Restrict or filter GAL access for OWA users using MSExchQueryBaseDN in Exchange 2007

When hosting Exchange 2007 mailboxes for use purely with Outlook Web Access (OWA) you may wish to limit access to the Global Address List (GAL), so that logged-in users can only see a subset of the contacts in the GAL. This is particularly relevant in hosting environments where mailboxes for several companies live in the same Active Directory, and you want users to see contact information only for their own company rather than for every company.

A while ago we had a situation where this was a requirement. In our case there were several groups of users who would only be accessing email through OWA, and only needed contact information for a subset of staff. We were able to use custom address lists and the MSExchQueryBaseDN user attribute to solve this problem.

If you run adsiedit.msc and look at the properties of a user object you can scroll down the list of attributes to find MSExchQueryBaseDN.

[Screenshot: the MSExchQueryBaseDN attribute in ADSI Edit]

In order to limit which contacts a particular user or group of users can access, first set up a new Address List using either the Exchange Management Console or the Exchange Management Shell. The address list should contain the contacts that you want the user or group of users to be able to view. You could instead point the MSExchQueryBaseDN attribute at an Organizational Unit, so that it filters contact information to just the users in that OU, but if you need the flexibility to include contact information for users from various OUs in Active Directory, a custom address list is easier. Note that the attribute only changes the search base OWA uses for its directory lookups; it does not change Active Directory permissions, so a user with Outlook or direct LDAP access to the domain can still read the full directory.

Once this is done you need to set the MSExchQueryBaseDN attribute of each of the users who you want to restrict to the distinguished name of the address list you created.


CN=YOUR_RESTRICTED_ADDRESS_LIST,CN=All Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=YOUR_DOMAIN,DC=local

Where YOUR_RESTRICTED_ADDRESS_LIST is the name of your address list, YOUR_DOMAIN is the name of your domain, and First Organization is the name of your Exchange organization (check it in adsiedit, as it is not always the default).

Obviously it would be too time consuming to set this attribute manually for hundreds of users. If you prefer a GUI you can use ADModify.Net to set it in bulk:

[Screenshot: setting MSExchQueryBaseDN using ADModify.Net]

To reset to the default value using ADModify.Net use a value of 'null'.

You could also set the attribute from PowerShell if you would prefer to use the command line.

Please note: Using this attribute in Exchange 2010 SP1 may result in undesirable consequences. It has been reported that if this attribute is used you may find that users with the attribute set cannot view the contents of their address list, particularly in Outlook.
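The whole procedure scripted, as an added example that is not part of the original post: it creates the restricted address list, reads its distinguished name back (so the Exchange organization name is never typed by hand), stamps msExchQueryBaseDN on every mailbox of one hosted company through ADSI, verifies the result, and provides the reset equivalent of ADModify's 'null'. The company name, list name and server are assumptions; run it in the Exchange 2007 Management Shell as an account that can write to user objects.

```powershell
# Added example, not code from the original post. Assumed names: "Company A"
# in the Company attribute of the hosted users, list "Company A Contacts".
$listName = "Company A Contacts"

# 1. Create the address list (membership by the Company attribute) and
#    populate it. In Exchange 2007 a new list is empty until Update-AddressList
#    runs. Filter values are literal strings: variables are not expanded inside
#    -RecipientFilter / -Filter script blocks in this version.
if (-not (Get-AddressList | Where-Object { $_.Name -eq $listName })) {
    New-AddressList -Name $listName -RecipientFilter { Company -eq "Company A" } | Out-Null
}
Update-AddressList -Identity $listName

# 2. Read the DN back rather than building it: it embeds the Exchange
#    organization name ("First Organization" on many installs, not all).
$listDn = (Get-AddressList -Identity $listName).DistinguishedName

# 3. Point every mailbox of that company at the list. Set-Mailbox does not
#    expose msExchQueryBaseDN in Exchange 2007, so write it through ADSI.
$targets = Get-Mailbox -ResultSize Unlimited -Filter { Company -eq "Company A" }
foreach ($mbx in $targets) {
    $user = [ADSI]("LDAP://" + $mbx.DistinguishedName)
    $user.Put("msExchQueryBaseDN", $listDn)
    $user.SetInfo()
}

# 4. Verify: every target should now report the list's DN.
foreach ($mbx in $targets) {
    $user = [ADSI]("LDAP://" + $mbx.DistinguishedName)
    "{0,-30} {1}" -f $mbx.Alias, $user.Get("msExchQueryBaseDN")
}

# Reset for one user (what ADModify does with 'null'): clear the attribute.
# PutEx operation 1 is ADS_PROPERTY_CLEAR; the value argument is ignored.
function Reset-QueryBaseDN([string]$userDn) {
    $user = [ADSI]("LDAP://" + $userDn)
    $user.PutEx(1, "msExchQueryBaseDN", @())
    $user.SetInfo()
}
```

After the attribute is written, log in to OWA as one of the affected users and search the address book: only members of the list should appear. Remember that the same user can still read the whole directory with an LDAP client, so treat this as a presentation filter, not as tenant isolation.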

‘Run Cleanup Agent’ replacement in Exchange 2007

To view disconnected mailboxes immediately after deletion in Exchange 2003, you used to have to run the cleanup agent by right clicking on the mailbox folder in Exchange System Manager for the relevant server, and choose ‘Run Cleanup Agent’.

This changed in Exchange 2007: instead, you run the Clean-MailboxDatabase command from the Exchange Management Shell. To do this, on the server that holds the database the deleted mailboxes were in, run the following command, where "Your_Mailbox_Database_Name" is the name of the relevant mailbox database:

Clean-MailboxDatabase "Your_Mailbox_Database_Name"
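An added example (not from the original post) that does what the cleanup agent was usually run for: it cleans every mailbox database on one server and then lists the mailboxes that now show as disconnected, which is what you want to confirm after a deletion or before reconnecting one with Connect-Mailbox. The server name is an assumption.

```powershell
# Added example, not code from the original post. Assumed server name EXCH01.
$server = "EXCH01"

# Run the cleanup against every mailbox database on the server so that
# recently deleted mailboxes are marked as disconnected straight away.
Get-MailboxDatabase -Server $server | ForEach-Object {
    Clean-MailboxDatabase -Identity $_.Identity
}

# Disconnected mailboxes carry a DisconnectDate; live ones have none. They
# stay recoverable until the database's deleted-mailbox retention expires
# (30 days by default), and MailboxGuid is what Connect-Mailbox needs.
Get-MailboxStatistics -Server $server |
    Where-Object { $_.DisconnectDate -ne $null } |
    Sort-Object DisconnectDate -Descending |
    Format-Table DisplayName, DisconnectDate, Database, MailboxGuid -AutoSize
```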

Renewing an SSL certificate on Exchange 2007

The other day I noticed event 64 with a source of CertificateServicesClient-AutoEnrollment in the event log on one of our Exchange 2007 Client Access servers. I was aware that the SSL certificate on this server was due for renewal in the near future, but this was a timely reminder:

[Screenshot: Event ID 64, source CertificateServicesClient-AutoEnrollment]

In order to double check which certificate was expiring on this CAS server, I ran the following command in the Exchange Management Shell:

Get-ExchangeCertificate | FL

This lists all the certificates that Exchange is using along with the details of each certificate, including the thumbprint. Compare the thumbprint in the event log message with those in the list from the above command to see which certificate the message refers to.

Next you should create a new certificate signing request (CSR) by issuing the following command in the Exchange Management Shell:

New-ExchangeCertificate -GenerateRequest -Path c:\CERT_REQUEST.CSR -KeySize 2048 -SubjectName "c=GB, s=YOUR_COUNTY_OR_STATE, l=YOUR_CITY, o=YOUR_ORGANISATION_NAME, ou=YOUR_DEPARTMENT, cn=YOUR_SERVER_FQDN" -DomainName autodiscover.YOUR_DOMAIN_NAME, YOUR_SERVER_LOCAL_DOMAIN_NAME, YOUR_SERVER_NETBIOS_NAME -PrivateKeyExportable $True

In the example above the capitalised parameters can be described as follows:

CERT_REQUEST.CSR – The name of the file that the certificate request will be exported to, in this case to the root of the c:\ drive

YOUR_COUNTY_OR_STATE – The name of the county or state for the certificate

YOUR_CITY – The name of the city for the certificate

YOUR_ORGANISATION_NAME – The name of your Company

YOUR_DEPARTMENT – The name of your department

YOUR_SERVER_FQDN – The fully qualified domain name, i.e. the public name of your server that is registered with your external DNS provider. This is the certificate's common name, and the value given to -DomainName should also include it so that it appears in the subject alternative names.

autodiscover.YOUR_DOMAIN_NAME – The subject alternative name for autodiscover where the YOUR_DOMAIN_NAME part is your external domain name

YOUR_SERVER_LOCAL_DOMAIN_NAME – The internal fully qualified domain name of your server, if it is different from the external fully qualified domain name

YOUR_SERVER_NETBIOS_NAME – The NetBIOS name of your server

Note that -PrivateKeyExportable $True lets the private key be exported from this server later. That is only needed if you intend to copy the certificate to another Client Access server; otherwise set it to $False so the key cannot leave the machine.

For example (the public server name and the external autodiscover name are left as placeholders here, as they depend on your external DNS):

New-ExchangeCertificate -GenerateRequest -Path c:\certrequest.csr -KeySize 2048 -SubjectName "c=GB, s=Hampshire, l=Southampton, o=Oasysadmin Ltd, ou=IT Support, cn=YOUR_SERVER_FQDN" -DomainName YOUR_SERVER_FQDN, autodiscover.YOUR_DOMAIN_NAME, mail.oasysadminltd.local, mail -PrivateKeyExportable $True

Another easy way to generate the New-ExchangeCertificate command for the certificate request is to use a free tool such as Digicert’s Exchange 2007 CSR Tool. Just fill in the fields and click generate, and then copy and paste the generated command into the Exchange Management Shell, and press enter to generate the CSR.

Once you have created your certificate signing request, open it in Notepad and copy and paste the contents into the certificate renewal web page of your 3rd party SSL provider (e.g. Thawte, Verisign, GoDaddy, Digicert to name just a few). This process cannot really be covered here, as it is different for every SSL certificate provider. When the certificate request has been processed and validated by your SSL provider, they should provide you with a .cer or .crt certificate file which can be imported and enabled on your Exchange server. If the provider also supplies an intermediate CA certificate, install it in the server's Intermediate Certification Authorities store, otherwise clients will not be able to build the chain and will report the certificate as untrusted.

Copy the .cer or .crt file issued by your SSL provider to a location on the Exchange server. The private key for the request was generated on the server where you ran New-ExchangeCertificate, so the issued certificate must be imported on that same server. In this example we have copied the .cer file to the root of the C:\ drive on the Exchange server, where NEW_CERT is the name of the file.

Import-ExchangeCertificate -Path c:\NEW_CERT.cer

Once the new certificate is imported, it needs to be enabled for specific Exchange services such as IIS, POP, IMAP and SMTP. To do this you will need the thumbprint of the new certificate, which you can get by issuing the following command again:

Get-ExchangeCertificate | FL

Once you have the thumbprint you can type in the following command to enable the certificate, where YOUR_THUMBPRINT is the thumbprint of your new certificate:

Enable-ExchangeCertificate -thumbprint YOUR_THUMBPRINT -services IIS,SMTP,POP,IMAP

Note that the above command enables this certificate for IIS, SMTP, POP and IMAP. You can enable the certificate for specific services only, e.g. just IIS, and you should not enable it for POP or IMAP if those services are not in use. When you include SMTP, Exchange asks whether to overwrite the existing default SMTP certificate; answer yes if the new certificate is meant to replace the old one for TLS on SMTP as well.

You can verify that the new certificate is installed OK by connecting to the FQDN of your Exchange server in your preferred browser and viewing the properties of the certificate presented; the thumbprint and expiry date should be those of the new certificate, not the old one.

For completeness once you have verified that the new certificate is functioning properly you can remove the old certificate by typing the following command in the Exchange Management Shell, where OLD_THUMBPRINT is the thumbprint of the old obsolete SSL certificate which you have now replaced:

Remove-ExchangeCertificate -thumbprint OLD_THUMBPRINT
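The whole renewal as one script, added here as an example rather than taken from the original post: it finds the expiring certificate, generates the request, imports and enables the issued certificate, then checks from the client side that port 443 is really serving the new certificate before the old one is removed. The host names, organisation, file paths and the 30-day threshold are assumptions; substitute your own, and run it in the Exchange Management Shell on the Client Access server. The parts that need the CA's response are marked.

```powershell
# Added example, not code from the original post. Assumed names:
# mail.example.com (public), autodiscover.example.com, exch01.example.local,
# exch01 (NetBIOS), C:\certs for the request and issued files.
$fqdn    = "mail.example.com"
$certDir = "C:\certs"

# 1. Which certificate is the event about? Show the ones expiring within 30
#    days and remember the one currently bound to IIS (that is the one the
#    new certificate will replace).
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
$old = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" }

# 2. Generate the CSR. The subject cn is the public name; every other name
#    clients use goes in -DomainName so it lands in the subjectAltName.
#    The key stays non-exportable unless it must be copied to another CAS.
New-ExchangeCertificate -GenerateRequest -Path "$certDir\request.csr" -KeySize 2048 `
    -SubjectName "c=GB, o=Example Ltd, cn=$fqdn" `
    -DomainName $fqdn, "autodiscover.example.com", "exch01.example.local", "exch01" `
    -PrivateKeyExportable $false

# --- submit request.csr to the CA, save the issued file as issued.cer, ---
# --- and install any intermediate certificate the CA supplies          ---

# 3. Import on the same server that generated the request, and keep the
#    returned object so the thumbprint never has to be retyped.
$new = Import-ExchangeCertificate -Path "$certDir\issued.cer"

# 4. Enable only the services in use (Exchange prompts before replacing the
#    default SMTP certificate).
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS,SMTP

# 5. Client-side check: open a TLS connection to 443 and compare what is
#    served with what was just enabled. AuthenticateAsClient also validates
#    the chain, so a missing intermediate surfaces here as an error.
function Get-ServedThumbprint([string]$hostName, [int]$port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($hostName, $port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($hostName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Close()
    $tcp.Close()
    return $served.Thumbprint
}

$served = Get-ServedThumbprint $fqdn
if ($served -ne $new.Thumbprint) {
    throw "Port 443 is serving $served, not $($new.Thumbprint). Do not remove the old certificate yet."
}

# 6. Only now retire the certificate that IIS was using before.
foreach ($c in $old) {
    if ($c.Thumbprint -ne $new.Thumbprint) {
        Remove-ExchangeCertificate -Thumbprint $c.Thumbprint -Confirm:$false
    }
}
```

The check in step 5 is deliberately done over the network rather than by reading the store again: Get-ExchangeCertificate tells you what Exchange thinks is enabled, while the TLS handshake tells you what clients actually receive, and the old certificate is only removed once both agree.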