrOrgUComp

These types of issues can be very tricky to troubleshoot if you are not following the test solutions provided in the whitepaper and instead are trying to "wing it".

Thanks, Kevin Ca - MSFT
January 31st, 2011 3:40pm

Thanks for the response. Yes, I have read it, and felt it was a proper solution to my original intent. After reading it, and researching more about what I really want to achieve, which is to only prevent a certain group of users in an OU from seeing members in the Default Global Address List, I started realizing I may not need to completely segregate my Exch and AD infrastructure. While researching, I found many references by others who seem to have accomplished this (e.g., http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/address-lists-exchange-2007-part1.html, for one). I bounced it off a few Exchange Admins with more knowledge than I, who assured me I did not need to go to the lengths the white paper indicated. However, after all my testing, and direct assistance by others, I have not been able to achieve the results I'm looking for. Do I truly need to perform the steps in the white paper above to achieve preventing users in a single OU from viewing other members in the GAL?

On page 4 of the white paper, in the section labelled "Important:", it states, "Active Directory can also be configured to control object visibility at a more granular level on a per-object basis. This is a special mode referred to as the "List Object" mode. In this special mode, an object will continue to be visible to a user if the user has been granted List Contents permissions on the parent object." Does this not indicate that it should be possible to "deny" permissions to view an object as well, so long as one enables the special "List Object" mode (modifying the dsHeuristics attribute on the Directory Service object), without having to go through all the steps outlined? Appreciate your thoughts and assistance!
January 31st, 2011 4:54pm

OK, before we go any further, let me clarify your end goal. So you want to block users 1 through 10 from seeing the rest of the GAL; are you OK with the rest of the GAL seeing users 1 through 10? Or are you trying to block both ways? (1 thru 10 cannot see 11 thru 1000, 11 thru 1000 cannot see 1 thru 10.) Are you trying to do this for only 1 group of users? Or several groups? I've sent off some communications to try to get some supportability information as well.

Kevin Ca - MSFT
February 1st, 2011 7:13pm

To clarify... say the 1 through 10 users are in the Company2->Users container. Also have a Company1 container.

Do NOT want "Company1->Finance Users" or "Company1->Sales Users" to see "Company2->Users" users in the GAL.
Do NOT want "Company2->Users" seeing the rest of the GAL.
Need all "Company2->Managers" to continue to see "Company2->Users" users. (This part seems tricky.)

Right now, want to do this for only one group of users, "Company2->Users". In future, I may need to do it for another group.
February 2nd, 2011 11:46am
