How to implement Exchange address book policies

Exchange address book policies have replaced clunky global address list segmentation. Discover where they make sense and how to implement them.

First introduced in Exchange 2010 Service Pack 2, address book policies are a useful feature that lets administrators segment their global address list for users. Let's see where address book policies make sense and the steps necessary to effectively implement them.

Past versions of Exchange Server included a feature known as GAL segregation. GAL segregation is implemented by setting custom permissions against Active Directory and allows administrators to segment their global address list. Doing so gives different groups of users specified views of other users in the organization. Although well-documented, configuring GAL segregation was not an easy process.

Included in the Exchange 2010 SP2 release -- and in Exchange 2013 -- address book policies offer that same functionality, though things have been simplified.

Where to use address book policies

Address book policies (ABPs) are relatively easy to implement, but aren't appropriate for all organizations. Let's see where they make sense.

Figure 1: A company with multiple divisions is a terrific candidate for Exchange address book policies.

Companies with multiple divisions
If your organization has multiple divisions that operate independently, one division may have no reason to deal with another on a day-to-day basis. Having one massive global address list (GAL) only serves to confuse end users. Administrators in these companies should consider address book policies for each division, with the corporate group maintaining full visibility over the entire company (Figure 1).

Colleges, universities and school districts
While educational institutions often have tens of thousands of mailboxes, it's common that they have multiple sections that operate independently.

Each institution's approach will differ, but consider the following example. University students within each school of study can view a GAL with fellow students, professors and staff within their respective school. Similarly, staff can view a GAL with students, fellow professors and relevant staff within the administrative departments.

The administrative departments may only need to contact general staff and might have trouble identifying staff mixed in with students. It makes sense here to have a GAL that is only comprised of staff.

Figure 2: Address book policies make a lot of sense for educational institutions.

It's possible to set up a number of address book policies where no single user has a view of everyone, yet staff members are present within multiple GALs (Figure 2).

Multi-tenant environments
Address book policies also make a lot of sense for multi-tenant environments. This certainly isn't the focus of this tip, because there are many more considerations around hosted environments than simply GAL segregation, but it's worth mentioning.

Figure 3: Address book policies make sense for multi-tenant Exchange environments.

In a hosted configuration, an end user likely isn't aware that he is one of many sharing a common Exchange environment. Therefore, it's unlikely that the end user would be present within multiple GALs. The one ABP per company model is often used in these types of situations (Figure 3).

Defining your requirements

After determining why you want to use ABPs, you must define your requirements. Let's look at a company with multiple divisions as an example:

  • Contoso Holdings -- the parent group
  • Tailspin Toys -- a toy division within Contoso Holdings
  • Fabrikam Electronics -- a division within Contoso Holdings that distributes electronics

The company divisions will be split up so that:

  • The employees within Contoso Holdings (the parent company) see themselves, as well as all employees within the sub-divisions in a large GAL.
  • Employees of Tailspin Toys and Fabrikam Electronics only see colleagues within their respective divisions, with GALs defined for each.

Contoso Holdings and the two separate divisions are contained within their own organizational units within Active Directory. This makes it simple to find users within each respective division.

For each GAL, let's use Exchange's CustomAttribute1 to filter users and determine who should be listed in each GAL. We'll use CustomAttribute1 to store the division name, then create two address book policies, one for each division. This leaves the corporate Contoso users as they are, with visibility over the existing default global address policy.

Implementing Exchange address book policies

Now that we've defined our requirements, actually implementing ABPs becomes more straightforward. We must complete the following tasks:

  • Set the custom attribute on users within the Tailspin and Fabrikam divisions.
  • Create two new GALs, one for each division.
  • Create new address lists for both divisions.
  • Create new offline address books (OABs) for both divisions.
  • Create two new address book policies referencing the above GALs, address lists and OABs.
  • Assign the address book policies to users in each division.

The core of this process is accomplished via PowerShell, though we can view the results of our actions later in the Exchange Management Console (EMC).

First, let's set our CustomAttribute on Tailspin and Fabrikam users to give us the key attribute to filter on:

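# Set CustomAttribute1 for TailSpin
# "<TailSpin OU>" is a placeholder: replace it with the organizational unit that holds the TailSpin division

Get-Mailbox -OrganizationalUnit "<TailSpin OU>" | Set-Mailbox -CustomAttribute1 TailSpin

Get-MailUser -OrganizationalUnit "<TailSpin OU>" | Set-MailUser -CustomAttribute1 TailSpin

Get-DistributionGroup -OrganizationalUnit "<TailSpin OU>" | Set-DistributionGroup -CustomAttribute1 TailSpin

# Set CustomAttribute1 for Fabrikam
# "<Fabrikam OU>" is a placeholder: replace it with the organizational unit that holds the Fabrikam division

Get-Mailbox -OrganizationalUnit "<Fabrikam OU>" | Set-Mailbox -CustomAttribute1 Fabrikam

Get-MailUser -OrganizationalUnit "<Fabrikam OU>" | Set-MailUser -CustomAttribute1 Fabrikam

Get-DistributionGroup -OrganizationalUnit "<Fabrikam OU>" | Set-DistributionGroup -CustomAttribute1 Fabrikam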

Next, let's create the new GALs for each division, referencing the CustomAttribute and its value:

New-GlobalAddressList "TailSpin Global Address List" -RecipientFilter {(CustomAttribute1 -eq "TailSpin")} | Update-GlobalAddressList

New-GlobalAddressList "Fabrikam Global Address List" -RecipientFilter {(CustomAttribute1 -eq "Fabrikam")} | Update-GlobalAddressList

Next, we must create the base address lists. These are the standard "Folders" within the GAL that end users use to view lists of mailboxes, distribution groups, contacts and room mailboxes:

# Create TailSpin Address Lists

New-AddressList "TailSpin Users" -RecipientFilter {((CustomAttribute1 -eq "TailSpin") -and (RecipientType -eq 'UserMailbox'))} | Update-AddressList

New-AddressList "TailSpin Groups" -RecipientFilter {((CustomAttribute1 -eq "TailSpin") -and (RecipientType -eq 'MailUniversalDistributionGroup' -or RecipientType -eq 'MailUniversalSecurityGroup' -or RecipientType -eq 'MailNonUniversalGroup' -or RecipientType -eq 'DynamicDistributionGroup'))} | Update-AddressList

New-AddressList "TailSpin Contacts" -RecipientFilter {((CustomAttribute1 -eq "TailSpin") -and (RecipientType -eq 'MailContact'))} | Update-AddressList

New-AddressList "TailSpin Rooms" -RecipientFilter {((CustomAttribute1 -eq "TailSpin") -and (Alias -ne $null) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox')))} | Update-AddressList

# Create Fabrikam Address Lists

New-AddressList "Fabrikam Users" -RecipientFilter {((CustomAttribute1 -eq "Fabrikam") -and (RecipientType -eq 'UserMailbox'))} | Update-AddressList

New-AddressList "Fabrikam Groups" -RecipientFilter {((CustomAttribute1 -eq "Fabrikam") -and (RecipientType -eq 'MailUniversalDistributionGroup' -or RecipientType -eq 'MailUniversalSecurityGroup' -or RecipientType -eq 'MailNonUniversalGroup' -or RecipientType -eq 'DynamicDistributionGroup'))} | Update-AddressList

New-AddressList "Fabrikam Contacts" -RecipientFilter {((CustomAttribute1 -eq "Fabrikam") -and (RecipientType -eq 'MailContact'))} | Update-AddressList

New-AddressList "Fabrikam Rooms" -RecipientFilter {((CustomAttribute1 -eq "Fabrikam") -and (Alias -ne $null) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox')))} | Update-AddressList

We must now round up the components of the new GALs and create two new OABs:

New-OfflineAddressBook "TailSpin Offline Address Book" -AddressLists "TailSpin Global Address List"

New-OfflineAddressBook "Fabrikam Offline Address Book" -AddressLists "Fabrikam Global Address List"

Now that we have our GALs, address lists and OABs, we can create two new address book policies:

New-AddressBookPolicy -Name "TailSpin Address Book Policy" -AddressLists (Get-AddressList TailSpin*) -OfflineAddressBook "TailSpin Offline Address Book" -GlobalAddressList "\TailSpin Global Address List"  -RoomList "\TailSpin Rooms"

New-AddressBookPolicy -Name "Fabrikam Address Book Policy" -AddressLists (Get-AddressList Fabrikam*) -OfflineAddressBook "Fabrikam Offline Address Book" -GlobalAddressList "\Fabrikam Global Address List"  -RoomList "\Fabrikam Rooms"

Figure 4: The newly created address book policies now display within the EMC.

The complete and working address book policies are now ready. They are displayed in the EMC, along with everything else we've created (Figure 4).

Although we -- the admins -- can see the policies, end users can't. In other words, even though users are listed on the GAL that's contained within an ABP, it doesn't mean it's the one they see. To enable users to see the correct GAL, as well as its respective components, we must assign each user to the correct ABP.

To do so, use the CustomAttribute filter we used earlier to search for mailboxes using the Get-Mailbox cmdlet and pipe the results to the Set-Mailbox cmdlet. Doing so assigns the ABP:

Get-Mailbox -Filter {(CustomAttribute1 -eq "TailSpin")} | Set-Mailbox -AddressBookPolicy "TailSpin Address Book Policy"

Get-Mailbox -Filter {(CustomAttribute1 -eq "Fabrikam")} | Set-Mailbox -AddressBookPolicy "Fabrikam Address Book Policy"

Figure 5: Assign an Exchange address book policy to a mailbox.

You don't necessarily need to accomplish this task using the Exchange Management Shell (EMS), though it's certainly easier for multiple users. You can also use the EMC and assign an address book policy when editing an individual mailbox (Figure 5).

Figure 6: A screenshot of a user's new GAL.

We have now successfully implemented address book policies. When users view their GAL, they will only see the view of the organization based on their division (Figure 6).

The final aspect to understand is what to do with new users. After creating a new user and mailbox within a division, you must accomplish two additional tasks:

  • Assign the address book policy to the new user.
  • Add the correct division name to CustomAttribute1 on the new user.

Because we previously used CustomAttribute1 -- a property that's viewable and easy to edit via the EMC -- the two tasks are easily accomplished there after creating the mailbox.

That said, you can also accomplish the task using the EMS:

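# "<TailSpin OU>" and "<user principal name>" are placeholders: supply the division's organizational unit and the new mailbox's UPN

New-Mailbox "Sales" -OrganizationalUnit "<TailSpin OU>" -UserPrincipalName "<user principal name>" -AddressBookPolicy "TailSpin Address Book Policy" -Shared | Set-Mailbox -CustomAttribute1 "TailSpin"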
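
An added check for the two new-user tasks above (example code, not from the original article): it flags mailboxes whose CustomAttribute1 and assigned address book policy disagree, because a division mailbox without an ABP still sees the default GAL. Find-AbpDrift and the sample mailboxes are constructed for illustration; the division values and policy names are the ones created earlier.

```powershell
$PolicyMap = @{   # CustomAttribute1 value -> ABP name, both as used in this article
    'TailSpin' = 'TailSpin Address Book Policy'
    'Fabrikam' = 'Fabrikam Address Book Policy'
}

function Find-AbpDrift {   # hypothetical helper, not an Exchange cmdlet
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Mailbox,
        [Parameter(Mandatory = $true)] [hashtable] $Map
    )
    process {
        $division = [string]$Mailbox.CustomAttribute1
        # Assumption: a live mailbox may expose the policy as an object with a Name
        # property; the constructed samples below carry it as a plain string.
        $abp = $Mailbox.AddressBookPolicy
        if ($abp -and $abp.Name) { $assigned = [string]$abp.Name } else { $assigned = [string]$abp }

        $issue = $null
        if ($division -and -not $Map.ContainsKey($division)) {
            $issue = 'CustomAttribute1 is not a known division'
        } elseif ($division -and -not $assigned) {
            $issue = 'No ABP assigned: user still sees the default GAL'
        } elseif ($division -and $assigned -ne $Map[$division]) {
            $issue = 'ABP does not match the division in CustomAttribute1'
        } elseif (-not $division -and (@($Map.Values) -contains $assigned)) {
            $issue = 'ABP assigned but CustomAttribute1 empty: user missing from division GAL'
        }
        if ($issue) {
            New-Object PSObject -Property @{
                Name = $Mailbox.Name; Division = $division; Policy = $assigned; Issue = $issue
            }
        }
    }
}

# Constructed sample mailboxes so the check runs without an Exchange server.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'alice'; CustomAttribute1 = 'TailSpin'; AddressBookPolicy = 'TailSpin Address Book Policy' }),
    (New-Object PSObject -Property @{ Name = 'bob';   CustomAttribute1 = 'TailSpin'; AddressBookPolicy = $null }),
    (New-Object PSObject -Property @{ Name = 'carol'; CustomAttribute1 = 'Fabrikam'; AddressBookPolicy = 'TailSpin Address Book Policy' }),
    (New-Object PSObject -Property @{ Name = 'dave';  CustomAttribute1 = '';         AddressBookPolicy = 'Fabrikam Address Book Policy' })
)
$sample | Find-AbpDrift -Map $PolicyMap | Format-Table Name, Division, Policy, Issue -AutoSize

# Against a live organization, run in the EMS:
# Get-Mailbox -ResultSize Unlimited | Find-AbpDrift -Map $PolicyMap
```

Corporate Contoso mailboxes, which have neither the attribute nor a policy, produce no finding, matching the design in which they keep the default view.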

Final thoughts

Address book policies might initially sound daunting, but as you can see, armed with the right steps they're actually quite easy to configure. Use the techniques described in this tip and you'll find that implementing and managing address book policies within your Exchange organization is something that is both easy to achieve and requires minimal future management.

About the author:
Steve Goodman is an Exchange MVP, and works as a technical architect for one of the UK's leading Microsoft Gold partners, Phoenix IT Group. Goodman has worked in the IT industry for 14 years and has worked extensively with Microsoft Exchange since version 5.5.

This was first published in March 2013
