Home Network Admin Hide Address Lists from OWA Users

Hide Address Lists from OWA Users


This is an interesting situation.  Let’s say you have an Exchange user account you want to setup to use OWA (Outlook Web Access), but you don’t want the user to see your Global Address List.  I can think of two cases where this would be desireable. 1. You have an Exchange server setup that has multiple organizations sharing and you don’t want them seeing each other’s lists.  2. You want to provide a lightweight email address to an unsecure inhouse computer.  Yes, you could use Express with POP3, but using OWA you won’t have local email to worry about, everything stays on the server.

Anyway, if this is what you want to do, here’s the steps:

  1. Microsoft used to have a KB article up on how to Manage Address Lists When You Host Virtual Organizations, but they removed it for some unknown reason.  However, it’s still in a web archive HERE so go there and print that out first.  I’m actually going to repeat some of the instructions here though, so that they aren’t lost forever if that archive goes down.
  2. There is a special attribute setting for users which controls how OWA searches the Address lists known as msExchQueryBaseDN
  3. In order to set this attribute for a user, you will need a tool called ADSI Edit, which is included in the Server Support Tools by default, but can be installed separately if you wish.  ADSI Edit is Here
  4. Open up ADSI Edit (adsiedit.msc) and follow these instructions:

Modify the msExchQueryBaseDN Attribute for Each User

To limit the scope of a directory service search with Outlook Web Access, set the msExchQueryBaseDN attribute on each user object. The value that is specified for the msExchQueryBaseDN attribute limits the searches and the ambiguous name resolution queries that a user can perform. Use the ADSI Edit snap-in to set the msExchQueryBaseDN attribute on a user object. To do this, follow these steps.Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

1. Log on to the domain controller as administrator.
2. Start the ADSI Edit. To do this, follow these steps:

a. Install Windows 2000 Support Tools. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

246926 Folder Listing of the Support Tools Included in Windows 2000
b. Register the Adsiedit.dll file by using Regsvr32. To do this, follow these steps:

1. Click Start, and then click Run.
2. In the Open box, type the following line, and then click OK:

regsvr32 “drive:\program files\support tools\adsiedit.dll”
c. Open Microsoft Management Console (MMC), and then add ADSI Edit.
3. In the root directory, right-click ADSI Edit, and then click Connect to.
4. In the Connection dialog box, click Domain NC in the Naming Context list, and then click OK.
5. Click a computer or a domain to log on to, and then click OK.

Alternatively, click OK to use the domain or server that you are logged on to.

6. Expand Domain NC, and then expand dc=domain,dc=com.
7. Locate and expand the appropriate organizational unit, right-click the user who you want to set viewing restrictions for, and then click Properties.
8. In the Select a property to view list, click msExchQueryBaseDN.
9. Copy the distinguished name of the organizational unit that the user belongs to, and then paste the distinguished name in the Edit Attribute box.

For example, you may paste the following: ou=customer1,dc=domain,dc=com

10. Click Set, and then click OK.

Note You can set the msExchQueryBaseDN attribute on a user object to restrict the visibility of directory entries that can be mailed that are returned by the ambiguous name resolution function and by the Global Address List find functions. You can set the value for the property either to the distinguished name of an object container (common name or organizational unit) or to an address list. In the first scenario, the distinguished name is used as the base distinguished name for Global Address List queries and for ambiguous name resolution queries. In the second scenario, the distinguished name must match one of the ShowInAddressBook values on a directory object for it to be returned by an ambiguous name resolution or by a Global Address List search.

NOTE: If your aim is to take away the entire Global Address List and leave the user with nothing to lookup at all, then set the OU to an OU that doesn’t contain any addresses at all.

If you want to deny the account any other permissions, like let’s say you want to allow it to receive email and not be able to send email, then don’t forget to set that up too.  You can do this with an Exchange SMTP Connector (google it) or if you have a front-end back-end solution like SonicWall, you can just use Outbound Filtering to achieve the same result (depends where you want to block it at).

NOTE 2:  If you’re dealing with an Outlook client, you can set Address List access using security: Go to the address book in ESM, properties, permissions, security tab, deny that security group

If you want the user not to see the lists at all then you will need separate Global Access Lists for each OU… click here


Please enter your comment!
Please enter your name here