A simple way to restrict public OWA address book view using ILM
In many organisations there are requirements to segment the Exchange Global Address List (GAL), but even with permissions applied, all users remain visible within the OWA GAL. ILM can help identify and manage specific search scopes within OWA. The solution is made up of two components: ILM's ability to generate DN (distinguished name) values and place them within objects, and Exchange's ability to limit the search base for a user's object.
Refer to http://support.microsoft.com/kb/817218 for more information regarding the msExchQueryBaseDN attribute, which restricts the search base for a user's address book.
In order to restrict a user’s search base:
Create a new address book that contains the records a user is supposed to see. This could be an empty address book (if no records should be seen), or ILM can be used to populate AD with additional information on which to base the address book definition.
Include the msExchQueryBaseDN attribute within the AD management agent.
Use ADSIEdit.msc to retrieve the DN of the newly created address book (e.g. "CN=No Addresses Available,CN=All Address Lists,CN=Address Lists Container,CN=Exchange,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com").
Now create an advanced attribute flow rule from the MV object to the CS object whose scope you wish to limit. Since msExchQueryBaseDN is a reference attribute, the flow must create a DN that points to the correct address book object in the configuration partition of Active Directory. To do this, add the following code (VB.NET rules extension) within the attribute flow rule:
Dim mAgent As ConnectedMA = mventry.ConnectedMA("Active Directory")
' msExchQueryBaseDN is a reference attribute: assign a DN built by the MA to ReferenceValue, not a plain string to Value.
csentry("msExchQueryBaseDN").ReferenceValue = mAgent.CreateDN("CN=No Addresses Available," & _
    "CN=All Address Lists,CN=Address Lists Container," & _
    "CN=Exchange,CN=Microsoft Exchange,CN=Services," & _
    "CN=Configuration,DC=company,DC=com")
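The flow above hard-codes one address book for every user in scope. As an added example (not the post's code), the same flow generalised to pick the address book per user from a metaverse attribute, failing closed to the empty list when that attribute is absent; it replaces the MapAttributesForExport stub in the rules extension project ILM generates, and the flow rule name, the "company" metaverse attribute, the per-company address list naming and the domain are assumptions for illustration.

```vb
' Added example, not from the original post. Paste over the MapAttributesForExport
' stub in the ILM-generated rules extension class (which already imports
' Microsoft.MetadirectoryServices and carries the other IMASynchronization stubs).

' Container under which Exchange stores its address lists (DN from the post;
' DC=company,DC=com is a placeholder for the real forest).
Private Const AddressListsContainer As String = _
    "CN=All Address Lists,CN=Address Lists Container,CN=Exchange," & _
    "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com"

' Empty address list from the post, used whenever no company-specific list applies.
Private Const FallbackList As String = "No Addresses Available"

Public Sub MapAttributesForExport(ByVal FlowRuleName As String, _
        ByVal mventry As MVEntry, ByVal csentry As CSEntry) _
        Implements IMASynchronization.MapAttributesForExport
    Select Case FlowRuleName
        Case "user:msExchQueryBaseDN"   ' assumed flow rule name configured in the MA
            ' Fail closed: start from the empty list and only widen the search base
            ' when the metaverse records which company list the user may browse.
            Dim listName As String = FallbackList
            If mventry("company").IsPresent Then
                ' Assumed naming convention: one address list per company value.
                listName = mventry("company").Value & " Address List"
            End If

            ' msExchQueryBaseDN is a reference attribute, so the DN is built by the MA
            ' and assigned as ReferenceValue. EscapeDNComponent escapes commas and other
            ' special characters a company name might contain, keeping the DN well-formed.
            Dim ma As ConnectedMA = mventry.ConnectedMA("Active Directory")
            Dim listDN As String = _
                ma.EscapeDNComponent("CN=" & listName) & "," & AddressListsContainer
            csentry("msExchQueryBaseDN").ReferenceValue = ma.CreateDN(listDN)
        Case Else
            Throw New EntryPointNotImplementedException()
    End Select
End Sub
```

Run a preview of the Active Directory MA's export flow on a test user to confirm the attribute resolves to an existing address list DN before enabling the rule for the whole connector space.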