Segregated Address Books, GAL and OAB with Exchange 2010

Quick:

Thanks for the question. The approach is pretty simple, and here are the steps:

  1. Can’t rely on GAL functionality, as that is a global address list, so delete it or don’t use it
    1. Note that some antivirus systems, etc. require the GAL to still exist; in this case just don’t use it or publish it to end users (we found this to be true with Sunbelt Vipre for Exchange)
  2. Create custom address lists for each organization or “group” you want to have an individual address list
    1. In this case we had users in the same domain, so we separated them into an OU per company
  3. The trick is to properly assign users to the right address list, and the criteria for creating and updating the address lists are best based on one of the AD attributes on their domain account. In our case I chose to use the actual “Organization” field, but you could use any field really.
  4. The scripts described [in blog] do two things:
    1. Update the “Organization” attribute for accounts in a given OU
    2. Update address lists per user with the specified attribute

Detailed: 

I came across a scenario where we wanted to host multiple organizations on a single Exchange platform, which equates to a hosted Exchange environment. This works great in general, because each organization can be assigned its own database. The area where Microsoft's offering is weak is the ability to partition or segregate address books (GAL, OAB), so that users in each company don't see the users in the others.

Microsoft doesn't have a simple solution for this, but it is possible and Microsoft put together some good directions on how to do this with Exchange 2007: http://technet.microsoft.com/en-us/library/bb936719(EXCHG.80).aspx 

Most of the guide is fairly straightforward, as the basic premise is to delete all of the default global address lists and then create new address lists to which only specific OUs ("companies") have access and visibility.

I had to tweak a few commands for this environment, but the only real sticking point we had was at the end, where it's necessary to set attributes on every user object. This is also something that needs to be done for every new user. 

Here is a script that works in lieu of the Microsoft one, which doesn't; it is run nightly to keep everything up-to-date:

#update all address lists
Get-AddressList | ForEach-Object { Update-AddressList -Identity $_.Name }

#update all global address lists
Get-GlobalAddressList | ForEach-Object { Update-GlobalAddressList -Identity $_.Name }

#update all offline address books
Get-OfflineAddressBook | ForEach-Object { Update-OfflineAddressBook -Identity $_.Name }

#update all OAB files (regenerate the OAB files on each mailbox server)
Get-MailboxServer | ForEach-Object { Update-FileDistributionService -Identity $_.Name -Type OAB }

#update all users in OU with the correct OAB
Get-Mailbox -OrganizationalUnit "Company1" | Set-Mailbox -OfflineAddressBook "Company1 OAB"

#update all users in OU with the AD attribute pointing them to the correct container for their address lists
#(msExchQueryBaseDN is set directly via ADSI; it restricts address book searches for the user to that container)
Get-User -OrganizationalUnit "Company1" | ForEach-Object {
    $obj = [ADSI]("LDAP://" + $_.DistinguishedName)
    $obj.msExchQueryBaseDN = "ou=Company1,ou=companies,dc=domain,dc=com"
    $obj.SetInfo()
}
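The nightly script above assumes each account already carries the attribute its address list filters on and that the per-company list and OAB exist. Here is an added example of that setup step, written for this post rather than taken from it or from Microsoft's guide; it assumes the post's "Organization" field is the AD company attribute (Set-User -Company), reuses the post's "Company1" OU and DN as placeholders, and ends with a check that no account outside the OU matches the filter, since a stray match would surface a user in another company's address list.

```powershell
# Added example (not the post's script): tag a company OU, create its address list
# and OAB keyed on that attribute, then verify the filter matches nothing outside the OU.
# Assumed: "Organization" in the post == the AD company attribute; OU/DN names are placeholders.
param(
    [string]$Company   = "Company1",
    [string]$CompanyOU = "ou=Company1,ou=companies,dc=domain,dc=com"
)

# 1. Stamp the attribute on every user in the OU (idempotent: users already correct are skipped)
Get-User -OrganizationalUnit $CompanyOU -ResultSize Unlimited |
    Where-Object { $_.Company -ne $Company } |
    Set-User -Company $Company

# 2. Create the per-company address list and OAB from that attribute, only if they don't exist yet
$filter = "(Company -eq '$Company')"
if (-not (Get-AddressList -Identity "$Company Address List" -ErrorAction SilentlyContinue)) {
    New-AddressList -Name "$Company Address List" -Container "\" -RecipientFilter $filter
}
if (-not (Get-OfflineAddressBook -Identity "$Company OAB" -ErrorAction SilentlyContinue)) {
    New-OfflineAddressBook -Name "$Company OAB" -AddressLists "$Company Address List"
}

# 3. Verify: preview the recipient filter and flag anyone whose DN is not under the company OU.
#    Such an account would appear in this company's list even though it belongs elsewhere.
$strays = Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited |
    Where-Object { $_.DistinguishedName -notlike "*,$CompanyOU" }
if ($strays) {
    Write-Warning "Recipients matching $filter but located outside $CompanyOU :"
    $strays | Select-Object Name, DistinguishedName | Format-Table -AutoSize
} else {
    "No stray matches for $Company; the nightly update can safely refresh '$Company Address List'."
}
```

Run it once per company from the Exchange Management Shell before the nightly script; the check in step 3 is worth keeping in the nightly job too, since a mistyped attribute on a new account is the most likely way a user ends up in the wrong list.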