Isolating the GAL in Multi-Tenant Exchange Environments
In Exchange environments where the server manages multiple independent companies (multi-tenant configuration) or different divisions of a large organization, it may be necessary to restrict access to the shared GAL (Global Address List). This list includes all email addresses within the domain, and its visibility could compromise privacy between different tenants.
The following procedure allows you to disable the visibility of the default GAL for all users, while still allowing them to access their own address books.
Procedure to Disable the GAL
Prerequisites
You must log into the Exchange 2010 server with an account that has Domain Administrator privileges.
Modifying GAL Permissions via ADSI Edit
- Launch the adsiedit.msc tool.
- Connect using “Configuration” as the connection point.
- Navigate to the following LDAP path:
CN=All Global Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=acs-hosting,DC=local - Right-click on All Global Address Lists and select Properties.
- Go to the Security tab and remove or disable the read permissions for the Everyone or Authenticated Users group.
Warning
Disabling GAL access is a global setting: no users will be able to view it. Make sure alternative address books are configured for each group or company so users can still access relevant contacts.
Reference Screenshots
Below are some screenshots illustrating the steps described:
