After installing Exchange Server 2007 with Client Access Server or Unified Messaging roles some of you might have noticed a new process - MSExchangeFDS.exe started. This is the Microsoft Exchang...
Updated Jul 01, 2019
Version 2.0
Blog Post
The easiest way to achieve it is to follow these steps.
First, you have to get OAB container DN and remove default permission ACE from this object:
>$oab1 = Get-OfflineAddressBook OAB1
>$oab2 = Get-OfflineAddressBook OAB2
>$oab1.DistinguishedName
CN=OAB1,CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FAFYFJ-dom,DC=extest,DC=microsoft,DC=com
>$container = "CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=FAFYFJ-dom,DC=extest,DC=microsoft,DC=com"
>remove-adpermission $container -user "NT AUTHORITYAuthenticated Users" -ExtendedRights 'ms-Exch-Download-OAB'
Now, add specific permissions to your security groups:
>add-adpermission $OAB1.DistinguishedName -user 'Group1' -extendedrights 'ms-Exch-Download-OAB' -Deny:$false
>add-adpermission $OAB2.DistinguishedName -user 'Group2' -extendedrights 'ms-Exch-Download-OAB' -Deny:$false
Make sure everything looks like expected:
>get-adpermission $OAB1.DistinguishedName | where {$_.ExtendedRights -match 'ms-Exch-Download-OAB'} |fl
>get-adpermission $OAB2.DistinguishedName | where {$_.ExtendedRights -match 'ms-Exch-Download-OAB'} |fl
Redistribute content and restamp files with new permissions:
>Get-ClientAccessServer | Update-FileDistributionService -type oab
Please remember however, that from now on you will need to manually assign permissions for new OAB objects.