Using Exchange Address Book Policies to hide some users from others


The steps in this article can be used to hide some or all other users from other users using Address Book Policies (ABP) in Exchange 2010 (SP2+). This was required for one of my clients, who had some shared mailboxes that were used by an external company. They didn’t want the external company to be able to see all of their users and groups when using the shared mailboxes.

The steps below will setup a new ABP that can be applied to select mailboxes, so they have a limited view of the GAL. Mailboxes that don’t have an ABP applied to them will still use the default GAL. Following these steps won’t prevent users in the default GAL from seeing the mailboxes that have the new ABP applied to them. The quick solution for this is to just hide the mailboxes, but if this isn’t a workable option multiple ABPs will be needed. To limit users so they don’t see other users you will need to create at least two ABP and the different ABP to the different sets of mailboxes, for details on how to do this see this article by Steve Goodman: http://searchexchange.techtarget.com/tip/How-to-implement-Exchange-address-book-policies.

Basic Steps

  1. Create a new GAL for Tailspin
  2. Create a new Address Lists for Tailspin mailboxes·
    – At a minimum two Address Lists are required, one for mailboxes and another for rooms
  3. Create a new Offline Address Book for Tailspin
  4. Create new ABP and select the new GAL, OAB, and rooms list
  5. Assign the new ABP to the mailboxes, that you want to have a limited view of the GAL
  6. Set attribute(s) on the objects you want to be visible in the new ABP
    – This can done using one of the common properties, like Company, CustomAttribute1-15, or any other attributes supported by the –RecipientFilter parameter

Example PowerShell steps

Create new GAL for Tailspin:

  • This step can only be done via PowerShell, all the rest of these steps can be done in the EMC.
New-GlobalAddressList “TailSpin Global Address List” -RecipientFilter {(CustomAttribute1 -eq “TailSpin”)} | Update-GlobalAddressList

Create new Address List(s) for Tailspin:
Only one Address List is required but one can be created for each object type in Exchange if needed. This can be created from EMC or EMS.
New-AddressList “TailSpin Mailboxes” -RecipientFilter {((CustomAttribute1 -eq “TailSpin”) -and (RecipientType -eq ‘UserMailbox’))} | Update-AddressList

A rooms address list is also required when creating a ABP, so you must create one for TailSpin or you could use the default one.
New-AddressList “TailSpin Rooms” -RecipientFilter {((CustomAttribute1 -eq “TailSpin”) -and (Alias -ne $null) -and ((RecipientDisplayType -eq ‘ConferenceRoomMailbox’) -or (RecipientDisplayType -eq ‘SyncedConferenceRoomMailbox’)))} | Update-AddressList

Create new OAB for Tailspin:
New-OfflineAddressBook “TailSpin Offline Address Book” -AddressLists “TailSpin Global Address List”

Create new Address Book Policy:
New-AddressBookPolicy -Name “TailSpin Address Book Policy” -AddressLists (Get-AddressList TailSpin*) -OfflineAddressBook “TailSpin Offline Address Book” -GlobalAddressList “\TailSpin Global Address List” -RoomList “\TailSpin Rooms”

Set custom attribute on mailboxes, groups, or other objects that should be included in the new GAL:
The cmdlet below will update all mailboxes in the TailSpin OU to have CustomAttribute1 = TailSpin, which is the filter used on Address Lists created above.

Get-Mailbox -OrganizationalUnit company.com/TailSpin | Set-Mailbox -CustomAttribute1 TailSpin

Set the mailboxes to use the new ABP:
Get-Mailbox -Filter {(CustomAttribute1 -eq “TailSpin”)} | Set-Mailbox -AddressBookPolicy “TailSpin Address Book Policy”

Now if everything is setup correctly, when “TailSpin” user’s login and browse the GAL they will only see other TailSpin users.

About jasonsherry

I am a 20 year Exchange consultant and expert. I currently work for Commvault as a Solutions Specialist for Microsoft Infrastructure For more info see my resume at: http://jasonsherry.org
This entry was posted in Exchange, Microsoft, Technical and tagged . Bookmark the permalink.

2 Responses to Using Exchange Address Book Policies to hide some users from others

  1. sajid says:

    hey,
    i already install exchange 2013 in my lab. i cant set CustomAttribute on groups,contacts, and room mailbox. on users mailbox i set. can you tell me how to set CustomAttribute on groups,contacts, and room mailbox in exchange 2013 ?
    Regards
    sajid

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s