Disable the Global Address List?
Hi everyone,
we have a Win2003 server here with Exchange 2003 SP1. Since several different workgroups that have nothing to do with each other have their mailboxes on the server, I would like to disable the global address book on the server or hide it from the users.
Who knows how, or is that even possible?
Thanks.
Content-ID: 8778
Url: https://administrator.de/forum/globales-adressbuch-deaktivieren-8778.html
Printed on: 24.12.2024 at 13:12
hello lutz
Take a look at this article...
How to Manage Address Lists When You Host Virtual Organizations
PSS ID Number: 822940
Article Last Modified on 7/17/2003
The information in this article applies to:
Microsoft Exchange Server 2003 Standard Edition
Microsoft Exchange Server 2003 Enterprise Edition
IN THIS TASK
SUMMARY
How to Create Multiple Global Address Lists
How to Change Security on Global Address Lists
Change the Security on Each New Global Address List
Modify the msExchQueryBaseDN Attribute for Each User
SUMMARY
This step-by-step article describes how to create Global Address Lists and how to set security levels on the Global Address Lists so only specific groups can view them.
When you use Exchange 2003 in a hosting environment, you must create multiple Global Address Lists. The address lists typically have different user accounts listed in them based on the Lightweight Directory Access Protocol (LDAP) filter that you create. By default, all the users in the Exchange 2003 organization can view all the defined Global Address Lists. This may not be acceptable in some situations; for example, it would not be acceptable at a company that serves as an e-mail host for other companies. However, you can restrict access to a particular set of users for specific address lists.
How to Create Multiple Global Address Lists
Note In the following steps, the term "virtual organization" refers to a company that you create a Global Address List for.
In the procedure that describes how to create Global Address Lists, step 1 and step 2 must be performed by an administrator. To create Global Address Lists, follow these steps:
1. Log on as an administrator.
2. Create an organizational unit for each virtual organization, and then create a global security group in the same organizational unit.
3. Add all members of each virtual organization to the global group that you created for that virtual organization in step 2.
4. To change the security of the default Global Address List to help make it inaccessible to users, follow these steps:
   a. Start Exchange System Manager.
   b. Expand Recipients, and then expand All Global Address Lists.
   c. Right-click Default Global Address List, and then click Properties.
   d. Click the Security tab.
   e. In the Name section, click the Authenticated Users group, click List Contents under the Permissions section, and then click to select the Deny check box.
   f. In the Permissions section, make sure that the Allow check box for Read is not selected.
   g. In the Name section, click the Everyone group, and then make sure that none of the Allow check boxes are selected under the Permissions section.
   h. Click Apply.
   i. When you receive the following message, click Yes, and then click OK:
      Caution! Deny entries take priority over Allow entries, which can cause unintended effects due to group memberships.
5. Create a new Global Address List for each virtual organization, and then give each new Global Address List a filter that identifies the users who belong to that virtual organization. To do this, follow these steps:
   a. Right-click All Global Address Lists, and then click New Global Address List.
   b. Type a name for the new Global Address List, and then click Filter Rules.
   c. Click the Advanced tab.
   d. Create a filter criterion for group membership. To do this, follow these steps:
      1. Click Field, click User, and then click Group Membership.
      2. In the Condition box, click Is (exactly).
      3. In the Value section, type the name of the group that you are creating the filter for in the Distinguished Name box, and then click Add.
      4. Click Find Now.
   e. Click OK, and then click Finish.
   For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
   321723 XADM: How to Create an Address List Based on Group Membership
6. Repeat steps A through E for each Global Address List that you create for a virtual organization.
How to Change Security on Global Address Lists
Change the Security on Each New Global Address List
Follow these steps to permit members of the virtual organization to see members of that Global Address List and to prevent all other users from seeing those entries.
Note This procedure works for Post Office Protocol version 3 (POP3) and for Internet Message Access Protocol, version 4rev1 (IMAP4) clients only if you use organizational units (and not alternative criteria such as department or office location) to manage people.
In Exchange System Manager, right-click the new Global Address List, and then click Properties.
Click the Security tab.
Click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then copy the existing permissions when you are prompted to do so.
In the Name section, click the Authenticated Users group name, and then make sure that the Allow check box is not selected for either Read or List in the Permissions section.
Click Add, click the global group that corresponds to the appropriate virtual organization, and then add it to the list.
In the Permissions section, click to clear all permissions except Read, Execute, Read Permissions, List Content, Read Properties, and List Object; and then click OK.
When you receive the following message, click Yes, and then click OK. Caution! Deny entries take priority over Allow entries, which can cause unintended effects due to group memberships.
Click Finish.
Important After you complete these steps, Microsoft Outlook Web Access (OWA) users may use the Find names feature to view users, including those who are not in the same organizational unit. To prevent users from viewing other users who are in different organizational units, follow the steps in the next procedure.
Modify the msExchQueryBaseDN Attribute for Each User
To limit the scope of a directory service search with Outlook Web Access, set the msExchQueryBaseDN attribute on each user object. The value that is specified for the msExchQueryBaseDN attribute limits the searches and the ambiguous name resolution queries that a user can perform. Use the ADSI Edit snap-in to set the msExchQueryBaseDN attribute on a user object. To do this, follow these steps.
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
Log on to the domain controller as administrator.
Start the ADSI Edit. To do this, follow these steps:
Install Windows 2000 Support Tools. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
246926 Folder Listing of the Support Tools Included in Windows 2000
Register the Adsiedit.dll file by using Regsvr32. To do this, follow these steps:
Click Start, and then click Run.
In the Open box, type the following line, and then click OK:
regsvr32 "drive:\program files\support tools\adsiedit.dll"
Open Microsoft Management Console (MMC), and then add ADSI Edit.
In the root directory, right-click ADSI Edit, and then click Connect to.
In the Connection dialog box, click Domain NC in the Naming Context list, and then click OK.
Click a computer or a domain to log on to, and then click OK.
Alternatively, click OK to use the domain or server that you are logged on to.
Expand Domain NC, and then expand dc=domain,dc=com.
Locate and expand the appropriate organizational unit, right-click the user who you want to set viewing restrictions for, and then click Properties.
In the Select a property to view list, click msExchQueryBaseDN.
Copy the distinguished name of the organizational unit that the user belongs to, and then paste the distinguished name in the Edit Attribute box.
For example, you may paste the following: ou=customer1,dc=domain,dc=com
Click Set, and then click OK.
Note You can set the msExchQueryBaseDN attribute on a user object to restrict the visibility of directory entries that can be mailed that are returned by the ambiguous name resolution function and by the Global Address List find functions. You can set the value for the property either to the distinguished name of an object container (common name or organizational unit) or to an address list. In the first scenario, the distinguished name is used as the base distinguished name for Global Address List queries and for ambiguous name resolution queries. In the second scenario, the distinguished name must match one of the ShowInAddressBook values on a directory object for it to be returned by an ambiguous name resolution or by a Global Address List search.
Additional query words: xadm gal ANR
Keywords: kbHOWTOmaster KB822940
Technology: kbExchangeSearch kbExchangeServ2003Ent kbExchangeServ2003Search kbExchangeServ2003St
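An added example, not part of the comment above or of the Microsoft article it quotes: because msExchQueryBaseDN is set by hand on every user, an account that lacks it or points at the wrong container can still look up other virtual organizations through OWA's Find names. The Python script below audits an LDIF export of the user objects (for instance one written by ldifde) for exactly that. The sample records, the function names and the assumption of one top-level OU per virtual organization are made up for the illustration, and a value that is an address-list DN is reported as outside-tenant for manual review.

```python
import base64
import re

# Constructed sample in LDIF format; all names are made up.
SAMPLE_LDIF = """\
dn: CN=Anna Alt,OU=customer1,DC=domain,DC=com
msExchQueryBaseDN: ou=customer1,dc=domain,dc=com

dn: CN=Bert Bach,OU=customer1,DC=domain,DC=com

dn: CN=Cleo Carl,OU=customer2,DC=domain,DC=com
msExchQueryBaseDN: OU=customer1,DC=domain,DC=com

dn: CN=Dora Dorn,OU=Sales,OU=customer2,DC=domain,DC=com
msExchQueryBaseDN: DC=domain,DC=com
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per record (folded lines, base64 '::')."""
    text = re.sub(r"\r?\n ", "", text)              # unfold continuation lines
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = re.match(r"([\w;-]+):(:?)\s*(.*)", line)
            if m:
                raw = m.group(3)                     # 'attr:: <base64>' when group 2 is set
                val = base64.b64decode(raw).decode("utf-8") if m.group(2) else raw
                rec.setdefault(m.group(1).lower(), val)
        if "dn" in rec:
            yield rec

def rdns(dn):
    """Split a DN into lower-cased RDNs; a backslash-escaped comma does not split."""
    return [re.sub(r"\s*=\s*", "=", p.strip().lower())
            for p in re.split(r"(?<!\\),", dn)]

def tenant_ou(parts):
    """Assumption: each virtual organization has one OU directly under the domain."""
    ous = [i for i, p in enumerate(parts) if p.startswith("ou=")]
    return parts[ous[-1]:] if ous else None

def classify(rec):
    user, base = rdns(rec["dn"]), rec.get("msexchquerybasedn")
    if not base:
        return "missing"          # searches are not scoped at all
    base, tenant = rdns(base), tenant_ou(user)
    if tenant and base[-len(tenant):] == tenant:
        return "ok"               # the tenant OU itself or a container below it
    if user[-len(base):] == base:
        return "too-broad"        # an ancestor above the tenant OU
    return "outside-tenant"       # another tenant's OU, or an address-list DN

def audit(ldif_text):
    """Return [(dn, finding)] for every user whose search base needs attention."""
    findings = [(r["dn"], classify(r)) for r in parse_ldif(ldif_text)]
    return [(dn, f) for dn, f in findings if f != "ok"]

if __name__ == "__main__":
    for dn, finding in audit(SAMPLE_LDIF):
        print(f"{finding:15} {dn}")
```

Run against the constructed sample, it flags the user without the attribute, the user scoped to another organization's OU, and the user scoped to the domain root.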