How to prepare your organization for Exchange 2007 Address List Segregation or revert from Address List Segregation back to Exchange

Before you can start to follow the Exchange 2007 Address List Segregation white paper (https://technet.microsoft.com/en-us/exchange/bb936719.aspx) or revert from Address List Segregation you must prepare your organization. Here is a short checklist of things that need to be looked at before you start:

1. Have you followed any other KB articles or white papers to set up self-hosting?

If the answer is yes, you will need to undo everything you did so that your Exchange organization is back in a normal state. If you skip this and try to follow the Exchange 2007 Address List Segregation white paper anyway, you will get mixed results, and that will most likely end in a support call.

2. Have you changed any of the default permissions on the address list or global address lists?

If the answer is yes, you will also need to revert these to the installation defaults; there is no way around it.

The way to do this is with a tool called DSACLS. Dsacls.exe can be used to manage access control lists (ACLs) for directory services in Microsoft Windows Server 2003 and Microsoft Windows 2000 Server.

Dsacls.exe is included with the Windows Support Tools. To install the Support Tools, run Setup.exe from the Support\Tools folder on the Windows Server 2003 or Windows 2000 Server CD-ROM.

Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services.

WARNING: Changing the permissions from the default installed settings can cause your Exchange organization to become unusable.

If you have broken permissions or have added a Deny and you can no longer see an object, you will need to grant your admin account rights using DSACLS.

Example: DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com" /N /G domain\administrator:RP

By using the /N switch you are replacing the current access on the object instead of editing it.
By using the /G switch you are granting specified group (or user) specified permissions.

From here you will be able to view this object in ADSIEdit with your administrator account. This will allow you to re-enable inheritance and/or add any other groups. It is recommended that you run the following to replace all of the permissions from the schema, setting the object back to the default settings:

DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com" /S /N

This will need to be done for the following containers in order to reset the permissions:

  • CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com
  • CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com
  • CN=All Global Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com
  • CN=Offline Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com

You might additionally need to reset the permissions for these containers as well:

  • CN=Addressing,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com
  • CN=Address-Templates,CN=Addressing,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com
  • CN=Address-Types,CN=Addressing,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com
  • CN=Display-Templates,CN=Addressing,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com
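The reset steps above, scripted as one pass, are shown here as an added example (not part of the original post). It backs up the current ACL of every container with plain dsacls (no switches prints the ACL) before running the /S /N reset from the post over the four required containers. Assumptions: the Windows Support Tools are installed so dsacls.exe is on the PATH, "First Organization" stands in for your Exchange organization name (CN=Organization in the post), the domain DN is read from RootDSE, and C:\ACLBackup is just a chosen backup folder.

```powershell
# Added example, not code from the original post.
# Reset the Exchange address list containers to their schema-default ACLs with dsacls.exe,
# saving the current ACLs first so a mistake can be compared against the backup.

$orgName   = "First Organization"   # ASSUMPTION: replace with your Exchange organization name
$domainDN  = ([ADSI]"LDAP://RootDSE").defaultNamingContext   # e.g. DC=company,DC=com
$exchange  = "CN=$orgName,CN=Microsoft Exchange,CN=Services,CN=Configuration,$domainDN"
$alc       = "CN=Address Lists Container,$exchange"

# The four containers the post says must be reset.
$required = @(
    $alc,
    "CN=All Address Lists,$alc",
    "CN=All Global Address Lists,$alc",
    "CN=Offline Address Lists,$alc"
)
# The Addressing containers, which only need a reset if their permissions were changed too.
$optional = @(
    "CN=Addressing,$exchange",
    "CN=Address-Templates,CN=Addressing,$exchange",
    "CN=Address-Types,CN=Addressing,$exchange",
    "CN=Display-Templates,CN=Addressing,$exchange"
)

# 1. Back up the current ACL of every container. dsacls with only a DN displays the ACL.
$backupDir = "C:\ACLBackup"   # ASSUMPTION: any writable folder will do
if (-not (Test-Path $backupDir)) { New-Item -ItemType Directory -Path $backupDir | Out-Null }
$i = 0
foreach ($dn in ($required + $optional)) {
    $i++
    $file = Join-Path $backupDir ("container$i.txt")
    dsacls $dn | Out-File $file
    Write-Host "Saved current ACL of $dn to $file"
}

# 2. Reset the required containers. /S restores the schema default ACL and /N replaces the
#    existing ACL instead of merging with it (the exact switches used in the post).
foreach ($dn in $required) {
    Write-Host "Resetting $dn"
    dsacls $dn /S /N
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls returned $LASTEXITCODE for $dn" }
}

# 3. Only if you also changed the Addressing containers, run the same reset over $optional:
#    foreach ($dn in $optional) { dsacls $dn /S /N }
```

Run it from an account that can already see the containers; if a Deny has hidden one of them, grant yourself access first with the /N /G command from the post and then run the reset. Keep the backup files until the permissions listed below have been confirmed.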

Once you have reset these containers, all objects should have the following permissions:

CN=Address Lists Container and CN=Offline Address Lists Container
Authenticated Users: Special Permissions: List Contents

CN=Default Global Address List Permissions
Authenticated Users: Read and Open Address List

All Global Address List permissions should be as follows:

Authenticated Users Allow ACEs - "Read", "Open Address List", "List Contents"
Exchange Servers Allow ACEs - "Read", "Open Address List"
SYSTEM Allow ACEs - "Read", "Write", "Create All Child Objects", "Delete All Child Objects", "Open Address List"

If you are using Exchange 2007 you can use the Exchange 2007 Scripting Console.

1. First you need to set the container by typing the following: $container = "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com"

2. You need to add the access rights for the Authenticated Users by running the following command: Add-ADPermission $container -User "Authenticated Users" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book

Once you run this command you will see the following output:

Identity              User                         Deny   Rights
\Default Global A...  Domain\Authenticated Users   False  Open-Address-Book
\Default Global A...  Domain\Authenticated Users   False  ReadProperty
\Default Global A...  Domain\Authenticated Users   False  ListObject, GenericExecute
\Default Global A...  Domain\Authenticated Users   False  ListChildren
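The two-step Add-ADPermission procedure above, with a check before and after, is shown here as an added example (not code from the original post). It lists what Authenticated Users currently hold on the Default Global Address List so that any leftover Deny ACE is visible, runs the grant from step 2, and then verifies that Open-Address-Book is present and no Deny remains. Assumptions: it runs in the Exchange 2007 management shell, "First Organization" stands in for your organization name, and the domain DN is read from RootDSE.

```powershell
# Added example, not code from the original post.
# Restore and verify the default Authenticated Users permissions on the Default Global Address List.

$orgName   = "First Organization"   # ASSUMPTION: replace with your Exchange organization name
$domainDN  = ([ADSI]"LDAP://RootDSE").defaultNamingContext   # e.g. DC=company,DC=com
$container = "CN=Default Global Address List,CN=All Global Address Lists," +
             "CN=Address Lists Container,CN=$orgName,CN=Microsoft Exchange," +
             "CN=Services,CN=Configuration,$domainDN"

# Before: show the existing ACEs for Authenticated Users. A Deny here explains why users
# cannot see the GAL even after an Allow is added.
Write-Host "Current ACEs for Authenticated Users on the Default GAL:"
Get-ADPermission -Identity $container -User "Authenticated Users" |
    Format-Table User, Deny, AccessRights, ExtendedRights -AutoSize

# Step 2 from the post: GenericRead + ListChildren plus the Open-Address-Book extended right.
Add-ADPermission -Identity $container -User "Authenticated Users" `
    -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book

# After: verify the result instead of trusting the table output by eye.
$aces   = Get-ADPermission -Identity $container -User "Authenticated Users"
$denies = $aces | Where-Object { $_.Deny }
$open   = $aces | Where-Object { (-not $_.Deny) -and ("$($_.ExtendedRights)" -match "Open-Address-Book") }

if ($denies) {
    Write-Warning "Deny ACEs still exist for Authenticated Users; remove them with Remove-ADPermission before segregating."
}
if (-not $open) {
    Write-Warning "Open-Address-Book was not granted; check that the container DN is correct."
} else {
    Write-Host "Default GAL permissions for Authenticated Users restored."
}
```

The ExtendedRights value is converted to a string before matching so the check does not depend on the exact object type the shell returns; the Deny check is what the bare table output does not call attention to.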

Once this has been done you should be ready to follow the white paper and begin segregating your company.

Dave