Restrict searches in Exchange 5.5
If you have multiple companies or departments hosted within the same Exchange Server organization and want to prevent each one from seeing the other's mailboxes or address lists, you can do this in Exchange 5.5 through a technique called Container Level Search Control. This requires you to edit how the users are listed in User Manager for Domains.
- Open the Exchange Administrator. In the properties of the Directory Service Site Configuration object, set up an anonymous account -- basically, any Windows user account, preferably an ordinary user-level account rather than an administrative one, so that anonymous directory access carries no extra privileges.
- Open the User Manager for Domains. Create a Global Group for each department or division in your organization that you want to segregate and add the respective Windows user accounts to each group. You'll need to add a consistent identifier for the group in either the Company or Department field of the account's Properties (it's up to you). If you are setting up the server for the first time, you may want to do this offline in another application, such as a database, then produce a file that can be bulk-imported.
If you want to nest one group inside another, or if you are running Exchange Server on a member server instead of a domain controller, use local rather than global groups to perform the segregation.
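The "do it offline and bulk-import" suggestion above is where most of the segregation mistakes happen: an account with an empty or misspelled Company/Department value, or one listed under two divisions, silently lands outside (or inside) the wrong Address Book View. The script below is an added example, not part of the original article: it builds the import file from a constructed roster and rejects those inconsistencies before anything reaches the directory. The column headers (Obj-Class, Mode, Directory Name, Display Name, Alias Name, Primary Windows NT Account, Home-Server, Company, Department) are assumed from the Exchange 5.5 Administrator import/export format and should be checked against a test export from your own server; the domain, server name and accounts are made up.

```python
import csv
import io

# Assumed column names for the Exchange 5.5 Administrator directory import
# (File / Directory Import). Confirm them against a Directory Export from
# your own server before importing anything.
IMPORT_HEADER = [
    "Obj-Class", "Mode", "Directory Name", "Display Name", "Alias Name",
    "Primary Windows NT Account", "Home-Server", "Company", "Department",
]

# Constructed sample roster: one row per Windows account and the division
# whose identifier should become its segregator value.
SAMPLE_ROSTER = [
    {"account": "CORP\\jdoe",   "display": "Jane Doe",  "division": "Acme Widgets"},
    {"account": "CORP\\bsmith", "display": "Bob Smith", "division": "Acme Widgets"},
    {"account": "CORP\\clee",   "display": "Carol Lee", "division": "Beta Services"},
]


def build_import_rows(roster, home_server, segregator="Company", known_divisions=None):
    """Return one import row per account with the division identifier in the
    chosen segregator attribute (Company or Department) and the other one
    left blank, so the Address Book View groups on exactly one attribute.

    Raises ValueError for the cases that break segregation: a blank
    identifier, an identifier not in the approved list, or an alias that
    appears under two different divisions.
    """
    if segregator not in ("Company", "Department"):
        raise ValueError("segregator must be 'Company' or 'Department'")
    known = set(known_divisions) if known_divisions is not None else None
    seen = {}   # alias -> division, to catch accounts listed twice
    rows = []
    for entry in roster:
        division = entry["division"].strip()
        if not division:
            raise ValueError(f"{entry['account']}: empty division; it would fall outside every view")
        if known is not None and division not in known:
            raise ValueError(f"{entry['account']}: unknown division {division!r}")
        alias = entry["account"].split("\\", 1)[-1]
        if alias in seen and seen[alias] != division:
            raise ValueError(f"{alias}: listed under two divisions")
        seen[alias] = division
        row = {column: "" for column in IMPORT_HEADER}
        row.update({
            "Obj-Class": "Mailbox",
            "Mode": "Modify",            # update existing mailboxes in place
            "Directory Name": alias,
            "Display Name": entry["display"],
            "Alias Name": alias,
            "Primary Windows NT Account": entry["account"],
            "Home-Server": home_server,
            segregator: division,
        })
        rows.append(row)
    return rows


def divisions_in(rows, segregator="Company"):
    """The distinct segregator values present: one Address Book View group each."""
    return sorted({row[segregator] for row in rows})


def render_csv(rows):
    """Serialize the rows as the comma-separated file the Administrator imports."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=IMPORT_HEADER, lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows = build_import_rows(SAMPLE_ROSTER, "EXCH01",
                             known_divisions=["Acme Widgets", "Beta Services"])
    print("groups:", divisions_in(rows))
    print(render_csv(rows))
```

Run it against the real roster with the list of approved division names passed as `known_divisions`; the set returned by `divisions_in` is exactly the set of groups the Address Book View will produce in the next steps, so compare it against the global groups created in User Manager before importing.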
- In Exchange Administrator, click on File / New / Other / Address Book View, which will let you set up an Address Book View to organize the names. In the General tab, enter the Display and Directory names (both of which can be arbitrary). In the Group By tab, select the attribute by which you wish to group the accounts listed in the Group Items By field. You can use either Company or Department, depending on which one you're using as your segregator.
- Once the Address Book View is created, it appears as a tree diagram in Exchange Administrator. Expand the tree, open the Permissions tab for each group (one per value of the Group Items By attribute selected in the step above), and add the matching global group with the Search role.
- In Exchange Administrator, click Tools / Options, then look in the Permissions tab. The options "Show Permissions Page for all objects" and "Display Rights for Roles on Permission page" should both be enabled. If they aren't, check them and click OK.
- Make sure the Administrator account (or at least one other admin-level account) has the Permissions Admin role on the Organization object in Exchange Administrator. Once you've confirmed this, go to the Properties of the Organization object and add the Search right to the Exchange Service account.
- Test the results by logging into an Exchange Server mailbox, opening the Address Book and choosing Show Names from the Global Address List. You should only see the names in the list associated with the organization that account is in. If the account is inheriting permissions from some object that gives it the right to see the complete address list, then this method of restricting searches won't work.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.
This was first published in February 2002