Block Users Seeing Exchange 2010 Global Address List (GAL) – Applies to Exchange 2007 Also
On a recent project I was asked if I could block certain users from seeing the Default Global Address List. These users worked for the client's external sourcing business; they needed to send mail on behalf of the client, but the client did not want them to be able to see other users in the GAL.
Having a quick look around, I thought this would be simple, but I could not find a way of stopping these users from seeing the GAL. GAL segmentation is almost here for Exchange hosted solutions, but for on-site Exchange 2010 solutions it's not so simple. I found a way of doing it. I'm the first to agree this is what I call a BODGE, however it does the job. So read on if you want to block users seeing the Exchange 2010 Global Address List. There is a video walkthrough at the end of the article.
Solution
Well, it's a bodge, but it looks good. The first thing you need to do is create a security group; call it BlockGAL. Then add to it the users you do not want to be able to view the GAL.
Once done, on a Domain Controller, run ADSI Edit.
Then navigate to the following branch:
CN=Configuration, CN=Services, CN=Microsoft Exchange, CN=YOUR-ORG, CN=Address Lists Container, CN=All Global Address Lists
On the right-hand side you will now see your Global Address List. Right-click it and select Properties, then the Security tab.
Simply click Add, add the security group you have created, and then select Deny for the Read right. Voila! The users will now not be able to see the GAL.
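A scripted version of the steps above, added here as an example and not taken from the original post, so the change is repeatable and the resulting deny entries can be reviewed. It assumes the Exchange Management Shell with the ActiveDirectory module available, hypothetical user names, a Universal group scope, and that the "Read" checkbox in ADSI Edit corresponds to the GenericRead access right.

```powershell
# Added example: run in the Exchange Management Shell on a machine with RSAT.
Import-Module ActiveDirectory

$groupName = 'BlockGAL'                     # group name used in the article
$members   = @('ext.user1', 'ext.user2')    # hypothetical sAMAccountNames

# 1. Create the security group if it is missing (scope is an assumption).
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Universal `
                         -GroupCategory Security -PassThru
}

# 2. Add only the users who are not already members, so a re-run does not fail.
$current = @(Get-ADGroupMember -Identity $group |
             Select-Object -ExpandProperty SamAccountName)
$toAdd = @($members | Where-Object { $current -notcontains $_ })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $toAdd
}

# 3. Deny Read on each global address list object, skipping lists that
#    already carry a deny entry for the group.
foreach ($gal in Get-GlobalAddressList) {
    $existing = Get-ADPermission -Identity $gal.DistinguishedName |
        Where-Object { $_.Deny -and $_.User.ToString() -like "*\$groupName" }
    if (-not $existing) {
        Add-ADPermission -Identity $gal.DistinguishedName -User $groupName `
                         -AccessRights GenericRead -Deny
    }
}

# 4. Review: list every deny entry now present on the GAL objects.
Get-GlobalAddressList | ForEach-Object {
    Get-ADPermission -Identity $_.DistinguishedName |
        Where-Object { $_.Deny } |
        Select-Object Identity, User, AccessRights, Deny, IsInherited
}
```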
Ian Jennings
Hi Alan,
This didn't work, I have Exchange 2010.
Do you think I need to restart? It's a demanding server so I can only restart at 3 in the morning.
Regards
Ian
Reply
Allen White
Hi Ian, no, it should not need a restart as it is a security change. Has the user not just cached the GAL? This article was also created before GAL segmentation arrived; if you run Exchange 2010 SP3 you can now specify via policy what parts of the GAL users can use.
Reply
Roxanne C
I initially had the same issue, then figured it out by placing Deny permissions on all subcontainers of Address Lists Container.
I’m on Exchange 2013.
A big thanks to the author of the post, this is awesome!
Reply
IT Guy
The ADSI security denials didn't work in my case for Exchange 2010, even though I've seen other documentation indicating it should also. Tried denying @
“CN=Address Lists Container,CN=mycompany,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain1,DC=com”
“CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=mycompany,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain1,DC=com”
and also CN=Offline Address Lists & CN=mycompany OAB
What did work was on the Exchange server >> IIS Manager >> Sites >> Default Web Site >> OAB >> Edit Permissions >> Security >> deny any read access to the user/group
Reply
Daniel Sølvertorp
This was just what I needed! Thank you. Works like a charm when you have created the GAL etc.
Reply
varun
Thanks for sharing the information.
Currently, we have 2 GALs. We need to divide the GALs between groups.
Group 1 can see only GAL A and vice versa.
Currently we have Exchange 2013 SP1.
Please share the steps, and also what we need to do with the OAB for MAPI connections.
Reply