Configuring Virtual Organizations and Address List Segregation in Exchange 2007

Published Feb 06 2008 07:13 PM 4,388 Views

I wanted to specifically call out a white paper that Cathy mentioned in her February Documentation Update:

White Paper: Configuring Virtual Organizations and Address List Segregation in Exchange 2007

Over time, there have been several versions of documentation on this subject (created by both Microsoft and others) and that we have seen followed, with more or less success. I am very glad that this paper is completed. Dave Goldman announced that it was coming and talked about people that worked on it. Indeed, it is now here!

- Nino Bilic

Not applicable
Thansks for that great article. Is there an other solution for the "unsupported" configration ?. This do describes a "total segregated" configuration without the default GAL. How can i implement, that company1 is using GAL1 and AL1, company2 is using GAL2 and AL2  and the hoster and other services (fax, blackberry etc) can still use a "global GAL".
An other problem is see is the modification at the OU-Level. I understand, that the dsheuristics modification makes sense (similar zu access based enumerations ad file shares). But is it a good idea to remove permissions at OU-Level ("To accomplish this task, you must remove from each organizational unit the permissions assigned to the Authenticated Users group and the Everyone group, if it exists"). How far are be from a "standard" ?.
There should be a solution adding a GAL/AL with a filter and permissions to the GAL/AL without modifying AD-Permissions at OUs.

Are there more details to "Attempting this configuration will cause problems with the check names functionality which will prevent users from creating Outlook profiles" ?.
Not applicable
Thanks for the great article. One thing I found was the difficulty to update a large number of accounts which were already created with the msExchQueryBaseDN value. I have compiled which I hope will be helpful for others in the smae situation.

$strFilter = "user"

$objDomain = New-Object System.DirectoryServices.DirectoryEntry

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = "LDAP://ou=Fabrikam,OU=Companies,DC=contoso,DC=com"
$objSearcher.SearchScope = "Subtree"
$objSearcher.PageSize = 1000

$objSearcher.Filter = "(objectCategory=$strFilter)"
$colResults = $objSearcher.FindAll()

foreach ($i in $colResults)
       $objUser = $i.GetDirectoryEntry()
$UserDN = $objUser.distinguishedName
$UserN = $objUser.Name
Write-Host "Processing User: " $UserN
$user = ([ADSI]"LDAP://DC1:389/$UserDN").psbase
$user.Properties["msExchQueryBaseDN"].Value = "ou=Fabrikam,OU=Companies,DC=contoso,DC=com"
Write-Host ""

Not applicable
After following this article I have found that each company user can no longer see any of the address lists whilst in Outlook. The following command found in the "Create a Security Group for all Hosted Groups" section seems to hide these:

Add-ADPermission –Identity “CN=Address Lists Container,CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Contoso,DC=com” –User “All Hosted Groups SG” –AccessRights ReadProperty -Properties "Open Address List" –Deny

I have double checked all the commands entered with no luck. One thing I have noticed in the article section "Modify Permissions on the Address List" the first line reads:

"Use the following procedure to modify the default permissions on the All Address Lists container."

Although there are no commands following this that actually modify the permissions on the "All Address Lists container". Is this just merely a typo or is there a command missing.

If anyone could assist with this, thanks in advance.
Not applicable
Hi there,

I have read the articles on creating a hosting env. with Exchange 2007. One issue that has nowhere been addressed is the use of the postmaster account for sending out NDR's. Essentially you want to have a different postmaster account per virtual company, so NDRs seem to be originating from With the default installation the account is postmaster@hostingorg.local (or something alike). In Exchange 2003 you could fix this with editing the IIS meta database with MetaEdit2.

How must this be accomplished with Exchange 2007 ? Postmaster accounts are now set per transport server, where in my opninion this should be per recieve connector.

Can you please tell me how to deal with this in E2k7 ? Do you need a complete transport server per virtual company ?

Thanks in advance.

Best regards,

Ronald Top
Not applicable
dyoung, this is by default. When you are a seperating your address lists your outlook client should *not* be able to see everybodies elses address list.
Not applicable
Ronald, you are not creating a hosting env by following this doc. You are segmenting your address lists for your internal company. This doc is not meant to be used for hosting other companies.
Not applicable
Dave, my problem is that we can not see *any* address lists at all. Your instructions are very good at giving the commands required to achieve the outcome. What would be good is to know what the permissions at each of the folder levels should be. I.e. Address Lists Container, All Address Lists and and then each of the address lists. This would help me find my problem using ADSIEdit.
Not applicable
dyoung, you can look at this blog for your permissions:

None of your permissions should have changed at all. You might want to consider turning up logging for MSExchangeAL and looking at your address list synchronization to see if the users are being added to their address list. You can also look at the showInAddressList attribute to see how many they are a part of and it should be the default offline address list and their company. If they make a query to the default it will fail and should roll over to their company. Make sure your groups are set up correctly.
Not applicable
Dave, I have implemented your solution. We have a question when we look at the Default Global Address List in adsiedit the Class changes  from addressBookContainer to nothing. Is this normal?
Not applicable
Hey Chris, this is 100% ok. This is because you removed the authenticated users so you no longer have rights to read that object and it still exists. If you ever need to back this solution out you can follow this blog to bring it back:

I would only reverse that if you plan in not segregating.
Not applicable
Dave I am having the problem that the Global Address Book is showing "The bookmark is invalid" when I try to address an email. How do I get my organizational AL to show up?

Not applicable
This means that you are not finding any entries in your gal. You need to make sure your address list synchronization is happening and your users are getting stamped. Check to make sure they have proxy addresses. You can also use LDP to look at your users to make sure the showInAddressBooks attribute it populated and if it is not then your users were not stamped and will not show up.
Not applicable
Thanks for the article. One big problem: when i decide to Restrict Access to the Default Global Address List; it works, but it's imposible to go back after. and it's the same with another global adress list if i change the permissions in the way you give. In adsiedit i get on the object if we want to replace back permissions the message "an invalid directory pathname was passed" So I try to replace the permissions with dcacls (/G Administrator:GAWD for example)  but no way it doesn't work. I don't unterstand why it's impossible to have permissions back and how have the global list up again.
If anyone could assist me, thanks in advance.
Not applicable
Vmax66, if you use the DSACLS "dn of object" /S command it will reset the permissions on the object back to the Schema defaults. I had the same issue and did this. You just have to wait a few minutes to see the results.
Not applicable
Thanks for your response Dyoung, but I haved already tried this and it did'nt work. So because of all the modifications I made, i kill my VM and start with a fresh one (R2-Exch2007-sp1. I test always this sort of modification before applying in prod). So I put by Adsideit on the cn default global adress list (not on the cn global adress list because of the différence of reaction between owa & outlook) the deny on authenticated users on read and open adress lists. It's work fine with no adress visible in the DGAL for the two clients (owa &outlook).
But If I want to come back with adsiedit it's not possiible with the habitual message "an invalid directory pathname was passed". So let's go with DSACLS.exe. I tried the option /S to recover the original settings it doesn'nt work with the message "The directory cannot be removed The command failed to complete successfully"  I try different setting and finally with the settings "dn of object" /N /G Administrator:RP  I get the object come back and I have just to put the permissions on open and read adress list of authenticated users to recover the original situation. Hope this expérience can help.

Version history
Last update:
‎Jul 01 2019 03:34 PM
Updated by: