Using Address Book Views in Exchange Server
ABVs let you group mailboxes into a set of logical containers independent of the container in which they physically reside, and you can hide these views from other groups in the GAL.
December 31, 1998
Companies usually set up an Exchange Server system as a private email system for a particular organization. However, some small companies can't justify having a separate Exchange server. What can they do? One option is to let one Exchange server host several companies by using Address Book Views (ABVs).
ABVs let you organize your mailboxes into a set of logical containers independent of the Exchange site or recipient container where the mailboxes physically reside. ABVs can be invaluable. For example, suppose two small firms reside in one building. You can set up one Exchange server and let employees from both companies access the server simultaneously. The employees won't know they're sharing the server with the other business. ABC employees who access the Exchange Global Address List (GAL) see only the employees from ABC; when XYZ employees view the same GAL, they can see only associates from XYZ. All recipients are in the GAL, but Exchange Server selectively hides or displays names, depending on who is accessing the GAL.
In this ABV article, I'll first describe how to set up a typical configuration. I'll then show you how you can use the functionality to hide certain mailboxes from others within the same company.
Setting Up ABVs
To set up ABVs, you need Exchange Server 5.0 or later. Setting up a typical ABV configuration involves three steps.
Step 1: Create NT groups. In Windows NT, use User Manager for Domains to create the necessary groups. For example, building on the two-business scenario, suppose ABC has 7 employees, and XYZ has 16 associates distributed evenly among four departments (Sales, Marketing, Finance, and Executive). In User Manager for Domains, create a new group account and add all domain user accounts from their respective companies. Hence, you have both an ABC group and an XYZ group.
Depending on which domain model (i.e., single domain, master domain, multiple master domain, complete trust) is in place, you can create either local or global groups for this procedure. However, because Microsoft recommends running Exchange Server on a member server, I recommend creating local groups and nesting the corresponding global groups from the domain controller under these groups. For more information about NT groups and domains, see Michael D. Reilly's Windows NT Magazine articles "Windows NT Group Strategies" (August 1998) and "Domains and Trust Relationships" (September 1998).
Step 2: Create ABVs and Address Book containers. First, be sure you have assigned all recipients to their respective company and department. You can verify the assignment on the General tab of each recipient's property sheet. For example, Screen 1 shows that Juli X. Nimitz is an XYZ employee and a member of the Sales department. For ABVs to work correctly, you must designate attributes consistently. If one administrator enters Marketing for a department and another administrator enters MKTG, you will end up with two ABV containers, instead of one common container.
Next, group recipients by creating ABVs so you can logically bundle recipients with similar attributes into one administrative unit. In Exchange Administrator, go to File, New Other, Address Book View. On the General tab, enter the display and directory name. Usually, you use a name that describes the attribute by which you want to group. On the Group By tab, select the attribute. You can organize mailboxes by as many as four attributes from eight standard attributes (City, Company, Country, Department, Home Server, Site, State, and Title) or any custom-defined attribute. Screen 2 shows an ABV I called Company View, grouped by the Company attribute.
Nested inside the ABV are Address Book containers. These containers are subgroupings that Exchange Server creates automatically when you define the attribute you want to group by in the ABV. As Screen 3 shows, the ABV called Company View contains two subcontainers (ABC and XYZ).
The process that creates these subcontainers on the fly is the View Consistency Checker. The VCC runs in the background and operates periodically (usually every 5 minutes). The VCC scans the recipients in the GAL and matches criteria based on the ABV. In this case, any recipients who have the Company field populated will cause a corresponding Address Book container, or child-view, to appear under the ABV.
Address Book containers are dynamic; that is, if you have a Department ABV and you define a new department attribute for a mailbox, the VCC creates a new child-view under that ABV. If you change the department of a mailbox on the mailbox's property sheet, the VCC will automatically move the mailbox to the new ABV subcontainers.
Step 3: Restrict ABVs. To control which Address Book containers an NT user can view, you need to set permissions on each ABV container. In Exchange Administrator, go to the Permissions tab of the container's Properties page. Add the appropriate NT group to its ABV container. Screen 4 shows the various rights available. This extra window doesn't appear by default. To force it to appear, choose Tools, Options from Exchange Administrator. On the Permissions tab, check Display rights for role on Permissions page. I prefer this optional window to appear, because it displays all the rights available to a particular role.
As you see in Screen 4, I have assigned the XYZ Local Group to the XYZ container and granted the group the Search role. (By default, when you assign the Search role, Exchange renames it Custom in the Role column.) This action lets only the XYZ group view the contents of this container. No other group from another company can see this container or its contents, nor can outside groups view these mailboxes when they access the GAL.
At this point, you might get an error message stating that you must first define an Anonymous account on the DS Site Configuration object before you can grant an account the Search right. This behavior is a quirk of Exchange Server: You must define an Anonymous account if you want to successfully assign the Search role. You can find this window on the General tab of the DS Site Configuration property sheet. After I defined an NT user account, I was able to assign the Search role to the NT group.
Finally, to hide each company's email addresses from the other company, restrict the Site Service Account at the Organization level to the Search role. In Exchange Administrator, select the Organization container. Go to File, Properties, and select the Site Service Account on the Permissions tab. In the Roles field, select Search, and then click OK.
If you don't hide each company's email addresses, XYZ employees can view all ABC employees' mailboxes contained in the GAL, and vice versa. I was concerned that restricting the Site Service Account might limit some administrative functions. However, I haven't found this action to produce any ill effects. Even so, Microsoft recommends that at least one other NT account at the Organization level have at least the Permissions Admin role.
The Results
Here's what happens when you restrict ABVs. Suppose Juli X. Nimitz, who is an XYZ employee and thus a member of the XYZ container, wants to use the Microsoft Outlook client to send an email message to a few of her colleagues. She composes a new message and then clicks To. Screen 5 shows what she sees.
As far as Juli knows, the GAL includes only XYZ employees, because she can't see the ABC employee names. In addition, when she uses the Show Names from the drop-down list to view other recipient containers, she can see only the XYZ Address Book container, which in this case is identical to the GAL contents. She can't see the ABC container because her NT group has Search permissions in the XYZ container only.
If you want to override a restricted view for individuals, you can assign them permission at the proper ABV property sheet. For example, if you assign the NT user account Juli X. Nimitz the role of Admin on the Permissions tab, Juli can view all users on the Exchange server.
Hiding ABVs Within a Company
In addition to hiding recipients between companies, you can hide groups of recipients within the same corporation. For this example, I'll assume that you aren't sharing a server between companies.
Suppose the CEO has asked you to hide the executives' mailboxes from everyone else except other executives. You can accomplish this task with ABVs. First, create an NT group called Executive and add all the user accounts that are members of this group. Next, on the property sheet of each executive's mailbox, enter Executive as the Department attribute. Finally, on the Permissions tab of the Executive ABV container, add the Executive NT group and assign it the Search role. This action will hide the Executive group from all other groups.
Now, assign an NT group for the company's other ABV containers (Sales, Marketing, and Finance). For instance, you can use the XYZ Local Group that contains a list of all user accounts for this firm, or you can use the system group Everyone. Finally, go to the Organization container, and assign the Site Service Account the Search role. When you complete the configuration, only the Executive group members can view all the employees; the other three departments can see all mailboxes except the Executives'.
You must be careful not to overlap permissions on separate ABV containers, because clients can view the largest ABV container of which they're members and for which they have permission. For example, if the XYZ group, which includes all XYZ employees, has permission for the XYZ container, Juli can view the Executive group's mailboxes. Even though she can't see the Executive container or its contents, she can see the Executive group's mailboxes via the XYZ container. To close this loophole, you must assign the correct permissions on ABV containers.
Configuring the Offline Address Book
The steps I outlined prohibit groups from viewing other groups on the LAN, but you need to take extra measures to ensure that offline users have the same restrictions. If you set up ABVs and containers before users perform their first synchronization of the Offline Address Book (OAB), users can download only the Address Book container that they have permission for. However, if users download a full copy of the default Recipients container before you implement ABVs, future ABVs won't restrict them from seeing all the recipients in the site (unless the users delete their local .oab files). Therefore, you need to plan and implement your Exchange organization before users download the Recipients container from the server.
To include the ABV containers, from Exchange Administrator, go to Organization, Site, Configuration, and open the property sheet for DS Site Configuration. On the Offline Address Book tab, add the ABV containers you need for each company; for example, I added both the ABC and XYZ containers, as you see in Screen 6.
Adding ABV containers to the OAB is a manual process. You must configure the containers, because a new ABV doesn't automatically become part of the OAB. In addition, remember to remove the default Recipients container in this window. If the OAB includes the Recipients container and the Recipients container holds mailboxes for mixed companies or departments, offline users can download and see users from other companies or departments, regardless of which permissions are on the ABVs.
Remember that Exchange processes the OAB only once a day, so you might want to generate a new OAB immediately after you add containers. To force Exchange to create the OAB, click Generate All on the Offline Address Book tab of the DS Site Configuration property sheet, which Screen 6 shows.
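To make the two pitfalls above concrete (the overlapping-permission loophole from the Executive example, and the Recipients-container leak in the OAB), here is an added Python model of the visibility rules this article describes. It is not Exchange code and not part of the original article; the recipient names, the grant tables and the container keys are constructed for illustration, and the NT group names follow the article.

```python
# Constructed sample directory (hypothetical names); the VCC groups on Company/Department.
RECIPIENTS = {
    "Juli X. Nimitz": {"Company": "XYZ", "Department": "Sales"},
    "Pat Q. Exec": {"Company": "XYZ", "Department": "Executive"},
    "Lee R. Finance": {"Company": "XYZ", "Department": "Finance"},
    "Sam T. Abc": {"Company": "ABC", "Department": "Sales"},
}
# Constructed NT group membership; local group names as used in the article.
NT_GROUPS = {
    "XYZ Local Group": {"Juli X. Nimitz", "Pat Q. Exec", "Lee R. Finance"},
    "ABC Local Group": {"Sam T. Abc"},
    "Executive": {"Pat Q. Exec"},
}

def build_child_views(recipients, group_by):
    """Mimic the VCC: one child-view per combination of group-by attributes, e.g. 'XYZ/Executive'."""
    views = {}
    for name, attrs in recipients.items():
        values = [attrs.get(a) for a in group_by]
        if all(values):  # an unpopulated attribute creates no child-view
            views.setdefault("/".join(values), set()).add(name)
    return views

# A Company View plus a Company-then-Department view, merged into one container table.
VIEWS = {**build_child_views(RECIPIENTS, ("Company",)),
         **build_child_views(RECIPIENTS, ("Company", "Department"))}

# Step 3 as applied in the article's loophole case versus the corrected assignment.
LOOPHOLE_GRANTS = {"XYZ": {"XYZ Local Group"}, "ABC": {"ABC Local Group"},
                   "XYZ/Executive": {"Executive"}}
FIXED_GRANTS = {"XYZ/Sales": {"XYZ Local Group"}, "XYZ/Finance": {"XYZ Local Group"},
                "XYZ/Executive": {"Executive"}, "ABC": {"ABC Local Group"}}

def visible_mailboxes(user, search_grants):
    """Union of every container on which one of the user's NT groups holds Search."""
    mine = {g for g, members in NT_GROUPS.items() if user in members}
    seen = set()
    for container, granted in search_grants.items():
        if mine & granted:
            seen |= VIEWS.get(container, set())
    return seen

def leaked_into(user, restricted, search_grants):
    """Restricted-container mailboxes the user still reaches through a broader container."""
    return visible_mailboxes(user, search_grants) & VIEWS.get(restricted, set())

def offline_visible(user, search_grants, oab_containers):
    """OAB download: listed containers filtered by Search rights; a listed Recipients container bypasses ABVs."""
    if "Recipients" in oab_containers:
        return set(RECIPIENTS)
    return set().union(*(VIEWS.get(c, set()) for c in oab_containers)) & visible_mailboxes(user, search_grants)
```

With LOOPHOLE_GRANTS, Juli reaches the executive's mailbox through the XYZ container even though she has no rights on XYZ/Executive; with FIXED_GRANTS she sees only Sales and Finance, and the OAB stays consistent unless Recipients is left in the Offline Address Book tab.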
Flexibility at Your Service
Exchange Server once again proves it is extremely flexible in adapting to different kinds of business environments. Small companies that can't afford a high-powered email system can share one Exchange Server system with other firms. By spreading the cost of ownership over many companies, every company can have electronic mail at a reasonable price. ABVs make it possible without the burden of an overpopulated GAL for users.
The sidebar "Getting the Most from Address Book Views" offers some tips for working successfully with ABVs. For more information, read the Microsoft articles "Recurring Address Book Views in Exchange Server" (http://support.microsoft.com/support/kb/articles/q180/1/41.asp) and "How to Setup Container Level Search Control" (http://support.microsoft.com/support/kb/articles/q182/9/02.asp).