Introduction

The artcile discusses about cross site framing or clickjacking for your Outlook Web Access webpage and how to prevent it. It is possible to embed the Outlook Web Access application pages into another application that does not belong to the same domain by inserting the application URL to an HTML iFrame tag. This may indicate that the application is vulnerable to cross-site framing or UI attacks.

Issue

When you use the following HTML code you will be able to embed the OWA webpage abc.com into another webpage as show below.

<html>

<head><b>This is test Page</b>></br></head>

<body>

</br>

<iframe src=”https://abc.com/” width=”800″ height=”600″></iframe>

</body>

</html>

Resolution

To prevent cross site framing of your OWA URL that is hosted on your CAS Server, you can implement some settings on the IIS Component. Below are the steps.

Open your CAS server IIS Manager.

1. On the IIS Manager browse to Sites > Default Web Site> HTTP Response Headers.

2. Click on Add

4, On the Name field type X-Frame-Options , and on Value type SAMEORIGIN.

5. Below HTTP Response Header will be created.

6. You need to create such entries for each website in IIS Manager to prevent ClickJacking.

7. Restart IIS for the changes to take effect.

Testing on Solution Implementation

Open the website using the above HTML code should give the following result.

Conclusion

The above steps and settings will ensure that when your Outlook Web Access webpage is opened from an iframe it will prevent UI redressing attacks. Below link contains more information on Clickjackinghttp://en.wikipedia.org/wiki/Clickjacking

http://msexchangeguru.com/2012/08/09/e2013-mailflow/

Deployment Considerations for Windows To Go

From the start, Windows To Go was designed to minimize differences between the user experience of working on Windows 8 from a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs. The following sections discuss the boot experience, deployment methods, and tools that you can use with Windows To Go.

• Initial Boot Experiences
  
  
• Image deployment and drive provisioning considerations
  
  
• Application installation and domain join
  
  
• Management of Windows To Go using Group Policy
  
  
• Supporting booting from USB
  
  
• Roaming between different firmware types
  
  
• Configuring Windows To Go Startup Options
  
  
• Changing firmware settings
  
  

Initial Boot Experiences

---

The following diagrams illustrate the two different methods you could use to provide Windows To Go drives to your users. The experiences differ depending on whether the user will be booting the device initially on-premises or off-premises:

When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources. When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either Direct Access or a virtual private network connection can be configured. It is not necessary to configure the workspace for offline domain join. Direct Access can make connecting to organizational resources easier, but is not required.

When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee’s home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized.

Tip
Applying BitLocker Drive Encryption to the drives before provisioning is a much faster process than encrypting the drives after data has already been stored on them due to a new feature called used-disk space only encryption. For more information, see What’s New in BitLocker.

DirectAccess can be used to ensure that the user can login with their domain credentials without needing a local account. For instructions on setting up a Direct Access solution, for a small pilot deployment see Deploy a Single Remote Access Server using the Getting Started Wizard for a larger scale deployment, see Deploy Remote Access in an Enterprise. If you do not want to use Direct Access as an alternative users could log on using a local user account on the Windows To Go workspace and then use a virtual private network for remote access to your organizational network.

Image deployment and drive provisioning considerations

---

The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. A user must have local administrator access and access to a Windows 8 Enterprise image to create a Windows To Go workspace or you must be using System Center Configuration Manager 2012 Service Pack 1 to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 8 Enterprise image (WIM) and turns it into a Windows To Go drive.

The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device has not been booted. Once the Windows To Go drive is initialized, it should not be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives.

Tip

When you create your Windows To Go image use sysprep /generalize, just as you do when deploying Windows 8 to a standard PC. In fact, if appropriate, use the same image for both deployments. Windows 8 includes most of the drivers that you will need to support a wide variety of host computers. However, you will occasionally need to download drivers from Windows Update to take advantage of the full functionality of a device. If you are using Windows To Go on a set of known host computers, you can add any additional drivers to the image used on Windows To Go to make Windows To Go drives more quickly usable by your employees. Especially ensure that network drivers are available so that the user can connect to Windows Update to get additional drivers if necessary.

Application installation and domain join

---

Unless you are using a customized Windows 8 image that includes unattended installation settings, the initial Windows To Go workspace will not be domain joined and will not contain applications. This is exactly like a new installation of Windows 8 on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications

Management of Windows To Go using Group Policy

---

In general, management of Windows To Go workspaces is same as that for desktop and laptop computers. There are Windows To Go specific Group Policy settings that should be considered as part of Windows To Go deployment. Windows To Go Group Policy settings are located at \\Computer Configuration\Administrative Templates\Windows Components\Portable Operating System\ in the Local Group Policy Editor. The use of the Store on Windows To Go workspaces is also controlled by Group Policy. This policy setting is located at \\Computer Configuration\Administrative Templates\Windows Components\Store\ in the Local Group Policy Editor. The policy settings have specific implications for Windows To Go that you should be aware of when planning your deployment:

Settings for workspaces

• Allow hibernate (S4) when started from a Windows To Go workspace
  
  This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system, as well as the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs.
  
  

  Important
  For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port.

• Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace
  
  This policy setting specifies whether the PC can use standby sleep states (S1-S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it is shut down. It could be very easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
  
  
• Allow Store to install apps on Windows To Go workspaces
  
  This policy setting allows or denies access to the Store application from the Windows To Go workspace. If you enable this setting, access to the Store application is allowed on the Windows To Go workspace. You should only enable this policy setting when the Windows To Go workspace will only be used with a single PC. When roaming Windows To Go devices to multiple PCs, installing applications from the Store is not a supported scenario. However, IT Pro side-loaded Windows Runtime-based line of business (LOB) apps can run in Windows To Go workspaces even when roamed between multiple PCs. If you disable or do not configure this policy setting, access to the Store application is denied on the Windows To Go workspace.
  
  

Settings for host PCs

1. Windows To Go Default Startup Options
   
   This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users will not be able to make changes using the Windows To Go Startup Options settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the Windows To Go Startup Options settings dialog.
   
   

   Important
   Enabling this policy setting will cause PCs running Windows 8 to attempt to boot from any USB device that is inserted into the PC before it is started.

Supporting booting from USB

---

The biggest hurdle for a user wanting to use Windows To Go is configuring their computer to boot from USB. This is traditionally done by entering the firmware and configuring the appropriate boot order options. To ease the process of making the firmware modifications required for Windows To Go, Windows 8 includes a feature named Windows To Go Startup Options that allows a user to configure their computer to boot from USB from within Windows-without ever entering their firmware, as long as their firmware supports booting from USB.

Note

Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options.

If you are going to be using a Windows 7 computer as a host-PC, see the wiki article Tips for configuring your BIOS settings to work with Windows To Go.

Roaming between different firmware types

---

Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams.

This presented a unique challenge for Windows To Go because the firmware type is not easily determined by end-users-a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware.

To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The /f option is used with the bcdboot /s command to specify the firmware type of the target system partition by appending either UEFI, BIOS or ALL. When creating Windows To Go drives manually you must use the ALL parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command bcdboot C:\windows /s H: /f ALL. The following diagram illustrates the disk layout that results from that command:

This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware.

Configuring Windows To Go Startup Options

---

Windows To Go Startup Options is a setting available on Windows 8 PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options you must have administrative rights on the computer and the Windows To Go Default Startup Options Group Policy setting must not be configured.

To configure Windows To Go Startup Options

---

1. On the Start screen, type, type Windows To Go Startup Options, click Settings and then press Enter.

   

2. Select Yes to enable the startup options.

   Tip
   If your computer is part of a domain, the Group Policy setting can be used to enable the startup options instead of the dialog.

3. Click Save Changes. If the User Account Control dialog box is displayed, confirm that the action it displays is what you want, and then click Yes

Changing firmware settings

---

If you choose to not use the Windows To Go Startup Options or are using a PC running Windows 7 as your host computer you will need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7 you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you do not suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode.

Classifying Junk email for many organizations is a crutial job for Email Managers. There are lot of solutions and products in the market to filter and tag incoming email as Spam before it reaches your Exchange servers. Exchange and Outlook can work together to classify some emails as spam as well. This happens after the filtering has been done by the Internet Antispam servers.

However, this mechanism is not full proof and a lot of genuine emails can be categorized as spam and deposit in your Junk Email folder. For Outlook users this can be really frustrating as the email needing urgent attention can sit in the Junk Email folder unseen for days, resulting in loss of revenue for the organization.

As a result a lot of organization want to disable this feature of Junk Email filtering in Exchange 2010 so that all emails are deposited on the user’s Inbox and let the user decide which they want to categorize as Junk email.

How to check Junk Email filtering in Exchange 2010

Run the command on Exchange Management Shell to determine whether the mailbox has Junk Email filtering enabled.

Get-MailboxJunkEmailConfiguration -identity “Mailbox Alias”

As you can see the Enabled parameter is True. Which means Junk Email Filtering is enabled for the user.

When a Spam Email comes to the mailbox the feature will categorize the email according to the Sender Confidence Level (SCL) score.

The Sender Confidence Level (SCL) score will cause an email to be delivered to the Junk Email folder of a mailbox instead of the Inbox. SCL is scored from 0-9 with 9 being the most likely to be spam. By default the SCLJunkThreshold is set to 4.

There are also a series of SCL thresholds configured on the Content Filter Agent.

With the default settings shown above a spam message that scores an SCL higher than 7 will be rejected by the Transport server. A spam message that scores an SCL higher than 4 but not more than 7 will be sent to the mailbox Junk Email folder.

How to disable Junk Email Filtering for Mailbox

To disable Junk Email for individual Mailbox run the command below.

Set-MailboxJunkEmailConfiguration -Identity “Mailbox Alias” -Enabled $false

To verify you can use the Get-MailboxJunkEmailConfiguration command

Once this is disabled all Junk Categorized emails will be deposited in the user’s Inbox.

