Limiting the OWA Address Book scope

Setting the msExchQueryBaseDN attribute on a user object to the DN of an OU (or another object) in Active Directory limits the scope of that user's OWA address book to the contents of that DN. This is useful for organizations that have multiple Exchange address books, or that want to restrict which users can be seen in those address books. I found that OWA does not necessarily display all of your Exchange address books in order, so the default address book your users are given may not be the one you intend. As stated above, you can point the attribute at an OU to limit scope, or set it to the DN of the specific address book you want your users to see.

The DN of a specific address book would look something like this:
CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=My Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com


Unfortunately Microsoft didn't give you an easy way to set this value globally, so you have to touch each mail-enabled user in AD. We have a maintenance script that runs daily to set this value (among other things that can't be set globally). Here is a sample of the PowerShell code, just basic LDAP. This searches all of AD, but you could narrow the "SearchRoot" value if you only wanted to search a subset of AD. The address list DN is kept in a variable so it is only written once.

# Distinguished name of the address list every user should be scoped to
$gal = "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=My Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com"

# Logging helper used by the maintenance script; replace with your own logger
function debug([string]$message) { Write-Host $message }

$dsearcher = New-Object System.DirectoryServices.DirectorySearcher
$dsearcher.SearchRoot = "LDAP://somedomaincontroller.mydomain.com/DC=mydomain,DC=com"
$dsearcher.SearchScope = "Subtree"
# Enable paging; without it the server returns at most 1000 results and the rest are silently skipped
$dsearcher.PageSize = 1000
# Mail-enabled users whose msExchQueryBaseDN is not already set to the address list
$dsearcher.Filter = "(&(objectCategory=User)(MailNickname=*)(HomeMDB=*)(!(msExchQueryBaseDN=$gal)))"
[void]$dsearcher.PropertiesToLoad.Add("Name")
[void]$dsearcher.PropertiesToLoad.Add("SamAccountName")
[void]$dsearcher.PropertiesToLoad.Add("msExchQueryBaseDN")
$users = $dsearcher.FindAll()

# Loop through each user and set the msExchQueryBaseDN attribute
foreach ($user in $users){
    $dname = $user.Properties.Item("Name")
    $uname = $user.Properties.Item("SamAccountName")
    debug "Setting msExchQueryBaseDN for $dname - $uname"
    $dentry = $user.GetDirectoryEntry()
    $dentry.PSBase.InvokeSet("msExchQueryBaseDN", $gal)
    $dentry.PSBase.CommitChanges()
    # Re-read the object from the directory and verify the write took effect
    $dentry.PSBase.RefreshCache()
    if ($dentry.PSBase.Properties["msExchQueryBaseDN"].Value -ne $gal){
        debug "Set msExchQueryBaseDN for $dname - $uname failed!"
    }
    else{
        debug "msExchQueryBaseDN for $dname - $uname is now set to $gal"
    }
}
# Release the LDAP connection held by the result set
$users.Dispose()
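As an added example (not code from the original post), here is a read-only audit that reports the current msExchQueryBaseDN of every mail-enabled user under a given search root, so you can confirm what the maintenance script has done, or scope the check to a single OU as suggested above, without writing anything to AD. The server name, domain and address list DN are placeholders, and the function names Escape-LdapFilterValue and Get-QueryBaseDnReport are chosen here. The escaping helper matters when the DN you compare against contains characters that are special in an LDAP filter; the DN shown on this page has none, but an OU or CN with parentheses in its name would otherwise break the filter.

```powershell
# Added example, not part of the original post. Read-only audit of msExchQueryBaseDN
# for mail-enabled users. Server name, domain and address list DN are placeholders.

function Escape-LdapFilterValue([string]$Value) {
    # RFC 4515: a value embedded in a search filter must escape \ * ( ) and NUL.
    # Backslash is replaced first so the escapes added afterwards are not re-escaped.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Get-QueryBaseDnReport {
    param(
        # Point this at an OU (for example .../OU=Sales,DC=mydomain,DC=com) to audit only part of AD
        [string]$SearchRoot = "LDAP://somedomaincontroller.mydomain.com/DC=mydomain,DC=com",
        # The DN every user is expected to carry
        [string]$ExpectedDn,
        # Return only users whose value differs from, or lacks, $ExpectedDn
        [switch]$OnlyMismatched
    )
    $filter = "(objectCategory=User)(mailNickname=*)(homeMDB=*)"
    if ($OnlyMismatched) {
        $filter += "(!(msExchQueryBaseDN=" + (Escape-LdapFilterValue $ExpectedDn) + "))"
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher.SearchScope = "Subtree"
    $searcher.PageSize = 1000          # enable paging; otherwise results stop at 1000
    $searcher.Filter = "(&$filter)"
    foreach ($p in "sAMAccountName", "msExchQueryBaseDN") { [void]$searcher.PropertiesToLoad.Add($p) }

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Property lookup is case-insensitive; an unset attribute yields an empty collection
            $values = $r.Properties["msExchQueryBaseDN"]
            $current = if ($values.Count -gt 0) { [string]$values[0] } else { "<not set>" }
            New-Object PSObject -Property @{
                SamAccountName = [string]$r.Properties["sAMAccountName"][0]
                QueryBaseDN    = $current
                Compliant      = ($current -eq $ExpectedDn)
            }
        }
    }
    finally {
        $results.Dispose()            # the result collection holds an LDAP connection
    }
}

# Usage: summarise which address list DNs users currently have, then list the ones still to fix
$gal = "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=My Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com"
Get-QueryBaseDnReport -ExpectedDn $gal | Group-Object QueryBaseDN | Select-Object Count, Name
Get-QueryBaseDnReport -ExpectedDn $gal -OnlyMismatched | Format-Table SamAccountName, QueryBaseDN
```

Running the first line before and after the maintenance script gives a quick before/after count per DN; the second line is the list the daily script will pick up on its next run. Because DN comparison in the filter is exact, a value that differs only by stray spaces after the commas shows up as a mismatch, which is usually what you want to catch.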
