Re: OFFLINE ADDRESS BOOK SECURITY ISSUE

Dave, I appreciate the help and patience, but I don't understand what exactly
you are suggesting I test. The filters seem to work fine when I preview them
and when users use them in non-cached mode (i.e. in terminal services).

"Dave Goldman [MSFT]" wrote:

It looks like your filters are not working properly and they are just
getting a copy of the gal and this is why I suggested the test. If they
truly were filtered you should not have this problem.

Dgoldman

"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C1FF5302-76F9-46D4-B284-D6C0660A17A2@xxxxxxxxxxxxxxxx
I'm sorry, but I need you to explain a little bit. I'm only having the
trouble when users turn on cached mode. Are you saying this can't be
done?

"Dave Goldman [MSFT]" wrote:

Because users running in Online mode are pulling from the GAL directly, which you cannot really restrict as much as you want without breaking the functionality for the Outlook clients. If you restrict it too far you will start getting BOOKMARK_NOT_FOUND errors, check names errors, etc.

Dgoldman

"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E0542C13-2594-46AF-8235-B9E313B357DC@xxxxxxxxxxxxxxxx
Thanks Dave, let me give some more info here because I believe I've done all of this.

1. I do have multiple Address Lists restricted by security groups
2. I have multiple OABs that have a particular Address List associated with them, also restricted with ACLs
3. I have a script that sets the UseOAB property, so I'm not too worried about that
4. The Outlook clients do not see any of the Address Lists under All Address Lists because I've removed them

My question is, with this setup, why can a user running in non-cached mode see what I want them to see, but in cached mode they see everything? The OAB that they can access is restricted by ACL and only has one address list associated with it.

I'm pretty stuck as you can tell.

"Dave Goldman [MSFT]" wrote:

The global address list is a compilation of every object that is read right from the Active Directory. If you have created separate address lists that are filtered and then acl'ed off of the GAL you should have no problems. The reason why this is working in Online mode is you are going right to the Active Directory for the data and the acls are being evaluated on the AD containers way before the data is given back.

Using the msExchUseOAB key only forces a user to download a particular OAB. You might want to try using something like custom attribute 10 with something and then building that OAB based on that filtered search, then have the users download that one. You also can't lock down the GAL too much, otherwise you will break check names functionality.

Just to let you know, the Microsoft Hosting solutions is your best bet if you are going to be hosted, as self hosting is somewhat de-emphasized due to the complexity of it.

You can create a new security group
Create a new user
Populate attribute 10 with something like "Test OAB"
Build a new OAB using a new filter and search for attribute 10
Rebuild that OAB
Make sure that you either have all of those users on the same mailbox store and associate that new OAB with that mailbox store so you don't have the nightmare of changing the msExchUseOAB attribute for everyone, or do it for everyone.
Have that new user log in and you will see that this works.

Also you cannot stop an Outlook client from seeing all of the address lists in the Outlook drop down pane unless you remove all of the read rights, for the fact that Outlook builds a list of address lists it can use and will choose the first one.

Dgoldman
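The following script is an added example, not code from either poster, for checking what Dave asks Dan to verify in this message and in his later reply ("they are just getting a copy of the gal"): which OAB a user is pointed at, which address list feeds that OAB, and whether that list's filter really narrows the directory or effectively matches the whole GAL. It runs on a domain-joined Windows machine with PowerShell and read access to the Exchange configuration container. msExchUseOAB is the attribute named in the thread; offLineABContainers, purportedSearch and extensionAttribute10 are the AD schema names I believe Exchange 2003 uses for the OAB's source address lists, an address list's LDAP filter, and custom attribute 10, and should be confirmed in ADSI Edit before the output is trusted. The sAMAccountName "testuser" is a constructed sample value.

```powershell
# Added diagnostic for the OAB thread above; not the posters' code.
# Assumes: domain-joined host, read access to AD and the Exchange config container.
# Attribute names other than msExchUseOAB are assumed Exchange 2003 schema names.
param(
    [string]$UserSamAccountName = "testuser"   # constructed sample value
)

$rootDse   = [ADSI]"LDAP://RootDSE"
$defaultNC = $rootDse.defaultNamingContext

function Find-One([string]$Base, [string]$Filter, [string[]]$Props) {
    # Single-object search helper over System.DirectoryServices.
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.SearchRoot = [ADSI]"LDAP://$Base"
    $ds.Filter = $Filter
    foreach ($p in $Props) { [void]$ds.PropertiesToLoad.Add($p) }
    return $ds.FindOne()
}

# 1. Which OAB is the user forced to download (msExchUseOAB), and what is in
#    custom attribute 10 (extensionAttribute10), which Dave suggests filtering on?
$user = Find-One $defaultNC "(&(objectCategory=person)(sAMAccountName=$UserSamAccountName))" `
                @("distinguishedName", "msExchUseOAB", "extensionAttribute10")
if (-not $user) { throw "User $UserSamAccountName not found" }

$userDN = $user.Properties["distinguishedname"] | Select-Object -First 1
$oabDN  = $user.Properties["msexchuseoab"]      | Select-Object -First 1
$attr10 = $user.Properties["extensionattribute10"] | Select-Object -First 1
"User:                 $userDN"
"msExchUseOAB:         $oabDN"
"extensionAttribute10: $attr10"

if (-not $oabDN) {
    "msExchUseOAB is empty; the client will fall back to the mailbox store's default OAB."
    return
}

# 2. Which address list(s) is that OAB generated from? (assumed attribute: offLineABContainers)
$oab = [ADSI]"LDAP://$oabDN"
foreach ($alDN in @($oab.offLineABContainers)) {
    $al     = [ADSI]"LDAP://$alDN"
    $filter = [string]$al.purportedSearch     # assumed attribute: the list's LDAP filter
    "Address list:     $alDN"
    "  purportedSearch: $filter"

    # 3. Evaluate the filter the way the OAB generator would: count everything it matches
    #    and check whether this user is included. A count equal to the whole directory
    #    means the OAB is an unfiltered copy of the GAL, which is the symptom in the thread.
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.SearchRoot = [ADSI]"LDAP://$defaultNC"
    $ds.Filter   = $filter
    $ds.PageSize = 1000
    [void]$ds.PropertiesToLoad.Add("distinguishedName")
    $matches = $ds.FindAll()
    $includesUser = $false
    foreach ($m in $matches) {
        if (($m.Properties["distinguishedname"] | Select-Object -First 1) -eq $userDN) { $includesUser = $true; break }
    }
    "  objects matched: $($matches.Count)"
    "  includes $UserSamAccountName`: $includesUser"
    $matches.Dispose()
}
```

Run it once for a user who should see the restricted list and once for a user who should not: if both users match the same purportedSearch, or the match count is the size of the whole GAL, the OAB contents are not being filtered at all, regardless of the ACLs on the OAB object, because the generator builds the file with its own rights and the client simply downloads it.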

"Dan" <Dan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4AE8F721-10BC-4C3C-8492-F64058621F2B@xxxxxxxxxxxxxxxx
Hello. I am running Exchange 2003 SP2 on Windows 2003 R2. I have multiple GALs in order to secure off certain employees, and that works just fine; users only see the people in their GAL. The problem I have is that when I configure offline folders, users can see EVERYONE. I have secured the OAB and the GAL so that only the respective security groups can see their address list, but the OAB doesn't seem to respect those permissions. I have also set the UseOAB property through adsiedit, but it still doesn't work.

Any suggestions?