How to break the OAB download process for certain users

I got a weird request today and I thought it would make an interesting post. In some organizations you might have a group of users who, for security reasons, should not be able to download the OAB. There are a few ways to do this, and if not done correctly they can break the OAB for everybody.

  1. The first method is to create a separate address list with a filter and a new OAB, then change attributes to point the users at the new OAB. This is pretty involved, and I really don't fancy people playing with permissions, as that leads to bigger problems.
  2. Move all of the users to a new mailbox store and remove the OAB associated with that mailbox store. This does not require changing permissions, which is good because check names won't be broken for new profile creates, etc. This removes the EntryID that is populated in the MAPI property tag PR_ADDRBOOK_FOR_LOCAL_SITE_ENTRYID. Now when the Outlook client logs in it is given an EntryID that does not correspond to an existing root OAB folder, and the client fails the download with the error shown below.
  3. You can populate the msExchUseOAB attribute on the Active Directory user object with the DN of an address list that does not exist. This has the same effect as method 2.

12:45:53 Synchronizing Mailbox <dgoldman>
12:45:53 Done
12:45:54 Microsoft Exchange offline address book
12:45:54 0x8004010f
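Before applying method 2 or 3, it is worth confirming which accounts are actually affected. The script below is an added example, not code from the original post: it reports where each user's OAB assignment comes from (the msExchUseOAB override on the user, or the mailbox store in homeMDB) and whether that DN still resolves. It assumes the ActiveDirectory PowerShell module, read access to the domain and configuration partitions, and a placeholder search base that you adjust.

```powershell
# Added example (not from the original post): report each user's effective
# OAB source so you can verify who will, and will not, be able to download it.
# Assumes the ActiveDirectory module and read access to user and store objects.
Import-Module ActiveDirectory

function Get-OabAssignmentReport {
    param([string]$SearchBase)

    # Only mailbox-enabled users (homeMDB set) have an OAB to download.
    $users = Get-ADUser -Filter 'homeMDB -like "*"' -SearchBase $SearchBase `
                        -Properties msExchUseOAB, homeMDB

    foreach ($u in $users) {
        if ($u.msExchUseOAB) {
            # Method 3: a per-user DN overrides the store's OAB. If that DN does
            # not resolve, the client gets an EntryID with no matching OAB folder.
            $source = 'user attribute'
            $oabDn  = $u.msExchUseOAB
        } else {
            # Otherwise the OAB comes from the mailbox store the user lives in;
            # method 2 leaves this value empty on the store object.
            $source = 'mailbox store'
            $store  = Get-ADObject -Identity $u.homeMDB -Properties msExchUseOAB
            $oabDn  = $store.msExchUseOAB
        }

        # A DN that points at nothing (or no DN at all) means the download fails.
        $resolves = $false
        if ($oabDn) {
            $resolves = [bool](Get-ADObject -Identity $oabDn -ErrorAction SilentlyContinue)
        }
        $download = if ($resolves) { 'expected to work' } else { 'expected to fail (0x8004010f)' }

        [pscustomobject]@{
            User     = $u.SamAccountName
            Source   = $source
            OabDn    = $oabDn
            Download = $download
        }
    }
}

# Placeholder search base; point it at the OU holding the users in question.
Get-OabAssignmentReport -SearchBase 'OU=Users,DC=example,DC=com' |
    Format-Table User, Source, Download, OabDn -AutoSize
```

Run it once before and once after the change so you can see that only the intended group moved to the "expected to fail" state.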

Dave