How to restrict users in separate OUs from seeing each other's presence

We have an Enterprise Lync 2010 server environment in place, and are using msRTCSIP-GroupingID to restrict address book lookups. We are now looking to restrict presence viewing to only users within the same OU. In other words it should not be possible to see the presence of a user outside of your own OU, unless that user allows it explicitly.

It seems that the Multitenant pack for Lync can arrange that, but it's just not feasible to install that when you already have an active Lync environment in production. Is it possible to achieve this separation another way? Maybe with msRTCSIP-TenantId? (which is already available in our current schema)

July 22nd, 2013 7:04am

Hi,

Agree with Holger, you may try ethical wall.

July 23rd, 2013 2:40am

Ethical wall is a third-party tool used for this purpose only. Agree with both.
July 23rd, 2013 1:43pm

So it's impossible to achieve this without a third-party tool? For example by changing permissions on OUs or some other way?

Purchasing an ethical wall solution is quite expensive...

July 23rd, 2013 3:01pm

Hi,

Using the GroupingID will completely separate the users into unique address books. But searching by SIP URI will always work and you cannot prevent the users from communicating with other Lync users in the same organization. If you want to restrict presence viewing to specific users, you can try ABS Configuration Tool.

http://www.justin-morris.net/how-to-hide-users-from-the-lync-address-book/

Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.

July 29th, 2013 7:06am
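
An added example, not part of the original thread: a read-only audit of how msRTCSIP-GroupingID lines up with OU boundaries, so you can confirm the address book separation described in the reply above before layering a presence control on top. It assumes PowerShell 3.0 or later with the ActiveDirectory module, and that tenant OUs sit directly under a base OU; the DN `OU=Tenants,DC=example,DC=com` is a placeholder. It does not restrict presence.

```powershell
# Added example: audit msRTCSIP-GroupingID against OU boundaries. Read-only.
Import-Module ActiveDirectory

# Assumption: one OU per tenant directly under this base. Placeholder DN, replace it.
$TenantBase = 'OU=Tenants,DC=example,DC=com'

$report = foreach ($ou in Get-ADOrganizationalUnit -SearchBase $TenantBase -SearchScope OneLevel -Filter *) {
    # Lync-enabled users carry msRTCSIP-PrimaryUserAddress (their SIP URI).
    $users = @(Get-ADUser -SearchBase $ou.DistinguishedName -SearchScope Subtree `
        -LDAPFilter '(msRTCSIP-PrimaryUserAddress=*)' `
        -Properties 'msRTCSIP-GroupingID', 'msRTCSIP-PrimaryUserAddress')

    foreach ($u in $users) {
        # The attribute is an octet string; render it as hex so it can be compared.
        $raw = $u.'msRTCSIP-GroupingID'
        [pscustomobject]@{
            OU         = $ou.Name
            SipAddress = $u.'msRTCSIP-PrimaryUserAddress'
            GroupingID = if ($raw) { [BitConverter]::ToString([byte[]]$raw) } else { '<not set>' }
        }
    }
}

# 1) OUs whose Lync users do not all share exactly one GroupingID.
$report | Group-Object OU | ForEach-Object {
    $ids = @($_.Group | Select-Object -ExpandProperty GroupingID -Unique)
    if ($ids.Count -ne 1 -or $ids -contains '<not set>') {
        [pscustomobject]@{ OU = $_.Name; Users = $_.Count; GroupingIDs = $ids -join ', ' }
    }
} | Format-Table -AutoSize

# 2) GroupingIDs that appear in more than one OU (two OUs sharing one address book).
$report | Where-Object { $_.GroupingID -ne '<not set>' } | Group-Object GroupingID | ForEach-Object {
    $ous = @($_.Group | Select-Object -ExpandProperty OU -Unique)
    if ($ous.Count -gt 1) {
        [pscustomobject]@{ GroupingID = $_.Name; OUs = $ous -join ', ' }
    }
} | Format-Table -AutoSize
```

Empty output from both checks means every Lync-enabled user in an OU shares one GroupingID and no GroupingID spans OUs.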

Hi,

The groupingID attribute will separate the address book without problem, but when I send a mail to another customer in the same AD they can see my presence in Outlook, even when I have not been added to their Lync address list. I'd like to prevent this from happening.

July 29th, 2013 7:32am

I don't know if privacy mode could be helpful to you, but you can try.

http://technet.microsoft.com/en-us/library/gg399028(v=ocs.14).aspx

Restrict to show your presence only to users in your contact list.

July 29th, 2013 12:34pm

No, unfortunately with that option it can only be turned on and off globally or per site. We need to control this like the address book with msRTCSIP-GroupingID.

For example users in OU A can always see all users in OU A, but users in OU A cannot see users in OU B, unless they explicitly allow them to see them.

I'm now looking for an ethical wall solution that can do this, but haven't found one yet that can do exactly this.


July 30th, 2013 6:08am

This topic is archived. No further replies will be accepted.