Managing Hidden Email Distribution Groups
I'm not sure if it's possible or not, but let me explain what we are trying to do. We have a large number of email distribution groups which are managed by x number of users, and they manage these directly from Outlook 2003 address lists. Because we don't want most of these lists showing in our global address lists, I want to hide them within Exchange (2003), but now they will not be able to manage their own lists (add or remove users etc.) and they will need to go through the helpdesk, which in turn will generate more work. Is there a way to let them still manage the lists when hidden without giving them access to AD manage users/computers etc.? Thanks for any input.
June 22nd, 2009 5:42am

Sure, we can remove these distribution groups (DGs) from the GAL, and then create a special Address List to grant the access permission of these DGs to the managers only.

a. Firstly, add a value to one of the Custom Attributes of these DGs you want to hide via ADUC.
Notes: Please ensure there's no other object which will use this CustomAttribute or the value in it.

b. Then, go to ESM and create a new Address List for these DGs, based on the CustomAttribute to filter.

c. Now, enter into the Properties of the newly created Address List->Security tab, and remove those groups which users will require, like Anonymous Logon, Everyone and Authenticated Users. And then, add the group that contains the managers who need to modify the DGs.
Notes: Please ensure that the managers aren't members of any inherited admin groups in the Security tab of the newly created Address List.

d. Please create a new GAL if you only have the default GAL that was created during the Exchange installation, since we need to reapply the filter rule on the GAL.

a) Firstly, we create the new GAL and add all the objects we need to show in the GAL, including these DGs as well.

b) After creating the new GAL, we go to the Properties of it and copy the Filter rules to Notepad, like below:

(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList) ))))

c) Now we filter out these DGs, like below:

(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(&(objectCategory=group)(!extensionAttribute1=test))(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList) ))))

Notes: Here the extensionAttribute1 is the CustomAttribute1 in ADUC.

d) Then, we enter the Properties of the newly created GAL again. In the General tab, click the Modify button.

e) In the drop-down list of the Find field, choose Custom Search; in the Advanced tab, enter the modified rule and click OK.

e. Please remove the default All Groups Address List since it will show all DGs. If you want to keep this Address List, please remove and recreate one by using the filter rule like below. The procedure is the same as step d.

(& (mailnickname=*) (& (objectCategory=group) (!extensionAttribute1=test)))

f. Finally, we need to put the modified GAL into the OAB, and use this OAB in the mailbox store via ESM. Eventually, regular users won't see the restricted DGs and the restricted Address List via their Address Book in Outlook.

Notes: However, this method won't work for Outlook Web Access (OWA). In OWA, you can view all address lists in AD, regardless of the permissions that are set on the address list. In order to hide these DGs against regular users via OWA as well, we must add the value of the distinguishedName attribute of the modified GAL into the msExchQueryBaseDN attribute of regular users; please refer to KB 817218.

Notes: I suggest you test the method above in the lab first before using it in the product environment.

Resources:
ADModify.NET is here! (We can use this tool to modify the Custom Attributes of the DGs and the msExchQueryBaseDN attribute of regular users in bulk)
LDAP Search Samples for Windows Server 2003 and Exchange 2000/2003
LDAP Query Basics
June 22nd, 2009 9:14am
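
A read-only audit of the scheme described in the answer above, as an added example that is not part of the original thread. It assumes the marker extensionAttribute1=test from the answer's filter; $GalDn is a placeholder for the distinguishedName of the modified GAL, and Find-Ad is a hypothetical helper name.

```powershell
# Added example, not from the thread. Run as a domain user on a domain-joined machine.
$Marker = 'test'                                      # value used in the answer's filter
$GalDn  = '<distinguishedName of the modified GAL>'   # placeholder, fill in before running

# Hypothetical helper: paged LDAP search against the current domain via ADSI.
function Find-Ad([string]$Filter, [string[]]$Props) {
    $s = [adsisearcher]$Filter
    $s.PageSize = 1000                      # page past the 1000-result limit
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    $s.FindAll()
}

# 1. Marked DGs: once the Recipient Update Service has re-stamped them,
#    showInAddressBook should no longer list the modified GAL or All Groups.
Find-Ad "(&(objectCategory=group)(mailNickname=*)(extensionAttribute1=$Marker))" 'distinguishedname','showinaddressbook' |
    ForEach-Object {
        $lists = @($_.Properties['showinaddressbook'])
        New-Object PSObject -Property @{
            Group        = $_.Properties['distinguishedname'][0]
            StillInGal   = ($lists -contains $GalDn)
            AddressLists = $lists -join ' | '
        }
    }

# 2. Step a's note: no other object may carry the same attribute value,
#    otherwise it lands in the restricted Address List as well.
Find-Ad "(&(extensionAttribute1=$Marker)(!(objectCategory=group)))" 'distinguishedname' |
    ForEach-Object { 'Marker collision: ' + $_.Properties['distinguishedname'][0] }

# 3. OWA note: mailbox users with no msExchQueryBaseDN can still browse every
#    address list in OWA. Managers of the hidden DGs may appear here by design.
Find-Ad '(&(objectCategory=person)(objectClass=user)(homeMDB=*)(!(msExchQueryBaseDN=*)))' 'distinguishedname' |
    ForEach-Object { 'No msExchQueryBaseDN: ' + $_.Properties['distinguishedname'][0] }
```
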

Hi James,

I read your article and want to discuss my requirements. We have a Mixed Exchange Setup of Exch 2k3 & Exch 2k7, and we are in the process of migrating mailboxes to Exch2k7. We have one root & 5 child domains; Exchange 2k7 is in the root domain. Our requirement is to filter out unnecessary DLs from the GAL, but these should be visible in All Groups. For this I have done the testing in the lab and have modified the GAL with the recipient filter below.

Default GAL Filter is

((Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder')))

& the modified one is

((Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))) -and (CustomAttribute1 -ne '1')}

The only thing which we have to do is to set the Custom Attribute to 1 for each DL which we want to filter out from the GAL. Is it the right way to do it if we have a Mixed Exchange Setup as well as OCS installed? Does it break anything in Exchange if we modify the Default GAL?

Regards,
Osman
September 9th, 2009 2:42pm

This topic is archived. No further replies will be accepted.
