We're having some difficulty with kids emailing their whole year group or even worse the whole email community. We use MS Outlook 2003 at school and Web Outlook from home. It's when they're in school that the problem occurs because if they click on "To..." then they get to see ALL users. We've managed to hide the shared contacts/groups that we've set up in Active Directory by changing the security permissions on the shared groups to be invisible to students - this just leaves various gaps when they click on "To...". However, they can still see about 900 users (Y9-13 + staff) and some are in the habit of clicking the first, holding down shift, clicking the last and sending. Obviously we have an AUP and ban their access to email when they do this, but we need to stop it from happening in the first place. We've tried setting the default number of recipients to 5 (for example) as a global setting, but this of course restricts it for staff too (unless we change each one individually). We've also tried hiding the global address book but this prevents anyone from logging on :-(
Does anyone have any solutions or any software that deals with bulk changes to mailboxes or puts different types of users into different groups and manages them according to the group they are in? Exchange is very very un-friendly when it comes to linking in with AD and applying settings to groups of people.
btw - one solution we are putting into place in order to solve the fact that users can't see their own contacts when clicking on To... is to implement roaming profiles for staff - shock horror! Has anyone got any positive experiences of using RPs with Exchange / Outlook and any advice?
What version of Exchange are you running?
2003 on a 2K3 server.
You can prevent them viewing the address book and limit the number of recipients (something you should do anyway as best practice).
This can be done using policies that apply to your organisation and on a per user level (so you can exclude yourself). This works in Exchange 2K and 2003.
PM me during the week and I will have a look exactly where the setting is.
Thanks Ric. We've looked at this option already and the global setting is in delivery options. Unfortunately though it would involve making the global setting, and then over-riding it for every member of staff which would be a lot of work. And we would need to remember to put the override in each time we create a new member of staff too. Someone else has suggested via email that we upgrade to the Enterprise version of Exchange - do you or anyone else have experience of whether this is any better?
I use the Enterprise version but there isn't a significant difference WRT this problem. There is a difference between 2000 and 2003.
If you deny access to the address book, the kids won't be able to send to everyone unless they know everyone's addresses (unlikely).
You can also do a bulk select and change on the users IIRC.
The user property that lets you restrict the max. number of recipients is a bit buried (User properties>exchange general>delivery options), so it's not one of the ones you can apply when you select a big clump of users and bring up their Properties. Possibly it's scriptable with ADSI or something - I'm not too hot in that area. Of course troublemakers can have their limit manually set to 1 permanently without too much hassle.
There is an organisation-wide setting, inside "global settings>message delivery>defaults" in System Manager, but it'll apply to all users that you don't opt out with the above setting, as you've found already.
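One way to script the per-user limit discussed above, as an added example that is not part of any poster's reply: it leaves the organisation-wide default alone and writes the limit only on mailbox users under one OU. It assumes the Delivery Options recipient limit is stored in the `msExchRecipLimit` attribute on the user object and that PowerShell is available on an admin workstation; the function name and OU path are hypothetical placeholders.

```powershell
# Added example: bulk-set the per-user recipient limit for mailbox users in one OU.
# Assumptions: msExchRecipLimit backs the "Delivery Options" recipient limit;
# the OU distinguished name used at the bottom is a placeholder.
function Set-OuRecipientLimit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$OuDn,
        [Parameter(Mandatory = $true)][ValidateRange(1, 5000)][int]$Limit
    )

    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Mailbox-enabled users only: user objects that have a home mailbox store.
    $searcher.Filter      = '(&(objectCategory=person)(objectClass=user)(homeMDB=*))'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500      # page results so more than 1000 users are returned
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('msExchRecipLimit')

    $changed = 0
    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $dn      = $result.Properties['distinguishedname'][0]
            $current = $null
            if ($result.Properties['msexchreciplimit'].Count -gt 0) {
                $current = $result.Properties['msexchreciplimit'][0]
            }
            if ($current -eq $Limit) { continue }   # already set, nothing to write

            if ($PSCmdlet.ShouldProcess($dn, "Set msExchRecipLimit to $Limit (was '$current')")) {
                $user = $result.GetDirectoryEntry()
                $user.Properties['msExchRecipLimit'].Value = $Limit
                $user.CommitChanges()
                $changed++
            }
        }
    }
    finally { $results.Dispose() }
    return $changed
}

# Dry run first: lists every account that would be changed without writing anything.
Set-OuRecipientLimit -OuDn 'OU=Students,DC=example,DC=local' -Limit 5 -WhatIf
```

Drop `-WhatIf` to apply the change, and re-run it after each intake of new accounts so the students' OU stays covered while staff keep the organisation default.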
That's exactly how we see it at the moment !
We just make all the kids use OWA rather than Outlook, and of course then the address book is searchable only rather than a huge list. Works for us, and as we all have roaming profiles, our PABs are part of that as well so are accessible via the OWA.
Sorry to drag up an old thread - but paullong (if you are still reading) - did you manage to sort this? We are coming up against this problem and need to be able to restrict access to our Global Address book just for the students only.
I have - by practice - limited each student to a max of 5 recipients, but is there an option to hide / deny access to the global address list??
Never used exchange so probably well off but is this of any use?
Using Permissions to Limit Access to Address Lists
All users can access all address lists by default. However, if you want to deny users access to particular address lists, for example, if you want to use department-specific address lists that are only available to members of those departments, configure permissions on individual address lists:
1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. Expand the Recipients object, and then double-click All Address Lists.
3. Right-click the address list for which you want to set permissions, and then click Properties.
4. Click the Security tab, and then click to clear the Allow inheritable permissions from parent to propagate to this object check box.
NOTE: Address list permissions are inherited by default.
5. Click Copy to copy the current permissions from the parent object.
Do not click Remove. If you do so, system permissions may be affected.
6. To grant a recipient access to the address list, click Add, click either a recipient or group in the Select Users, Computers or Groups list, and then click to select the Allow check box next to Read permissions.
7. To deny a recipient access to the address list, click a recipient in the Select Users, Computers or Groups list, and then click to clear the Allow check box next to Read permissions.
8. Click OK.
NOTE: Always exercise caution when you use the explicit Deny permissions, particularly with groups. Deny permissions override Allow permissions, which can cause unexpected issues when you view the Address Book.
Not tried, but can't you just use message restrictions on the group itself - within AD Users and Computers?
I still stand by my method, Outlook Web Access Campus wide, with Outlook by request, basically on teachers machines only and in offices.
I agree with the OWA only approach. However, due to DNS issues and the c*ckups made by the NM, OWA won't work internally (yet does externally). I haven't had the time to investigate/fix this, and at the moment, I'm not inclined either ;-)
I have denied access to our 'students' group within Exchange System Manager to the global address list, and also the 'all users' address list as suggested by Sysman above, and allowed access for staff. However, this doesn't appear to work - I've just logged in as a student, and they can still see the global address list. As far as I was aware, deny permissions should take precedence over allow... so I'm a bit puzzled as to why they're still allowed access to that list.