Last post Apr 28, 2006 09:57 AM by jasonjoh
Apr 12, 2006 10:10 PM|kenyeung
I have been trying to set permissions for managing address lists following KB article #822940, but without any luck. The current situation is that users in one virtual organization can still see addresses from other virtual organizations in the GAL.
I have no idea what I missed. I would greatly appreciate it if anyone can help or give a direction on where to check.
Thank you very much.
Apr 18, 2006 11:52 AM|jasonjoh
Since you're following that article (manually creating separate GALs, etc.), it sounds like you are not using the HMC solution. We're really more focused on the solution here, but I'll do my best ;-)
How do these users see the addresses from the other GAL? Are they using Outlook Web Access or Outlook? If Outlook, are they connecting with MAPI or with POP3/IMAP? What are the exact series of steps the users take to "see" these other addresses?
Apr 19, 2006 12:51 AM|kenyeung
Thank you, Jason. Users would use Outlook 2003 configured as an RPC over HTTP client to connect to Exchange. Once logged in to Outlook, just by opening the address book, the user will see all the other users from other virtual organizations. Is the original intent of this KB to limit the access control for the address book so that a user can only view addresses residing in his/her own organization? Thank you for your help.
Apr 19, 2006 10:32 AM|jasonjoh
Ok. Since your clients are using RPC/HTTP, I'm going to assume cached mode, which means they are using an Offline Address Book (OAB). That article really doesn't touch on the whole OAB scenario.
You're going to need to create a new Offline Address List in ESM for each organization, setting them up properly to only contain the GALs that they should. You'll then need to map these OABs back to the individual mailboxes by setting the msExchUseOAB attribute on the users in AD.
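The mapping step above, as an added example that is not part of the original thread and not Microsoft's own code: a PowerShell/ADSI script that finds one hosted organization's Offline Address List in the configuration partition and writes its distinguished name into msExchUseOAB on every mailbox-enabled user under that organization's OU. The domain abcdomain.com and the "Hosed" OU come from the thread; the Exchange organization name "First Organization" and the OAB name "a-vir-org.com OAB" are assumptions you must replace with your own values.

```powershell
# Added example (not from the thread). Maps mailbox users in one hosted OU to that
# organization's Offline Address List by setting msExchUseOAB, which is the attribute
# Outlook cached-mode clients use to decide which OAB to download.
# Run as an account allowed to write msExchUseOAB on the user objects.
# ASSUMPTIONS: domain abcdomain.com and OU "Hosed" are from the thread; the Exchange
# organization name and the OAB name below are placeholders.
$orgOu   = "OU=a-vir-org.com,OU=Hosed,DC=abcdomain,DC=com"
$exchOrg = "First Organization"        # assumed Exchange organization name
$oabName = "a-vir-org.com OAB"         # assumed name of the per-organization OAB

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext

# Offline address lists live under the Exchange org in the configuration partition.
$oabContainer = "LDAP://CN=Offline Address Lists,CN=Address Lists Container," +
                "CN=$exchOrg,CN=Microsoft Exchange,CN=Services,$configNc"
$searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]$oabContainer)
$searcher.Filter = "(&(objectClass=msExchOAB)(cn=$oabName))"
$oab = $searcher.FindOne()
if (-not $oab) { throw "OAB '$oabName' not found under $oabContainer" }
$oabDn = [string]$oab.Properties["distinguishedname"][0]

# Only mailbox-enabled users carry homeMDB; skip contacts, groups and mail-disabled users.
$searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"LDAP://$orgOu")
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(homeMDB=*))"
$searcher.PageSize = 500

foreach ($result in $searcher.FindAll()) {
    $user = $result.GetDirectoryEntry()
    $current = $user.psbase.Properties["msExchUseOAB"].Value
    if ($current -eq $oabDn) { continue }                 # already mapped, nothing to do
    Write-Host ("Setting msExchUseOAB on {0}" -f $user.psbase.Properties["sAMAccountName"].Value)
    $user.psbase.Properties["msExchUseOAB"].Value = $oabDn
    $user.psbase.CommitChanges()
}
```

The script is idempotent, so it can be re-run after new users are created in the OU. A cached-mode client does not pick up the change until its next OAB download, so test with a fresh profile or force a full OAB download rather than trusting an already-cached address book.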
Apr 20, 2006 03:47 AM|kenyeung
Thanks, I did not know the msExchUseOAB attribute had to be set. Other things were done: create multiple OABs, one for each virtual org, and set permissions to allow only a particular universal security group to access them.
But here is one more thing: the same thing happens with Outlook as a MAPI client; a user from one organization can see all addresses from other organizations. I know it has to be a permission problem, I just don't know where it got messed up.
Here is more information:
Primary domain: abcdomain.com -> create an OU named Hosed -> create sub-OUs to host those virtual organizations (e.g., a-vir-org.com OU, b-vir-org.com OU, c-vir-org.com OU).
After following the KB article to configure the GAL on the server, a user from a-vir-org.com logging in to Outlook can view addresses from b-vir-org.com, c-vir-org ...
Apr 20, 2006 10:23 AM|jasonjoh
Apr 20, 2006 10:10 PM|kenyeung
Apr 24, 2006 10:16 AM|jasonjoh
I'm going to set this up here and try it myself. It definitely sounds like permissions.
What article recommended deleting the default GAL?
Apr 24, 2006 09:45 PM|kenyeung
Thank you, Jason, for doing that for me. I am sorry, I could no longer find the article again. BTW, would you want me to dump the current permission list for you?
Apr 25, 2006 11:38 AM|jasonjoh
Well, looks like that article needs work. I followed the steps in it and got the same results as you: the users could see everyone.
I noticed while doing step 4.e that Authenticated Users still had an Allow checked for "Special Permissions." So I clicked the Advanced button and went to each "Allow" entry for Authenticated Users in the Advanced Security Settings. I cleared all the permissions I could (some are inherited from the parent and can't be modified). That cleared up the problem for me. Now users only see their GAL in online MAPI mode (non-cached).
Next test was cached mode. That worked right too!
Final test was RPC/HTTP mode, and it worked right as well.
So, to clarify, in the Advanced Security Settings for the default GAL, you should see only 2 entries for Authenticated Users:
Hope that helps!
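The permission change Jason describes above, as an added example that is not part of the original thread and not Microsoft's own code: a PowerShell/ADSI script that reads the ACL of the Default Global Address List object, reports every entry for Authenticated Users together with whether it is inherited, and, only when you set $apply to $true, removes the explicit (non-inherited) Allow entries, which is what clearing the Allow boxes in the Advanced Security Settings dialog does. The Exchange organization name "First Organization" is an assumption; the inherited entries are left alone, matching the thread's observation that they cannot be changed on this object.

```powershell
# Added example (not from the thread). Audits, and optionally removes, the explicit Allow
# ACEs for Authenticated Users on the Default Global Address List object.
# ASSUMPTION: the Exchange organization name below is a placeholder.
# With $apply = $false the script only reports; keep that output as your record of the
# original ACL before you run it again with $apply = $true.
$exchOrg = "First Organization"
$apply   = $false

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$galPath  = "LDAP://CN=Default Global Address List,CN=All Global Address Lists," +
            "CN=Address Lists Container,CN=$exchOrg,CN=Microsoft Exchange,CN=Services,$configNc"
$gal = [ADSI]$galPath

# ObjectSecurity is a System.DirectoryServices.ActiveDirectorySecurity instance.
$acl = $gal.psbase.ObjectSecurity
$auName = "NT AUTHORITY\Authenticated Users"

# Explicit and inherited rules, resolved to account names so we can match on the SID's name.
$auRules = $acl.GetAccessRules($true, $true, [Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $auName }

Write-Host "Authenticated Users entries on: $galPath"
$auRules | Format-Table AccessControlType, ActiveDirectoryRights, IsInherited, ObjectType -AutoSize

if ($apply) {
    $removed = 0
    foreach ($rule in $auRules) {
        if ($rule.IsInherited) { continue }                     # inherited: only changeable at the parent
        if ($rule.AccessControlType -ne "Allow") { continue }   # leave any explicit Deny in place
        [void]$acl.RemoveAccessRuleSpecific($rule)
        $removed++
    }
    $gal.psbase.ObjectSecurity = $acl
    $gal.psbase.CommitChanges()
    Write-Host "Removed $removed explicit Allow entries for Authenticated Users."
} else {
    Write-Host "Report only; set `$apply = `$true to remove the explicit Allow entries."
}
```

After applying it, repeat the three checks from the post above (online MAPI, cached mode, RPC/HTTP) with a user from one hosted organization, and also create a brand-new profile for that user, since first-time name resolution is the operation most likely to notice a missing right on the default GAL.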
Apr 27, 2006 09:53 PM|kenyeung
Thank you, Jason, I greatly appreciate your help. I have one question to ask, though. I was following this article (http://www.msexchange.org/pages/article_p.asp?id=731) as a cross reference. I wonder if removing all the permissions for Authenticated Users will prevent the user from resolving his/her name when creating a profile for the first time.
May I ask what access permission it looks at when a user tries to resolve his/her name for the first time: is it based on the Authenticated Users access permission or on other names, and which name takes precedence? Thank you
Apr 28, 2006 09:57 AM|jasonjoh
You should be fine. I tried creating new profiles after removing those permissions and it worked fine for me. Remember, I didn't remove ALL permissions. There was an inherited "List Contents" right for AU.
However, I don't think it should matter. If the permissions are set correctly, then name resolution should occur against the address list that the user has access to.
I'm not sure definitively what permission is required for name resolution during the profile creation process, but I can tell you that in my test setup, AU has the following on the hosted GAL:
My assumption is that you probably need almost all of these (you probably don't need Read Permissions) in order to read the address list.