We are in the process of migrating from Exchange 2007 to
Exchange 2010. We have segregated AD because we host exchange for multiple
companies. We use ACLs and msExchQueryBaseDN attribute for the segregation. Each
company has a separate GAL, Address list and OAB. After the mailboxes were
moved, the GAL appeared to be blank although the names could be resolved by
outlook. After a lot of struggle to fix it, we found out why.
Exchange 2010 SP2 uses Address book policies to segregate
the GAL access instead of the msExchQueryBaseDN attribute. So first of all we
create an address book policy for each client. You can do so in the Exchange
MMC> organization management > mailboxes > address book policies tab
> new address book policy. Create it as shown in the image below. This is required if we do not want the users to have access
to all the GALs.
Apply the policies to all the
users under COMPANY1. You have to change it for individual user if you want to do
in exchange MMC. You can do it by right clicking properties of the user
mailbox> mailbox settings tab> select address book policies and click
properties> select address book policy. Possibly can be scripted as well.
Step 2: check the permissions on the address lists for the
client.
Open adsiedit > configuration > CN = configuration,
DC=domain,DC=com > CN=services > CN=Microsoft Exchange > CN= i-worx
> CN=Address lists container
1.
expand CN= all address lists. Right click the
address list for COMPANY1. All the users in COMPANY1 should have the
following permissions
a. READ
b. Open
address list
(see image below)
2.
Under CN=Address lists container, now expand CN=
All global address lists, Right click the GAL for the COMPANY1.The
CLIENTCODE users group should have the following permissions
a. READ
b. Open
address list
(see image below)
LAST STEP
Clear the msExchQueryBaseDN attribute for all users for
company1.