Michael Bell's latest article in the Learning Exchange Server 2000 in 15 Minutes a Week series takes a look at viewing address lists created in Exchange 2000 and how to restrict address list views so that only specific users are able to access them.
by Michael Bell
Alright, now that the summer is over, I guess that it is time to get back to work and start writing articles again on a somewhat regular basis. The topic for this particular article is going to be address list views and is in part inspired by a question posted by one of our newsgroup readers. The reader was looking for a way to create a new address list but set it up so that only specific users would be able to access it. Well, that is exactly what we are going to do here today, so let's go ahead and jump right into it!
Our first screen shot is taken from within Outlook, showing the different address lists that are configured and accessible by our clients. What I am going to do is a two-step process. First, I will go ahead and create a new address list and show how that is done. We will then verify that the address list is visible and accessible to the Outlook users by logging in and trying to access some information from within the address list. Then, I will go ahead and hide that address list from view so that only specific users with the appropriate permissions will have the ability to connect to or even see the particular address list in question. Sound fun? Well let's give it a whirl then!
The first thing I want to point out is the default address lists that are visible from within Outlook 2000. As you can see from Figure 1, there is nothing out of the ordinary here, although I do already have one custom address list that I created called Demo (OK, so there is one thing out of the ordinary!)
Now the first thing that I do is go to the machine that is running the ESM, open up Recipients and select All Address Lists. This should display the different address lists that have been created or are created by default upon installation of Exchange 2000. You can see the list in Figure 2.
The next thing I need to do is create a new address list. For the sake of this example I am going to call it Confidential. That tells us that I might not want everyone to see this list, and it will therefore make more sense later on when I actually decide to hide it. I will right-click on All Address Lists, select New, then Address List, and create an address list called Confidential. Figure 3 shows how I went about creating the new address list.
And Figure 4 shows the final step.
Voila! One address list in less than the time that you can get to the post office to buy some three cent stamps!! I would like to point out, however, that at this point I have not actually configured the membership of this address list, so that is the next step.
This is a case where address lists in Exchange 2000 have a definite leg up on their predecessor. Because Exchange 2000 Address lists are nothing more than LDAP Filters, the membership is built dynamically when you create the address list. As I suggested earlier, we haven't really completed this address list yet, so let's go ahead and do that. The next step is to define the LDAP Filter that sets the membership for this Confidential Address list.
The first thing to do in creating an LDAP Filter is to open up the Properties of the newly created Confidential Address List, as seen in Figure 5.
As you can see from looking at this page, I have no LDAP Filter defined, so this Address list really wouldn't do anything for me at this point. I actually have to define who or what I am looking for along with any other criteria that I would like to specify. That is one nice thing about LDAP. It is extremely customizable so that you can create Address lists that will show just about any view of your Exchange organization that you could desire!
Next, we need to actually define the Filter, so we click on Modify. We will be greeted with the screen that you see in Figure 6.
There are literally thousands of different search criteria that we could specify for our users, but for this example we are going to create a custom search. In order to do that, select the Advanced Tab, and you should see something similar to Figure 7.
In this case, I have already filled in the properties that I want to use for my Address list. I only want the address list to display users who have their City attribute set to Tampa. If you want to see what the actual LDAP Filter looks like, take a look at Figure 8.
Probably not something that you want to be writing from scratch every day, but keep in mind that with Exchange 2000, you do have the ability to actually write your own LDAP Filters should you need to do so. In my case I always try to keep things simple, so I was able to meet my needs by simply using the Advanced Features capability. Now if you look at the bottom right hand side of the graphic from Figure 8, you will notice a Preview button. By clicking on that I will request that Exchange actually run the Filter against all the objects in my Exchange Organization, and return only objects that meet the specified criteria. Again, if you refer back to the Filter in Figure 8, you will notice that among other things, I am only looking for user objects. So I should only see user objects returned in my Address List; Figure 9 verifies this for me.
Now the last thing to verify is that the clients can see our address list as well. What I need to do is log on to Outlook and select the Address book icon. If I have done everything correctly, when I drop down the Address lists, I should see a Confidential Address List, and there should be two members listed. Take a look at Figure 10. Let's see how I did...
Looks like we have a winner here. The Address list is accessible from the Outlook client and only the two specified users are showing up. Now keep in mind that the contents of the address book can easily change. All I would have to do is go into the properties of one of my user objects and change their City attribute to Tampa. Once I did that and the RUS (Recipient Update Service) had run again, I should see the updated contents in my address book. Keep in mind that this process could take a few minutes, depending on the design of your Exchange 2000 organization and your underlying network.
Also, don't forget that the filter only looks for particular types of objects; in this case, user objects. So if I were to update the City attribute of a Contact in my Exchange 2000 organization, they still wouldn't show up in the Address list.
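The membership behaviour described above, as an added example that is not part of the original article: a small Python evaluator for a subset of LDAP filter syntax, run over a constructed directory. The filter string is an assumed, simplified stand-in for the one in Figure 8 (Active Directory stores the City field in the `l` attribute), and every entry name is made up.

```python
# Added example: evaluator for a subset of LDAP search filters:
# AND (&), OR (|), NOT (!), equality (attr=value), presence (attr=*).

def parse(f, i=0):
    """Parse the component starting at f[i] == '('; return (node, next index)."""
    if f[i] != "(":
        raise ValueError("filter component must start with '('")
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1          # skip the closing ')'
    end = f.index(")", i)
    attr, _, value = f[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: attribute -> values)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if node[2] == "*":                    # presence test
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)

def address_list(filter_text, directory):
    """Return the sorted cn of every entry the filter selects."""
    tree, _ = parse(filter_text)
    return sorted(e["cn"][0] for e in directory if matches(tree, e))

# Assumed, simplified filter (not the one from Figure 8): mail-enabled users in Tampa.
CONFIDENTIAL = "(&(mailNickname=*)(objectCategory=person)(objectClass=user)(l=Tampa))"

def entry(cn, cls, city, nick=None):
    """Build one constructed directory entry (all names are made up)."""
    e = {"cn": [cn], "objectcategory": ["person"],
         "objectclass": ["top", "person", cls], "l": [city]}
    if nick:
        e["mailnickname"] = [nick]
    return e

DIRECTORY = [entry("Tampa User One", "user", "Tampa", "tuser1"),
             entry("Tampa User Two", "user", "Tampa", "tuser2"),
             entry("Boston User", "user", "Boston", "buser"),
             entry("Tampa Contact", "contact", "Tampa", "tcontact")]
```

Because membership is recomputed from attributes, anyone who can edit a user's City value can change who appears in the list, while the contact stays out regardless of its City.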
Now that we have that out of the way, let's take a look at setting up Address lists that are restricted to only certain users and groups. This is nice especially if you are hosting multiple organizations on a single Exchange Server and you want to preserve the privacy of each company. Keep in mind that there could be many other reasons for doing this as well. I just wanted to give out one example scenario, but you can substitute your own as we go. The first thing that I am going to point out is that I am certain that there are other ways to accomplish our goal other than what I am about to show you. That is fine. I am simply showing you the way that I do it.
We could accomplish our goal by simply denying the Open Address List permission. But there is a problem with that. The problem is that although the users can't view the contents of the Address List, they can still view the Address List itself. I want to hide the entire thing so that they won't see the Address list or the contents.
So back to ESM we go. What we are going to do is create an empty Address List that acts as a container for the address lists that we would like to hide. We will then remove or deny the list contents permission to specific groups or users in order to determine who will or will not be able to see a particular address list.
Now in our case, you will have to think back quite a while ago to an article I wrote where I talked about granting different administrative groups rights throughout your Exchange Organization. If you will remember, we had both a BostonEXAdmin group and a TampaEXAdmin group. Using these two groups, I am going to allow the members of the TampaEXAdmin group the ability to access the address book while denying the BostonEXAdmin group from even being able to see the Confidential Address Book.
What I have done is gone into the ESM and created a blank Address List called HiddenContainer, as you can see in Figure 11.
Now, what I need to do next is to drag the Confidential Address List so that it becomes a child object of the HiddenContainer Address List, as we see in Figure 12.
Now I go into the properties of the HiddenContainer Address List, and I am going to specifically deny the BostonEXAdmins group the List Content Permission!
Now that I have accomplished that, the last step is to actually log on as different users from the different groups to verify that I have accomplished my goal of restricting access to the contents of a specific Address List. I first log on as a user from the TampaEXAdmins Group, and when I open up Outlook and select to see the available address lists, this is what I see:
Now, I log on as a member of the BostonEXAdmins group, and you should notice the difference in their view:
As you can see, they can see the actual HiddenContainer Address List but not the Confidential Address List that it contains. And as they don't have list contents permission, they can't see the membership of the Confidential Address list either.
Hopefully this helps to clarify the question of how to hide an Address List from your users.
I hope that you have found this information useful. I also want to apologize for my long delay in getting out a new article. I would love to say that I am going to get back to writing an article every other week, but I don't want to commit to anything just yet. But be on the lookout for another Exchange 2000 article in the not too distant future!!
Thanks for your support, and until next time, cya!