Configuring Virtual Organizations and Address List Segregation in Exchange 2007

Thanks for your response Dyoung, but I haved already tried this and it did'nt work. So because of all the modifications I made, i kill my VM and start with a fresh one (R2-Exch2007-sp1. I test always this sort of modification before applying in prod). So I put by Adsideit on the cn default global adress list (not on the cn global adress list because of the différence of reaction between owa & outlook) the deny on authenticated users on read and open adress lists. It's work fine with no adress visible in the DGAL for the two clients (owa &outlook).
But If I want to come back with adsiedit it's not possiible with the habitual message "an invalid directory pathname was passed". So let's go with DSACLS.exe. I tried the option /S to recover the original settings it doesn'nt work with the message "The directory cannot be removed The command failed to complete successfully"  I try different setting and finally with the settings "dn of object" /N /G Administrator:RP  I get the object come back and I have just to put the permissions on open and read adress list of authenticated users to recover the original situation. Hope this expérience can help.