How to Implement Address Book Policies in Exchange 2010 SP2 Effectively

Posted on March 29, 2012 | Category: Address book Policies, Exchange 2010 | 54 Comments

First, I will explain what an Address Book Policy is before going into the implementation.

In layman’s terms, every department will see its own Global Address List.

Commercial GAL segregation was not supported in Exchange 2003 and Exchange 2007.

It was supported in HMC 4.5 with Exchange 2007, where you had to buy a license for it separately.

In Exchange 2007, only internal GAL segregation was supported, as per the white paper:

http://technet.microsoft.com/en-us/library/bb936719(v=exchg.80).aspx

In spite of more complications, Exchange 2010 Hosting mode was introduced, but no upgrade will be provided by Microsoft:

http://blogs.technet.com/b/exchange/archive/2011/10/13/future-of-hosting-mode.aspx

Now Exchange 2010 SP2 is one of the best solutions for GAL segregation, commercially and internally; it is more efficient and easy to implement.

 

 

You need to go through a checklist before implementing Address Book Policies.

1. Address Book Policies work only on an Exchange 2010 Service Pack 2 server.

2. Exchange 2010 should not be installed on a GC or DC, especially the Client Access Server.

(In that case Address Book Policies won’t work for Outlook; they will work for OWA alone.)

3. If any client device or client software accesses Active Directory directly for directory access, ABP won’t work.

Examples: Outlook hard coded to a GC, and Entourage 2008.

4. Outlook clients should be at least Outlook 2007 or Outlook 2010.

Outlook 2003 with the latest service pack does recognize Address Book Policies, but we might face some complications; that is my personal experience.

For example, the login credentials should be exactly the same as the email credentials.

Those are the most important checks before you implement it.

 

Now I will explain how to deploy Address Book Policies in different scenarios, as per TechNet.

Before getting into Address Book Policies, we should first plan how we are going to segregate the users.

There are various filters you can use to segregate users. Refer to this link:

http://technet.microsoft.com/en-us/library/bb738157%28EXCHG.80%29.aspx

But we also have something called custom attributes.

There are 14 custom attributes that we can use to segregate users.

Personally, I find segregation much easier and more manageable using custom attributes.

In simple words, experts prefer custom attributes.

Now I will explain how to segregate users in the scenario below.

Scenario 1: Two Separate Companies in One Exchange Organization

 

First we will plan how to segregate the users.

For Organization A, I will use custom attribute 1:

Custom attribute1 = OrgA

For Organization B, I will use custom attribute 2:

Custom attribute2 = OrgB

We have to create a separate Address Book Policy for every organization.

Organization A people should not see Organization B people in their Global Address List.

We have to create 4 things for each organization to implement Address Book Policies:

1. Global Address list

2. Address list

3. Rooms list

4. Offline Address book

Once we have created them, we can assign the policy to the users. Every user can have only one Address Book Policy.

 

1. Creating a Global Address list

You need the Exchange Management Shell to create a Global Address List.

Only users whose custom attribute 1 has the value ORGA will show up in this Global Address List.

New-GlobalAddressList "Organization A" -ConditionalCustomAttribute1 "OrgA" -IncludedRecipients "AllRecipients"

 

2. Creating an Address list

Only users whose custom attribute 1 has the value ORGA will show up in this Address List.

Creating a new Address List for ORGA users

Setting the Domain as Default Domain

Setting the CustomAttribute1 value as ORGA

Now the Address List has been created successfully.

 

3. Creating a Rooms list

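The two room display types are grouped in parentheses so that the CustomAttribute1 condition applies to both of them:

New-AddressList -Name ORGA-Rooms -RecipientFilter {(Alias -ne $null) -and (CustomAttribute1 -eq "ORGA") -and ((RecipientDisplayType -eq "ConferenceRoomMailbox") -or (RecipientDisplayType -eq "SyncedConferenceRoomMailbox"))}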

4. Creating Offline Address book

Look closely at this step: I am not using the GUI, because I want the users to see the new GAL which I have created for Organization A.

Using the GUI, I won’t have an option to add the newly created GAL.

New-OfflineAddressBook -Name "ORGA-OAB" -AddressLists "Organization A"

The Offline Address Book was created successfully.

I am not going to use PF distribution in the OAB properties in the GUI because there are no Outlook 2003 clients.

If you still have them, go ahead and check that option, and make sure you have a PF database.

 

 

 

 

Now we are going to create an Address Book Policy for Organization A users.

The Address Book Policy was created successfully!

 

Now we will learn how to apply custom attributes to users and other Active Directory objects.

Open Exchange Management Console – Recipient Configuration – Mailbox – Properties of User Mailbox

You can set the Custom Attribute 1 value for one user for testing purposes.

Or you can run this in the Exchange Management Shell:

Get-Mailbox "User1" | Set-Mailbox -CustomAttribute1 "ORGA"

To apply it to all the mailboxes:

Get-Mailbox | Set-Mailbox -CustomAttribute1 "ORGA"

To apply it to the users in a specific database:

Get-Mailbox -Database "Database Name" | Set-Mailbox -CustomAttribute1 "ORGA"

Example: I allocated the Organization A users to ORGA-Database and applied the custom attribute in bulk for the ORGA users.

To apply it to one distribution group:

Get-DistributionGroup "Group1" | Set-DistributionGroup -CustomAttribute1 "ORGA"

To apply it to one dynamic distribution group:

Get-DynamicDistributionGroup "Group1" | Set-DynamicDistributionGroup -CustomAttribute1 "ORGA"

Now, to view and understand this better, click on View – Add/Remove Columns.

Choose the custom attributes which you want to view in Recipient Configuration.

Now you can see the custom attribute values of the assigned users.

 

Now we can apply the Address Book Policy to a specific user.

Exchange Management Console – Recipient Configuration – Mailbox – Properties of User Mailbox – Mailbox Settings – Address Book Policy

To apply it in bulk to all the users in a database:

Get-Mailbox -Database "Database Name" | Set-Mailbox -AddressBookPolicy ORGA-ABP

Now, logging into OWA as Test1-ORGA, I am seeing ORGA users alone in the Global Address List.

Now, logging into Outlook as Test1-ORGA, I am seeing ORGA users alone in the Offline Address Book.

 

 

Now coming to the email addresses for the organizations.

If you are planning to give different domain names to these organizations, custom attributes will make things simple for us.

First we will create an Accepted Domain for ORGA.

Clicking on New will get the Accepted Domain ready.

Now we will create an Email Address Policy which will stamp addresses only for ORGA users.

Now stamping the email address for only ORGA users: CustomAttribute1 – ORGA

Now choosing the Accepted Domain.

Now you can see that our OrgA users are stamped with ORGA.com.

Great!!

Now ORGA is ready.

 

Let’s make ORGB ready. It is just the same thing, but I am going to use CustomAttribute2 as ORGB, and I am going to use commands since you are familiar with them now.

As we already know, we need to create 4 things for an organization to implement Address Book Policies:

1. Global Address list

2. Address list

3. Rooms list

4. Offline Address book

 

1. Global Address list

Creating a Global Address list

You need the Exchange Management Shell to create a Global Address List.

Only users whose custom attribute 2 has the value ORGB will show up.

New-GlobalAddressList "Organization B" -ConditionalCustomAttribute2 "OrgB" -IncludedRecipients "AllRecipients"

2. Address list

New-AddressList ORGB-AL -ConditionalCustomAttribute2 ORGB -IncludedRecipients "AllRecipients"

3. Rooms list

New-AddressList -Name ORGB-Rooms -RecipientFilter {(Alias -ne $null) -and (CustomAttribute2 -eq "ORGB") -and ((RecipientDisplayType -eq "ConferenceRoomMailbox") -or (RecipientDisplayType -eq "SyncedConferenceRoomMailbox"))}

4. Offline Address book

New-OfflineAddressBook -Name "ORGB-OAB" -AddressLists "Organization B"

 

Now we will create an Address Book Policy:

New-AddressBookPolicy -Name "ORGB-ABP" -AddressLists "\ORGB-AL" -OfflineAddressBook "\ORGB-OAB" -GlobalAddressList "\Organization B" -RoomList "\ORGB-Rooms"

To apply it in bulk to all the users in a database:

Get-Mailbox -Database "ORGB-Database" | Set-Mailbox -AddressBookPolicy ORGB-ABP

Now, logging into OWA as Test1-ORGB, I am seeing ORGB users alone in the Global Address List.

Now, logging into Outlook as Test1-ORGB, I am seeing ORGB users alone in the Offline Address Book.

 

New-AcceptedDomain -Name "ORGB.com" -DomainName "ORGB.com" -DomainType "Authoritative"

Now creating an Email Address Policy

Great!

Now both the organizations are ready,

and they have been segregated with different Global Address Lists.
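
A post-deployment check, added here as an example and not part of the original post: it lists mailboxes whose Address Book Policy is missing or does not match their custom attribute, and previews each organization's GAL and rooms list for recipients that lack that organization's attribute. It assumes the attribute values, policy names and list names used in this walkthrough.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Attribute values, policy names and list names are the ones used in this walkthrough.
$tenants = @(
    @{ Attribute = 'CustomAttribute1'; Value = 'ORGA'; Policy = 'ORGA-ABP'
       Lists = @('Organization A', 'ORGA-Rooms') },
    @{ Attribute = 'CustomAttribute2'; Value = 'ORGB'; Policy = 'ORGB-ABP'
       Lists = @('Organization B', 'ORGB-Rooms') }
)

# 1. Mailboxes whose policy is missing or contradicts their tenant attribute.
$mailboxIssues = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Assumption: the AddressBookPolicy property renders as the policy name.
    $actual   = "$($mbx.AddressBookPolicy)"
    $expected = @($tenants | Where-Object { $mbx.($_.Attribute) -eq $_.Value } |
                  ForEach-Object { $_.Policy })
    $issue = $null
    if ($expected.Count -gt 0 -and -not $actual) {
        $issue = 'No policy assigned: user falls back to the Default GAL'
    } elseif ($expected.Count -gt 0 -and $expected -notcontains $actual) {
        $issue = 'Assigned policy does not match the tenant attribute'
    } elseif ($expected.Count -eq 0 -and $actual) {
        $issue = 'Policy assigned but no tenant attribute is set'
    }
    if ($issue) {
        New-Object PSObject -Property @{ Mailbox = $mbx.Alias; Policy = $actual; Issue = $issue }
    }
}

# 2. Recipients a tenant's GAL or rooms list would show although they lack
#    that tenant's attribute (for example, a filter whose -or is not grouped).
$listIssues = foreach ($t in $tenants) {
    foreach ($name in $t.Lists) {
        $list = Get-GlobalAddressList | Where-Object { $_.Name -eq $name }
        if (-not $list) { $list = Get-AddressList | Where-Object { $_.Name -eq $name } }
        if (-not $list) { Write-Warning "List '$name' not found"; continue }
        Get-Recipient -RecipientPreviewFilter $list.RecipientFilter -ResultSize Unlimited |
            Where-Object { $_.($t.Attribute) -ne $t.Value } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    List = $name; Recipient = $_.Name; Type = $_.RecipientTypeDetails }
            }
    }
}

$mailboxIssues | Format-Table Mailbox, Policy, Issue -AutoSize
$listIssues    | Format-Table List, Recipient, Type -AutoSize
```

Mailboxes that have neither a tenant attribute nor a policy (administrators, for instance) are not reported. Both tables should come back empty when the segregation is complete.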

 

I will get back with more interesting scenarios!!

Satheshwaran Manoharan

Exchange MVP , Publisher of CareExchange.in
I have been supporting/deploying/designing Microsoft Exchange for some years. If you have any questions, please share your thoughts via comments.


Comments 54

  1. Santhosh
    12/03/29

    you made it simple. great work!!

  2. 12/03/31

    Thanks Santhosh , More to Come !

  3. priya vardhini
    12/03/31

    Great Job!!!!!!! easy to learn !!!!!!!

  4. 12/03/31

    Thanks Priya !

  5. Marcel
    12/04/05

    Can you please tell me what I’m doing wrong? In OWA everything fine, but in Outlook 2010 I can see all other address lists and Default GAL.

  6. 12/04/05

    Is Exchange 2010 installed on a DC or GC ?

    • Paul
      12/04/11

      I have Exchange already installed on a DC, do I have to reinstall it? or remove DC or GC

      • 12/04/11

        Hi Paul,

        ABP won’t work if Exchange is installed on a GC

        Get a new GC and bring down the existing GC to a DC

        or

        Exchange on a GC or DC is not supported, which might give more issues in the future

        Running dcpromo now to remove the GC will screw the Exchange Server

        It is better to safely uninstall it and install Exchange on a server which is not a GC or DC

  7. outlook transfer
    12/07/06

    I go to see day-to-day some websites and blogs to read articles or reviews,
    except this webpage provides feature based content.

  8. Anthony Ide
    12/08/08

    Hello,

    just a question : for ORG A you are using custom attribute 1 and for ORG B custom attribute 2.
    On this blog http://c-nergy.be/blog/?p=2113 they are just using custom attribute 1 and give it a value of ORG A or ORG B.
    Is there a different result?

    Best regards
    Anthony

    • 12/08/08

      Both should work the same.

      But if you want to get a common person who should be visible in both ORG A & B,
      -
      I will just fill custom attribute 1 & custom attribute 2
      -
      But if we use the same attribute for both the ORGs, we need to create a new ABP for the common person as well.
      -
      It totally depends on your environment

      Regards
      Satheshwaran Manoharan

  9. Tom
    12/10/16

    Hi – Thanks For the Posting-
    Question: When I complete step 1 Cmdlet to create GAL – I end up with an entry for that GAL Name (In your case Organization A) When you show Step 2 “Organization A” that was created in step 1 is not in there ?? – I am seeing GAL I created from Cmdlet in step 1 in the address list — can you please clarify

    Thanks.

    • 12/10/16

      Step 1
      This will create your dedicated GAL for Organization A
      New-GlobalAddressList "Organization A" -ConditionalCustomAttribute1 "OrgA" -IncludedRecipients "AllRecipients"
      Step 2
      I am creating a sample address list for Organization A


      You can share screenshots with me at admin@careexchange.in
      I can clear your confusion for sure

  10. Tom
    12/10/16

    Excellent !! Have created ABP Based on this step by step —
    Only thing I had to Change was step 3. cmdlet all needed double quotes instead of single
    Thanks…SM

  11. James
    12/11/12

    Hi Satheshwaran,
    Can you confirm if the creation of an additional third GAL (counting the default GAL as well) is required? Why not setup a second GAL for the additional organisation and call it OrgB and use the default GAL for OrgA…or does it absolutely require the addition of a third GAL? what happens to the Default GAL in your scenario where you have one for OrgA and OrgB? Is it hidden? or just left alone? Many Thanks, James

    • 12/11/12

      You can Use the Default GAL, You can use Default GAL for ORGA. But ORGA users will see ORGB
      Default GAL won’t have any restriction – They will see everything. !!

      Default GAL is still alive. If you don’t apply an ABP for a user, he will look at the Default GAL.
      Like admins, I didn’t apply an ABP for admins so that they can see everyone.

      • James
        12/11/12

        Thanks Satheshwaran- in this particular scenario I am implementing, the fact that users in the default GAL (OrgA) can see the users in OrgB is needed, what is wanted, is to prevent OrgB users from seeing OrgA users…brilliant, thank you for the clarification

  12. mark
    13/01/23

    thank you for posting this, it was incredibly helpful as we are trying to implement a multi-tenant exchange hosting environment. have a question…

    typically our night staff will add all new user AD account as well as exchange accounts. they know very little about exchange other than creating the account. they will not remember to add a custom attribute or assign an address book policy to each user. since we have each customer in a separate OU, i create 2 powershell scripts. one to apply a customer attribute to each member of the OU every night, and another script to assign it an address book policy(also based on the OU). this allows new users to be created and have both attributes added to their exchange account automatically.

    1)is there an easier way to do this?

    2)assuming all members of the OU have both the attribute and correct ABP, do you see any issues with the scripts trying to apply these values to users who already have them?

    thanks

  13. mark
    13/01/28

    thanks

  14. 13/02/11

    Hello :)

    First, thanks for this great Tutorial!

    I did it like you, but all addresses will be shown… I think it loads the Default Global Address List and not the organisation-specified GAL… I have installed Exchange on my DC, because I have only one VPS Server… Can you help me? :/

  15. Sami
    13/03/02

    Bravo!!
    Great tutorial!
    Works perfect.

  16. Keith
    13/03/15

    I followed your steps and it worked perfectly. Thank you!

    So I copied your syntax verbatim and just changed the names to suit my needs. Here’s my situation – I have 5 users in ORGA, but only 1 of them is assigned to the ORGA-ABP. That 1 user only sees himself in the list of users in the OrgA GAL. Once I add the other 5 users, then he sees all 5. This did not happen when I recreated your example – it only happened when I change the names. Any ideas?

    • Keith
      13/03/15

      I resolved this on my own. I used the Update-GlobalAddressList command on my new listed after everything was created and that seems to resolve this.

      Great article – Thank you!

  17. 13/04/10

    Just desire to say your article is as astounding. The clearness on your publish is just cool and i could assume you are an expert on this subject. Fine with your permission let me to seize your RSS feed to stay updated with imminent post. Thanks one million and please carry on the enjoyable work.

  18. 13/05/09

    Great article. Saved me a lot of time trying to get the Address Lists created from shell. And now I have a much better understanding of how ABP’s work.

  19. 13/06/06

    Hi!
    Great article!
    I saw this article on customattribute and multivalues
    http://www.msexchange.org/kbase/ExchangeServerTips/ExchangeServer2010/ManagementAdministration/Multi-ValuedCustomAttributes.html
    Then you only need to assign 1 attribute for ORGA , ORGB for people that belongs to both?
    Haven’t done any testing yet, I’m new to this

    • 13/06/15

      You can use eq for ORG A
      and you can use AND for ORG B
      -
      Hope you are getting my point. Follow my article and do a lab
      so that you can understand my user

  20. 13/06/20

    Hi,
    Great step by step guide.
    I have a ABP applied to a certain OU. Is it possible for the policy to automatically be applied to any new users that get added to that OU?
    Or do you have to run the script after any new users are created?

    Thanks
    James

  21. sajid
    13/08/05

    can we apply GAL Segregation on Exchange 2013 with AD on 2012 servers ?

  22. 13/09/10

    Thanks Mr.Sathesh ,

  23. Tarique Noorain
    13/09/21

    Great !!

    Thanks

  24. Samir Shaikh
    13/11/16

    Excellent Job !

  25. Ben
    13/11/21

    This is a great read. However I ran into the following issue, when UserA accesses any item in the address list via OWA, he gets an error –
    “Access is denied. This may be because the Active Directory object doesn’t exist or the object has become corrupted or because you don’t have the correct permissions.”

    When UserA accesses the address lists via Outlook2010 and tries to view members of a group the members list is blank.

    Any ideas on where the issues exists?

    • 13/11/22

      When the user does not exist in his GAL.

      But he exists in the address list only

      Then he gets this. By design

      So to avoid this, address list users should be listed in the GAL

  26. asifrogers
    13/12/14

    I have added an accepted domain but its not displaying while adding an emailbox from EMC 2010? It lists only the DOMAIN of DC.

    i.e. mailbox@ACCEPTEDDOMAIN is missing :(

  27. Shahrad
    14/03/20

    This has been tried on Exchange 2010 SP3 Single Server.
    Wanted to ask

    Would Exchange 2010 being on a DC affect ABP to work for Outlook clients? It does work in OWA
    Running Exchange 2010 SP3 UR5 (14.3.181.6)

    I have followed this guide, in OWA it works great, in Outlook 2007 or 2010 however it still sees Default GAL, which is all tenants domains.

    • Avdhesh Pande
      14/04/16

      Shahrad,

      ABP will not work if your Exchange is installed on a DC. Uninstall Exchange from the DC and install it on a member server.

  28. Avdhesh
    14/04/16

    Great blog..followed the same in our environment..
