Re: Hiding the GAL
From: Dean (deanbo21_at_yahoo.co.uk)
Date: 10/27/04
- Next message: Al Smith: "Re: Exchange 5.5"
- Previous message: Lee Li [MSFT]: "RE: Built-In Reporting"
- In reply to: Dean: "Re: Hiding the GAL"
- Messages sorted by: [ date ] [ thread ]
Date: 27 Oct 2004 05:11:29 -0700
Glen
Disregard the last post. I have worked through it again and have
managed to get it working.
1. I went into the security section of the new GAL and removed
inherited permissions. I then copied existing permissions.
2. I removed the Authenticated Users and Everyone groups from the
security section of the new GAL and added the necessary Security
Groups with Read, List and Open Address Book rights.
3. When logging in as a Student, I see only student entries under
Global Address List. When logging in as a member of Staff, I only see
staff entries. Exactly what I was after.
Thanks for your assistance.
Regards
Dean
deanbo21@yahoo.co.uk (Dean) wrote in message news:<3ed225a4.0410260037.57d7d381@posting.google.com>...
> Glen
>
> Thanks so far. I have created a Staff GAL and have set the filter on
> it. I have then taken off inheritance permissions, removed the
> everyone and authenticated users groups and assigned the necessary
> Staff security groups. When logging on as a member of the Staff
> security group, I cannot see the new GAL object in the address book.
> The only GAL is the default GAL.
>
> 1. Is there something else that needs to be done to make the GAL
> appear?
> 2. Are there specific rights that need to be assigned? I have
> assigned Read, Write and List rights.
>
> Thanks, once again, in advance.
>
> Regards
>
> Dean
>
> PS. The first link appears to no longer be available on MS's website.
>
>
> "Glen Trafford" <glen@beehivesystems.com> wrote in message news:<clfo52$1vva$1@otis.netspace.net.au>...
> > What you want to create is two separate Global Address Books (GAL) one with
> > students in it and the other with staff in it.
> >
> > Create two security groups that contain staff and students (you probably
> > have something that you can use already).
> >
> > Create another Global Address object (or two if you want to keep the
> > original GAL), modify the query so that it only finds the students or staff
> > as required.
> >
> > - We found that we had to use security groups to control access between the
> > two groups of users in a similar situation to yours, which is obvious, but
> > then found that we still needed to filter them when doing AD queries. We
> > found it was simpler to use a custom attribute that contained a single text
> > value rather than looking at group membership or OU as search starting
> > point. This made it extremely easy to create the two GAL queries as we just
> > did it on the value in custom attribute X. It also allowed us to apply this
> > to the other Exchange mail objects - like public folders, distribution
> > lists, contacts and split these between the two groups as well. -
> >
> > You will need to remove the default permissions (giving everyone access) to
> > both GALs and add the security group that is for each GAL.
> >
> > Note: if a user has access to both GALs they will get the one with the
> > largest number of objects in it.
> >
> > Note: If the user is not in one of the security groups AND does not in our
> > case have the custom attribute set they will not be able to resolve their
> > name in the GAL and will not be able to create an Outlook Profile. So
> > helpdesk and user admin people need to be aware of this.
> >
> > You can leave the default GAL as a super list of everyone both Staff and
> > Students. Very useful for support staff. Or you could make a business
> > decision that Staff can see all, but students can only see students. Anyway
> > remove the everyone group from this list.
> >
> > Also you will need to do it for the All Groups address list as well. Just
> > because it isn't in the GAL doesn't
> > stop it (in this case) from being included in address lists lower down. This
> > will probably leave a stub folder that each user can see but not open. They
> > will not be able to open it as you will have set permissions on it. But
> > because of the permissions on the container above it still gets listed. To
> > hide it completely you need to take a few more steps:
> >
> > 1. In ADSI edit go to cn=directory service, cn=windows nt, cn=services,
> > cn=configuration, dc=DOMAIN. Go to properties, to the dsHeuristics attribute,
> > and set this as 001.
> > 2. Go to the Address Lists container in ADSI edit, under the configuration
> > container in the Exchange Org, remove authenticated users permissions on the
> > security tab and apply. Then go to the advanced security page and add
> > authenticated users and CHOOSE "This Object Only" and grant List Objects,
> > List Contents.
> > 3. Go to Exchange System Manager to the All Addresses Container. Properties,
> > advanced security. Add authenticated users "this Object Only", select List
> > Object.
> > 4. Create address list and apply permissions on who you want to see it.
> >
> > Also you need to configure another Offline Address Book so that there is one for
> > staff and one for students.
> >
> > These links outline most of the steps (except the stub address lists):
> > You can create multiple GALs using this article:
> > http://support.microsoft.com/default.aspx?kbid=318635
> >
> > Also create address lists for both companies and set security on the lists:
> > http://support.microsoft.com/default.aspx?scid=kb;EN-US;319213
> >
> >
> >
> > Glen
> >
> >
> >
> >
> >
> >
> > "Dean" <deanbo21@yahoo.co.uk> wrote in message
> > news:3ed225a4.0410220408.3fd048ee@posting.google.com...
> > > We run a college environment and have just recently implemented
> > > Exchange 2003 for Students. The problem is that all student users
> > > appear in and can view the Default Global Address List. I have read
> > > various posts on removing access to the Default GAL but none have
> > > worked. The idea is to hide the Default GAL from Students and Staff
> > > and then create two separate address books for the required groups.
> > >
> > > I have carried out the following tasks after reading a couple of
> > > posts:
> > >
> > > Remove inheritance of rights from the Default Global Address List.
> > > Under advanced properties, I denied List Contents and List Object to
> > > the Authenticated Users Group. I also cleared the Read check box. I
> > > also cleared all check boxes under the Everyone group. When logging on
> > > as a Student or member of staff, I can still see the contents of the
> > > GAL.
> > >
> > > The only way to remove the contents is to deny Open Address Book. The
> > > problem with this is that profiles cannot be created as Outlook cannot
> > > resolve the name to an address book.
> > >
> > > Can anyone give me some more insight as this is driving me mad.
> > >
> > > Thanks in advance.
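
An audit sketch for the permission changes described in this thread, added here as an example and not posted by any participant: it reads dsHeuristics and lists every address list object on which Everyone or Authenticated Users still holds an allow ACE, flagging ACEs that grant Open Address Book. It assumes a domain-joined host with read access to the configuration partition; the search base and the Open Address Book rights GUID (taken from the Active Directory schema) are assumptions not stated in the thread.

```powershell
# Added example, not from the thread: audit broad ACEs on Exchange address lists.
$openAddressBook = [guid]'a1990816-4298-11d1-ade2-00c04fd8d5cd'  # Open Address Book extended right (assumed from AD schema)
$broadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }
$sidType   = [System.Security.Principal.SecurityIdentifier]
$extended  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext

# dsHeuristics is the attribute the thread edits in ADSI Edit (step 1 of hiding the stub list).
$dirSvc = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
Write-Output ("dsHeuristics: '{0}'" -f $dirSvc.psbase.Properties['dSHeuristics'].Value)

# GALs and ordinary address lists are addressBookContainer objects under the Exchange org.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
$searcher.Filter     = '(objectClass=addressBookContainer)'
$searcher.PageSize   = 500

$findings = foreach ($hit in $searcher.FindAll()) {
    $sd = $hit.GetDirectoryEntry().psbase.ObjectSecurity
    # Include explicit and inherited ACEs, with trustees returned as SIDs.
    foreach ($ace in $sd.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if (-not $broadSids.ContainsKey($sid)) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # An ExtendedRight ACE with an empty ObjectType covers all extended rights.
        $grantsOpen = (($ace.ActiveDirectoryRights -band $extended) -ne 0) -and
                      ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $openAddressBook)
        [pscustomobject]@{
            AddressList        = $hit.Properties['distinguishedname'][0]
            Trustee            = $broadSids[$sid]
            Rights             = $ace.ActiveDirectoryRights
            OpenAddressBook    = $grantsOpen
            Inherited          = $ace.IsInherited
            InheritanceBlocked = $sd.AreAccessRulesProtected
        }
    }
}

if ($findings) {
    $findings | Sort-Object AddressList | Format-List
} else {
    Write-Output 'No allow ACEs for Everyone or Authenticated Users on any address list.'
}
```

An entry with `Inherited = True` means the ACE comes from a parent container, so it will persist until inheritance is removed on that address list as described in the posts above.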