Outlook 20xx and GALs

[Jawloms]

Hi all,

We are currently migrating our users mailboxes from an Exchange server in the same domain as their user accounts to an exchange server in a domain we trust. All is working fine except the new exchange server (I say 'new', it's running 2003) has two GALs, one for the staff and one for the students. Randomly and frequently the staff are seeing only the student GAL. If we delete the %user%\AppData\Microsoft\Outlook folder and re-open Outlook they get the correct GAL, but a while later (minutes or days) they then have the student GAL again. It's not closing and opening Outlook which causes it as it happens when Outlook is left open too. We're running Outlook 2003, 2007, 2010 on Windows XP and Windows 7 and all have the problem.

Any thoughts please?

Stuart

[Domino]

Is one the default GAL? from memory, I think the suggested path is to set the default as denied for all, and then create two new ones with the user accounts asigned to the correct one....

[Jawloms]

There are only two under "All Global Address Lists" - "Staff" and "Students". Staff have Read over the "Staff" one and Deny over the Student one.

[Domino]

Okay, this is the method I used back in 2k3 - I can't help any more than that - I've not touched 2k3 in years

First you want to create a security group called Deny_Full_GAL. Add all users to it. Next add this group the Default Global Address List and deny all permisions for this group, you also need to remove authenticated users, everyone and anonymous users groups from the permissions list. This should prevent the users from seeing the Default GAL.

Next. Setup 2 security groups:

UserGroup1
UserGroup2

and 2 new GALs

GAL1
GAL2

Now add all the users you want to see GAL1 into UserGroup1 and add this group to the permission of GAL1 - remove all permissions then add back in 'allow' access for:

Read
Execute
List Contents
Read Properties
List Object
Open Address List

Also make sure you remove authenticated users, everyone and anonymous user groups from GAL1 security permissions.

Do the same for GAL2 but with UserGroup2. You should now have 2 GAL's which can only be seen by UserGroup1 and UserGroup2 respectively.

To add users to a GAL, you need to do an LDAP querey by selecting 'Modify' on the General tab of the GAL properties. You can then include all users of a specific group, UPN or whatever.

NB: You could also use the list object permission to prevent users seeing the Default GAL but this is a bit more involved and in my book the easier solution is creating the Deny_Full_GAL security group.