GAL segregation based on Organizational unit (OU)
Creating a GAL based on an OU filter is not an easy task.
I was recently working on an issue where the GAL had to be segregated by OU because multiple domains are hosted in a single AD forest.
There are multiple ways to do the segregation, using LDAP queries on different attributes, but the option below is very easy and simple.
Open Adsiedit.msc.
Browse to Configuration –> CN=Services –> CN=Microsoft Exchange –> CN=<your Exchange organization> –> CN=Address Lists Container –> CN=All Global Address Lists.
Right-click the GAL object you want to restrict (by default it is named Default Global Address List) and go to Properties.
Look for the attribute msExchSearchBase and set it to the distinguished name of the OU or container, in the following format:
CN=Users,DC=domain,DC=com (for an OU the DN starts with OU= instead of CN=).
Check the screenshot.
Click Apply, then OK, and close Adsiedit. From now on this GAL only returns objects that sit under that search base.
To see why this is useful, consider a real situation. The requirement was to make an external contact visible in a distribution group's membership from Outlook while keeping it out of the GAL. Microsoft has confirmed that the following is by design: if an object is marked "Hide from Exchange address lists" and is a member of a distribution group, the object still receives the email and is still visible in the distribution group membership in OWA, but Outlook does not show it in the group membership. So a workaround is needed to satisfy the customer, and the search base provides one.
Follow the steps:
- Created the group 123 in the Users OU.
- Created the user TestGAL1 in the Users OU.
- Created the contact testgc2 in the Users OU.
- Created the contact tg3 in a separate test container.
- Configured the msExchSearchBase attribute with the DN of the Users OU.
- Tested in Outlook:
  - 123 is the group.
  - tg3 is the contact in the container outside the search base; it shows as a member of the DL but does not show in the GAL.
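The same change and the same test, scripted. This is an added example and not code from the original post: it sets msExchSearchBase on the GAL object through ADSI instead of ADSIEdit, refuses to write a DN that does not exist (a mistyped search base scopes the GAL query to nothing, which looks like an outage rather than a filter), reads the value back, and then compares a preview of the restricted GAL with the membership of the distribution group. It assumes an Exchange Management Shell session on Exchange 2007/2010; the GAL name, the search base DN and the group name are placeholders to be replaced with your own.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on Exchange 2007/2010 with an account allowed to edit the
# Configuration partition. Names below are assumptions for illustration.

$galName    = 'Default Global Address List'   # assumed GAL name
$searchBase = 'CN=Users,DC=contoso,DC=com'    # assumed OU/container DN
$groupName  = '123'                           # distribution group from the post

# 1. Verify the search base exists before touching the GAL. A DN that does
#    not resolve would restrict the GAL to nothing for every user.
if (-not [adsi]::Exists("LDAP://$searchBase")) {
    throw "Search base '$searchBase' does not exist in Active Directory"
}

# 2. Bind to the GAL object in the Configuration partition and set the
#    attribute. Get-GlobalAddressList gives us the DN so the
#    CN=Services,CN=Microsoft Exchange,... path never has to be typed.
$gal    = Get-GlobalAddressList -Identity $galName
$galObj = [adsi]("LDAP://" + $gal.DistinguishedName)
$galObj.Put('msExchSearchBase', $searchBase)
$galObj.SetInfo()

# 3. Read the value back from the directory to confirm the write took.
$galObj.RefreshCache()
$applied = [string]$galObj.Get('msExchSearchBase')
if ($applied -ne $searchBase) {
    throw "msExchSearchBase is '$applied', expected '$searchBase'"
}
Write-Host "msExchSearchBase on '$galName' is now: $applied"

# 4. Preview the restricted GAL: the GAL's own recipient filter, scoped to
#    the search base. This approximates what Outlook will see; the real
#    client query goes through NSPI/OAB, so treat it as a sanity check.
$inGal = Get-Recipient -RecipientPreviewFilter $gal.RecipientFilter `
                       -OrganizationalUnit $searchBase `
                       -ResultSize Unlimited |
         Select-Object -ExpandProperty Name

# 5. Compare with the group membership. Members outside the search base
#    still receive mail and are still members; they just drop out of the GAL.
$members = Get-DistributionGroupMember -Identity $groupName -ResultSize Unlimited
foreach ($m in $members) {
    $visible = $inGal -contains $m.Name
    '{0,-25} inGAL={1,-5} DN={2}' -f $m.Name, $visible, $m.DistinguishedName
}
```

With the test objects from the post, the last loop lists tg3 with inGAL=False while 123's other members show inGAL=True, which is the behaviour the Outlook test above reports. Because the write goes to the Configuration partition, allow for replication to other domain controllers (and an OAB regeneration for cached-mode Outlook clients) before judging the result.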
msExchSearchBase is a nice and simple attribute that lets you restrict the scope of the GAL query. Keep in mind that it is a filter on the directory query, not an access control: as the test shows, objects outside the search base still receive mail and still appear in group membership, and a user who knows an SMTP address can still send to it. On Exchange 2010 SP2 and later, Address Book Policies are the supported way to segment the GAL; the search base is a practical option on 2007 and on 2010 before SP2.
Prabhat Nigam
Team @MSExchangeGuru
January 23rd, 2013 at 11:39 pm
Excellent
July 11th, 2013 at 10:48 pm
Does this apply to Exchange 2003?
I’ve tried with no luck.
According to “http://www.mail-archive.com/exchangelist@lyris.sunbelt-software.com/msg03895.html” this doesn’t work for Exchange 2000.
July 12th, 2013 at 1:37 am
@Ram
This article applies to Exchange 2007/10. We have never tested on 2003, but 2000 and 2003 work the same way, so I am not sure.
I will try to see if I get any 2003 environment to test.
May 22nd, 2014 at 6:56 am
You need to take part in a contest for one of the best websites online.
I am going to recommend this blog!
May 22nd, 2014 at 12:28 pm
Thank you Alan
May 24th, 2014 at 2:05 am
I couldn’t refrain from commenting. Perfectly written!
May 24th, 2014 at 11:49 am
Thank you Weal
November 16th, 2015 at 11:11 am
Hi,
Thanks for the help. Though I’m facing issues segregating GAL for a few mailbox users which have same name on different domains.
e.g.
DomainA AD User Logon name=info@DomainA.com SMTP=info@DomainA.com It can only see DomainA address lists
DomainB AD User Logon name=info@DomainB.com (Pre-Windows User Logon=DomainB\info.abc) SMTP=info@DomainB.com It can see both DomainA and DomainB address lists.
All other users with a different username/email are working fine. Just to add: in AD, for info@DomainB.com I can't see an entry for msExchAddressBookPolicyLink in Attribute Editor, but for info@DomainA.com I can see the address list entry under msExchAddressBookPolicyLink. I tried to add the entry manually but it didn't make any difference.
Any help please?
Regards,
Mobin
November 16th, 2015 at 1:41 pm
You can’t assign same email address to two mailboxes.
Create an OU and move the user then exclude the OU from 1st domain’s email address policy.
November 16th, 2015 at 2:41 pm
Thanks for the reply Prabhat. These are 2 completely different email addresses as domains are different.
I’ve resolved it by reassigning the Address book policy.
Thanks
November 16th, 2015 at 2:52 pm
Good to hear 🙂
August 26th, 2016 at 1:01 am
Mobin, can you please explain the points mentioned below?
I have created 2 or more UPNs in my AD, like abc.com and xyz.com. After that I created OUs in my AD named abc.com and xyz.com, and also created accepted domains with the same names on the Exchange 2010 server.
My domain name is rnd.local.
Now my question is: when abc.com mail users log in to Exchange OWA they can see the whole address list, which is the default global address list.
1. How do I set it so that users of a given UPN can see only a specific address list, i.e. abc.com users see only abc.com mail IDs and not others?
2. How do I set different passwords for Exchange and AD?