Experience Exchange Sever

December 7, 2011

GAL Segregation in Exchange 2007


Note: This complete article was written with reference to http://technet.microsoft.com/en-us/exchange/bb936719.aspx; please visit that page if you need more information in detail.

This article provides the information that you need to configure Microsoft Exchange Server 2007 with multiple address lists so different groups of users can have their own address list and secure those address lists so that groups of users can see only their specific address list.

Note: This is officially not supported in Exchange 2007, but it is supported by Microsoft in Exchange 2010 SP2, which was released yesterday. Before going with Exchange 2010 I wanted to try it with Exchange 2007 in my lab, and finally did it.

Note: Please do not try this in exchange server 2010.  If you try to apply these steps in an Exchange 2010 environment, significant issues may occur, and it may not be possible to resolve these issues.

My Setup:

Existing domain:

Domain Name: Exmailservice.com

DC : Exch-dc-01

Exchange server 2007: Exch32-Srv-01 (all three roles installed)

New Domain:

Domain Name: Lab01.com

We consider here that the Exmailservice.com domain has acquired Lab01.com. Lab01.com has no Exchange server, whereas Exmailservice.com already has Exchange Server 2007 installed. So we are going to use the linked mailbox concept here and then segregate the GAL for security reasons.

I've created a forest trust between the two domains and I'm able to create linked mailboxes, but when I log in as a Lab01.com user, that user is also able to see the address lists of the Exmailservice.com domain, as you can see here:

Before GAL segregation

Here I logged in using the Lab01 domain user (first user), who is also able to see the exmailservice.com address lists, which is not recommended by our security team.

To achieve this we are going to follow the below steps:

1. Configuring a Segregated Organization

2. Adding a Segregated Company to the Environment

3. Adding a New User to the Environment

4. Post User Creation Steps


1. Configuring a Segregated Organization:

By default, users in Exchange Server 2007 can see all the address lists. You must create separate address lists, a GAL and an offline address list for each group, and use filters to limit each of them to the appropriate users.

Preparing Your Environment for Segregated Exchange:

  • Set the dsHeuristics value
  • Create an Organizational Unit to contain all segregated virtual organization OUs
  • Modify permissions on the All Address Lists container
  • Delete the default Address Lists
  • Restrict Access to the Default Global Address List
  • Restrict Access to the Offline Address Lists container
  • Create a Security Group for all Hosted Groups

Set dsHeuristics Value:

  1. Open ADSIEdit.
  2. Expand CN=Configuration.
  3. Expand CN=Services.
  4. Expand CN=Windows NT.
  5. Select CN=Directory Service.
  6. Right click CN=Directory Service and click Properties.
  7. Select the attribute dsHeuristics.
  8. Set the value to 001.

Create an Organizational Unit to contain all segregated virtual organization OUs:

  1. Start Active Directory Users and Computers.
  2. In the left pane, right-click your domain (the very top object).
  3. Click New, and select Organizational Unit.
  4. Type Companies, and click OK.

Modify permissions on the All Address Lists container:

Get-ADPermission "All Address Lists" | Where {($_.User -like 'NT Authority\Authenticated Users') -and ($_.IsInherited -eq $false)} | Remove-ADPermission

Confirm with Yes to apply this setting.

To delete default address lists please use below commands:

remove-addresslist “All Contacts”

remove-addresslist “All Groups”

remove-addresslist “All Rooms”

remove-addresslist “All Users”

remove-addresslist “Public Folders”

 

Restrict Access to the Default Global Address List:

To use the Exchange Management Shell to modify the security permissions on the Default Global Address List for the Authenticated Users group, run the following command:

Get-GlobalAddressList "Default Global Address List" | Add-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny:$True

Restrict Access to the Offline Address Lists Container:

To use the Exchange Management Shell to modify the security permissions on the Offline Address Lists container for the Authenticated Users group:

Please run the below commands one by one:

Step 1:

$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Exmailservice,DC=com"

Step 2:

Remove-ADPermission $container -User "NT AUTHORITY\Authenticated Users" -ExtendedRights 'ms-Exch-Download-OAB'

Step 3:

$oabContainer = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=exmailservice,DC=com"

To verify this you can run this command:

Get-ADPermission $oabContainer -User "Authenticated Users"
The output should be like this:

Identity             User                 Deny  Rights

Offline Address L… NT AUTHORITY\Auth… False ms-Exch-Download-OAB
Offline Address L… NT AUTHORITY\Auth… False ListChildren
Offline Address L… NT AUTHORITY\Auth… True  ReadProperty

Create a Security Group for all Hosted Groups:

If you already created this group manually using the GUI, please make sure it was created as a Security group.

Please use the below command to create a new security group:

New-DistributionGroup -Name "All Hosted Groups SG" -OrganizationalUnit "Exmailservice.com/Companies" -SamAccountName "AllHostedGroupsSG" -Alias "AllHostedGroupsSG" -Type "Security"

To deny this group the default read permission on the Address Lists container, run the below command:

Add-ADPermission -Identity "CN=Address Lists Container,CN=Exmailservice,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Exmailservice,DC=com" -User "All Hosted Groups SG" -AccessRights GenericRead -Deny

Then run the below command:

Add-ADPermission -Identity "CN=Address Lists Container,CN=Exmailservice,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Exmailservice,DC=com" -User "All Hosted Groups SG" -AccessRights ReadProperty -Properties "Open Address List" -Deny

Note: You must modify the example DN to reflect the DN for your Address Lists container. Normally only the "DC" entries need to be modified if the Exchange installation was a "default" installation.
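Before moving on to the company objects, it is worth checking that the deny entries from this section really landed where they should. The following read-only audit script is an added example and is not part of the original post or the TechNet article; run it in the Exchange 2007 Management Shell. The DNs are the lab values from this post (the post uses two different organization names, "First Organization" and "Exmailservice"), so replace $orgDn with the DN of your own organization object.

```powershell
# Added example (not from the original post): audit the ACEs created in
# "Configuring a Segregated Organization". Read-only; nothing is changed.
# $orgDn is a lab value from this post - replace it with your organization's DN.

$orgDn        = "CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Exmailservice,DC=com"
$alContainer  = "CN=Address Lists Container,$orgDn"
$oabContainer = "CN=Offline Address Lists,$alContainer"
$authUsers    = "NT AUTHORITY\Authenticated Users"
$hostedGroup  = "All Hosted Groups SG"

function Find-Ace {
    # Returns the explicit (non-inherited) ACEs in $Aces that carry $Right and
    # whose Deny flag equals $Deny. Access rights and extended rights are
    # compared by name, so "GenericRead" and "Open-Address-Book" both work.
    param($Aces, [string]$Right, [bool]$Deny)
    foreach ($ace in @($Aces)) {
        if ($ace -eq $null -or $ace.IsInherited -or $ace.Deny -ne $Deny) { continue }
        $names = @()
        foreach ($r in @($ace.AccessRights))  { $names += "$r" }
        foreach ($r in @($ace.ExtendedRights)) { $names += "$r" }
        if ($names -contains $Right) { $ace }
    }
}

function Write-Check([string]$Name, [bool]$Pass) {
    # One PASS/FAIL line per check
    if ($Pass) { $state = "PASS" } else { $state = "FAIL" }
    Write-Output ("{0}  {1}" -f $state, $Name)
}

$galAces = Get-GlobalAddressList "Default Global Address List" | Get-ADPermission -User $authUsers
$oabAces = Get-ADPermission -Identity $oabContainer -User $authUsers
$alcAces = Get-ADPermission -Identity $alContainer  -User $hostedGroup

# Default GAL: Authenticated Users must carry an explicit Deny for Open-Address-Book
Write-Check "Default GAL denies Open-Address-Book to Authenticated Users" `
    ([bool](Find-Ace $galAces "Open-Address-Book" $true))

# OAB container: the explicit Allow for ms-Exch-Download-OAB must be gone
Write-Check "OAB container has no explicit ms-Exch-Download-OAB allow for Authenticated Users" `
    (-not (Find-Ace $oabAces "ms-Exch-Download-OAB" $false))

# Address Lists container: the hosted group must be denied GenericRead and ReadProperty
Write-Check "Address Lists container denies GenericRead to $hostedGroup" `
    ([bool](Find-Ace $alcAces "GenericRead" $true))
Write-Check "Address Lists container denies ReadProperty to $hostedGroup" `
    ([bool](Find-Ace $alcAces "ReadProperty" $true))
```

A FAIL on the first line usually means the Add-ADPermission against the Default Global Address List was run without -Deny:$True; a FAIL on the second means the Remove-ADPermission in Step 2 was run against a DN that does not match your organization name.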

2. Adding a Segregated Company to the Environment:

Create an Organizational Unit for the Company

  1. Start Active Directory Users and Computers.
  2. In the left pane, select the Companies OU.
  3. Right-click the Companies OU.
  4. Click New, and select Organizational Unit.
  5. Type Lab01, and click OK.

    Create a new OU called companies

Adding a UPN Suffix:

Adding a new UPN suffix allows users of the new company to log on with a different UPN address than the one used in the domain.

  • Start Active Directory Domains and Trusts.
  • Right-click Active Directory Domains and Trusts (not your domain name) and select Properties.
  • On the Alternative UPN Suffixes tab, type Lab01, click Add, and click OK.

 

Modify the UPN Suffix attribute:

By modifying the upnSuffix attribute, you limit the domain dropdown list when creating new users in Active Directory. The list will only include the UPN of the original domain and the new suffix added below.

  • Open ADSIEdit.
  • Expand the Domain Naming Context.
  • Right click the OU and select Properties.
  • Select the upnSuffixes attribute and click Edit.
  • Enter the new company UPN suffix and click Add (Example: Lab01.com).
  • Click OK two times to close out of the properties.

Create a Security Group for the Users:

 

Use PowerShell to create a security group (the alias must not contain spaces, so it is written without one here):

New-DistributionGroup -Name "Lab01 SG" -OrganizationalUnit "Exmailservice.com/Companies/Lab01" -SamAccountName "Lab01SG" -Alias "Lab01SG" -Type "Security"

    Create a new security group for Lab01 users

Run the below command to make Lab01 SG a member of All Hosted Groups SG:

Get-DistributionGroup -Name "All Hosted Groups SG" | Add-DistributionGroupMember -Member "Lab01 SG"

Making member of all hosted groups

Create a new accepted domain:

 

You must configure an accepted domain before that SMTP namespace can be used in an e-mail address policy.

MS recommends: Accepted domains are configured on computers that have the Hub Transport server role installed and on computers that have the Edge Transport server role installed. We recommend that you configure accepted domains only on the Hub Transport server role and then populate that data on the Edge Transport server by using the Edge Subscription process.

Use below command to create new accepted domain:

  
New-AcceptedDomain -Name "Lab01" -DomainName "Lab01.com" -DomainType Authoritative

Create a new accepted domain for Lab01 domain

 

After you configure the accepted domain, you must verify that a public Domain Name System (DNS) mail exchange (MX) resource record for that SMTP namespace exists and that the MX resource record references a server name and an IP address that is associated with the Exchange organization.

Create a new email address policy:

For a recipient to receive or send e-mail messages, the recipient must have an e-mail address. E-mail address policies generate the primary and secondary e-mail addresses for your recipients (which include users, contacts, and groups) so they can receive and send e-mail.

Use below command to create new email address policy:

New-EmailAddressPolicy -Name "Lab01" -IncludedRecipients 'AllRecipients' -ConditionalCompany "Lab01" -Priority '1' -EnabledEmailAddressTemplates "SMTP:%g%s@Lab01.com"

Using company name for filtering the objects

Results of Lab01 domain users email address

Here we are filtering the recipients using their company name. In this scenario, if the user's company name is equal to Lab01, this address policy will apply to them.

As you can see in the above figures, if the company name is set to Lab01, their primary email address will be like in the second picture.

Create a new address list:

Run the following command to create Lab01 address list:

New-AddressList -Name "Lab01 AL" -Container '' -IncludedRecipients 'AllRecipients' -conditionalcustomattribute1 "Lab01"

Modify the permissions on the address list:

Important: While failure to perform this step will not allow users from one company to see the users of another company, it will allow them to see the names of the address book entries for every company from within Outlook. This will mean that all segregated users will be aware of the names of the other segregated groups in the organization.

 

Run below commands to achieve this:

Get-AddressList "Lab01 AL" | Remove-ADPermission -User "Authenticated Users" -AccessRights genericread 
-ExtendedRights "open address list" -deny:$false

Get-AddressList "Lab01 AL" | Add-ADPermission -User "Lab01 SG" -extendedrights "open address list" 
-deny:$false

Create a new Global Address List:

 

GALs define a set of rules for looking up users in a global address book—for example, by alias name, long name, group name, and so on. Use the following procedure to create a GAL for the organizational unit Lab01.

Run the following command:

New-GlobalAddressList -Name "Lab01 GAL" -RecipientFilter {(alias -ne $null -and company -eq "Lab01")}
 
Creating new GAL for Lab01 domain
 
Create a new offline address list:
 
 

To create an OAB that uses Web-based distribution for clients running Outlook 2007, run the following command:

New-OfflineAddressBook -Name "Lab01 OAB" -Server exch32-srv-01 -AddressLists "Lab01 AL" -VirtualDirectories "exch32-srv-01\OAB (Default Web Site)"

Create a new offline address list for Lab01 users

Note: If you configure OABs to use public folder distribution, but your organization does not have any public folder infrastructure, you will receive a warning or an error resembling the following: WARNING: Your organization does not have a public folder tree. Only Outlook 2007 or later can access offline address books from a web-based distribution point, if one is configured.

To create an OAB that uses public folder distribution for clients running Outlook 2003 or earlier, run the following command:

New-OfflineAddressBook -Name "Lab01 OAB" -Server exch32-srv-01 -AddressLists "Lab01 AL" -VirtualDirectories "exch32-srv-01\OAB (Default Web Site)" -PublicFolderDistributionEnabled $true

Modifying the offline address list permission:

Use the following procedure to set the appropriate permissions on the Lab01 OAB. After you perform this procedure, only users who are members of the Lab01 security group will be able to access the offline address list.

Get-OfflineAddressBook "Lab01 OAB" | Add-ADPermission -User 'Lab01 SG' -ExtendedRights 'ms-Exch-Download-OAB' -Deny:$false

Modifying the offline address list permission
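The steps in this section are the same for every company you add, and the objects only work together if their names and filters line up (the group that the address list grants access to, the company value the policy and GAL filter on, the address list the OAB is built from). The function below is an added example, not code from the original post or from TechNet, that runs the section's commands for one company name. It assumes the lab values from this post (Exmailservice.com, exch32-srv-01, the Companies OU and All Hosted Groups SG) and that the company OU has already been created in Active Directory Users and Computers as described above. One deliberate difference: the address list here filters on Company, the same attribute the e-mail address policy and the GAL use, rather than on CustomAttribute1 as the New-AddressList command above does.

```powershell
# Added example (not from the original post): create all per-company objects
# from section 2 with consistent names. Assumes the lab names from this post;
# $Server, $OabVirtualDirectory and $ParentOu must match your environment, and
# the OU "$ParentOu/$Company" must already exist.

function New-SegregatedCompany {
    param(
        [string]$Company,                       # e.g. "Lab01"; used in every object name and filter
        [string]$SmtpDomain,                    # e.g. "Lab01.com"
        [string]$Server = "exch32-srv-01",
        [string]$OabVirtualDirectory = "exch32-srv-01\OAB (Default Web Site)",
        [string]$ParentOu = "Exmailservice.com/Companies",
        [int]$Priority = 1
    )
    $sg  = "$Company SG"
    $al  = "$Company AL"
    $gal = "$Company GAL"
    $oab = "$Company OAB"

    # Security group for the company's users, nested under All Hosted Groups SG
    # (alias and sAMAccountName without spaces)
    New-DistributionGroup -Name $sg -OrganizationalUnit "$ParentOu/$Company" `
        -SamAccountName ($Company + "SG") -Alias ($Company + "SG") -Type "Security" | Out-Null
    Add-DistributionGroupMember -Identity "All Hosted Groups SG" -Member $sg

    # Accepted domain and e-mail address policy keyed on the Company attribute
    New-AcceptedDomain -Name $Company -DomainName $SmtpDomain -DomainType Authoritative | Out-Null
    New-EmailAddressPolicy -Name $Company -IncludedRecipients AllRecipients -ConditionalCompany $Company `
        -Priority $Priority -EnabledEmailAddressTemplates "SMTP:%g%s@$SmtpDomain" | Out-Null

    # Address list at the root container, readable only by the company's group
    New-AddressList -Name $al -Container '\' -IncludedRecipients AllRecipients -ConditionalCompany $Company | Out-Null
    Get-AddressList $al | Remove-ADPermission -User "Authenticated Users" -AccessRights GenericRead `
        -ExtendedRights "Open-Address-Book" -Deny:$false -Confirm:$false
    Get-AddressList $al | Add-ADPermission -User $sg -ExtendedRights "Open-Address-Book" -Deny:$false | Out-Null

    # Company GAL with the same Company filter, then the OAB built from the address list
    New-GlobalAddressList -Name $gal -RecipientFilter "(Alias -ne `$null) -and (Company -eq '$Company')" | Out-Null
    New-OfflineAddressBook -Name $oab -Server $Server -AddressLists $al `
        -VirtualDirectories $OabVirtualDirectory | Out-Null
    Get-OfflineAddressBook $oab | Add-ADPermission -User $sg -ExtendedRights "ms-Exch-Download-OAB" -Deny:$false | Out-Null
}

# Usage for this post's lab company
New-SegregatedCompany -Company "Lab01" -SmtpDomain "Lab01.com"
```

Web-based OAB distribution is used, as in the first New-OfflineAddressBook command above; add -PublicFolderDistributionEnabled $true inside the function if you still have Outlook 2003 clients.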

  

3. Adding a new user into the environment:

  • Create a mailbox for the new user.

To use the Exchange Management Shell to add a single member to a distribution group, run the following command for a single user:

Get-Mailbox "second user" | Add-DistributionGroupMember -Identity "Lab01 SG"

Adding single user into the environment

Run the following command for multiple users:

Get-Mailbox -OrganizationalUnit "Lab01" | Add-DistributionGroupMember -Identity "Lab01 SG"

Modify the msExchUseOAB attribute:

Run the following command for a single user:

Set-Mailbox "second user" -OfflineAddressBook "Lab01 OAB"

Modify the msExchUseOAB attribute

Modify the msExchQueryBaseDN attribute:

To use the Exchange Management Shell to modify the msExchQueryBaseDN attribute, run the following command (shown here for the second user):

$user = ([ADSI]"LDAP://DC01:389/CN=second user,ou=Lab01,ou=companies,dc=exmailservice,dc=com").psbase; $user.Properties["msExchQueryBaseDN"].Value = "ou=Lab01,ou=companies,dc=Exmailservice,dc=com"; $user.CommitChanges();

Changing the msExchQueryBaseDN attribute via GUI:

 
Changing the msExchQueryBaseDN attribute

Modify the specific filter attribute:

Use one of the following procedures to modify the custom attribute that is used to identify the user(s) of the virtual company (the company attribute in this document's examples).

For single user:

set-mailbox "seconduser" -company "Lab01"

For multiple users:

get-mailbox -organizationalunit "Lab01" | set-mailbox -company "Lab01"

4. Post user creation steps:

When the above user creation steps have been taken, the following processes must be run to update the Address List, GAL, OAB, and redistribute content and re-stamp files with the appropriate permissions:

  • Update Address List
  • Update Global Address List
  • Update Offline Address Book
  • Redistribute content and re-stamp files with new permissions

Use below commands to update all the address lists:

Update-addresslist "Lab01 AL"
Update-globaladdresslist "Lab01 GAL"
Update-offlineaddressbook "Lab01 OAB"
Update-FileDistributionService "exch32-srv-01" -type oab
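Sections 3 and 4 together are the per-user part of the procedure: group membership, OAB assignment, msExchQueryBaseDN and the company attribute, followed by one refresh of the lists. The script below is an added example, not code from the original post, that applies those four changes to every mailbox in a company OU and then runs the section 4 updates once. It assumes the lab names from this post, writes msExchQueryBaseDN through [ADSI] against the DN that Get-Mailbox returns (rather than a hard-coded DC and path), and sets the company attribute with Set-User, which carries the Company parameter in the Exchange 2007 shell.

```powershell
# Added example (not from the original post): onboard all mailboxes in a
# company OU and refresh the lists. Lab names from this post are assumed
# ($company, $companyOu, the server name).

function Add-SegregatedUser {
    # Applies the four per-user changes from section 3 to one mailbox object
    param($Mailbox, [string]$Company, [string]$CompanyOuDn)
    $dn = $Mailbox.DistinguishedName
    Add-DistributionGroupMember -Identity "$Company SG" -Member $dn
    Set-Mailbox -Identity $dn -OfflineAddressBook "$Company OAB"
    Set-User -Identity $dn -Company $Company
    # msExchQueryBaseDN has no Set-Mailbox parameter in Exchange 2007, so write it via ADSI
    $entry = [ADSI]("LDAP://" + $dn)
    $entry.Put("msExchQueryBaseDN", $CompanyOuDn)
    $entry.SetInfo()
}

function Update-SegregatedLists {
    # The section 4 updates, run once after all users are processed
    param([string]$Company, [string]$Server)
    Update-AddressList "$Company AL"
    Update-GlobalAddressList "$Company GAL"
    Update-OfflineAddressBook "$Company OAB"
    Update-FileDistributionService -Identity $Server -Type OAB
}

$company   = "Lab01"
$companyOu = "OU=Lab01,OU=Companies,DC=Exmailservice,DC=com"

Get-Mailbox -OrganizationalUnit $company | ForEach-Object {
    Add-SegregatedUser -Mailbox $_ -Company $company -CompanyOuDn $companyOu
}
Update-SegregatedLists -Company $company -Server "exch32-srv-01"

# Spot check: OAB assignment and search base on every mailbox just processed
Get-Mailbox -OrganizationalUnit $company | ForEach-Object {
    $qbdn = ([ADSI]("LDAP://" + $_.DistinguishedName)).Get("msExchQueryBaseDN")
    Write-Output ("{0,-20} OAB={1,-14} QueryBaseDN={2}" -f $_.Alias, $_.OfflineAddressBook, $qbdn)
}
```

If the spot check shows a mailbox with an empty OAB or a QueryBaseDN outside the company OU, that user will still be able to browse the default lists from Outlook, so fix it before handing the account over.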

Final result:

Final result

After logging in as the second user, who is part of the Lab01 domain, we can only see the address list of those who are part of the same (Lab01.com) domain.

Comparison between before GAL segregation and after GAL segregation:

Comparison between before GAL segregation and after GAL segregation

As you see here, the top part of the figure shows the address list of the exmailservice domain, which is no longer shown after our GAL segregation in the bottom part of the figure.

I hope you would have enjoyed reading this, please give us your valuable feedback.


2 Comments »

  1. Justified the article properly, Nice… 🙂

    Comment by deep Kumar — December 8, 2011 @ 8:40 am

    • Thanks Deep.

      Comment by imkottees — December 8, 2011 @ 8:44 am