UserControls and Block Sender in Outlook Client

After these changes the user will want to block certain emails that come to the Inbox. The user will need to use “Block Sender” option from Outlook Cleint as shown below.

This is a way to let the user control the Junk Emails categorization and not to miss important emails that need urgent attention.

Conclusion

The article details how the administrator can let the user control Junk Email filtering from Outlook client rather than the Excahnge server decides on the Junk email catergorization.More information can be found in the link http://technet.microsoft.com/en-us/library/dd979780.aspx

http://www.msexchange.org/articles_tutorials/exchange-server-2013/compliance-policies-archiving/exchange-2013-data-loss-prevention-part1.html

Indeed, that new feature is reason enough to upgrade, if you haven’t already — and if you did upgrade, be sure to check it out. When you turn on “do not disturb” (which you do in Settings), your phone suppresses most forms of communication — phone calls, text messages, even Facebook and Twitter notifications.

The effect: When enabled, your phone won’t light up or vibrate at all, so you can get through a meeting or go to bed without being disturbed by the outside world. But all of those notifications get captured and appear in the Notification Center when you turn on your phone’s display.

You can configure “Do not disturb” to do its thing on a schedule, or you can simply turn it on and off as needed. You can also specify certain favorite contacts — called VIPs — who can get through to you even if your phone is in “do not disturb” mode. (Email from VIPs also get special treatment thanks to their own inbox.)

All that is great, but there’s a new, related option. When a call comes in, you can choose to answer or ignore it, as usual, or you can immediately reply with a text message. You can also ask your iPhone to remind you about the call later — either at a specific timer, or when you leave your current location (as measured by your phone’s GPS).

Of all the great new features in the recently released iOS 6, my favorite has to be Do Not Disturb. It provides dual functionality. First, it lets you silence – on demand – all calls, alerts, and notifications. Secondly, it lets you establish a time period when you do not want to be disturbed so that you and others (like my wife and goldfish)…well, won’t be disturbed.

A very small number of apps incorporate this feature internally, but now it’s available as part of iOS. Let’s examine how to enable and use the new Do Not Disturb feature in iOS 6 installed on your iPhone, iPad and iPod touch.

First, a caveat for you: The Do Not Disturb feature does not silence an alarm set in Apple’s Clock app! This is actually a desirable feature, but be aware of it.

To enable Do Not Disturb, tap Settings. You will find the new Do Not Disturb control near the top. This is pretty straightforward. When the switch is set to ON, and the device is locked, all sound alerts, vibrations, phone rings, LED alerts, and screen wake with alerts are all disabled. Simply put, your device will do nothing to disturb your peace.

The new Do Not Disturb control is located in Settings.

There are two exceptions. The first, as mentioned before, an alarm set via Apple’s Clock will go off. Also, there are settings that will allow certain incoming calls to ring. I’ll cover this aspect shortly.

Now, let’s look at your other options. Just below the Do Not Disturb control, tap Notifications. This puts you into the Notifications Center. Next, tap on Do Not Disturb to take you to that feature’s settings pane.

The Notifications Panel leads to additional Do Not Disturb settings.

There are three settings you can configure here.

First, tapping on the Scheduled on/off switch will allow you to set a range of time when you do not wish to be disturbed-all calls and alerts are silenced. Incoming calls are sent to voicemail. Notifications will accumulate, without activating the screen, for you to peruse later. In the illustration, you can see that my quiet hours are between 12:30 AM and 6:30 AM.

Next, there is a control called Allow Calls From where you can choose between “Everyone,” “No One,” or “Favorites.” You also have the option of allowing calls only from any of your contacts, or only from members of specific groups configured in your Contacts app.

This means that you can create a special group of contacts for the purpose of allowing their calls through during the Do Not Disturb period. The Favorites listed in the top section refers to the Favorites list of contacts that you configure in the Phone app.

You may be wondering how things differ on the iPad and iPod touch since phone ring issues don’t apply. On these devices the Do Not Disturb controls govern the use of FaceTime as well as all other alerts.

Finally, back in the Do Not Disturb settings, you’ll see a Repeated Calls switch. When this switch is ON, a second call from the same person within three minutes will ring. This accommodates emergency situations where someone is calling you repeatedly until you pick up the call.

I suggest you don’t advertise this to your contacts. There’s always that one goofy uncle who, armed with that knowledge, will surely pester you with calls at all hours. (Heh, heh… I’m the goofy uncle in my family!)

Keep in mind that the ad-hoc Do Not Disturb switch at the top page of Settings is completely independent of the second set of Do Not Control settings. It is NOT a master switch. In other words, the settings for Scheduled, Allow Calls From, and Repeated Calls will prevail, no matter what.

If you see the quarter-moon in the screen’s status bar, Do Not Disturb is enabled.

I almost forgot to tell you that you can quickly view the status of your Do Not Disturb setting. When it’s enabled, an icon depicting a quarter-moon will appear to the left of the current time in the status bar at the top of the screen.

In conclusion, I’m sure you’ll agree with me that Do Not Disturb is an awesome new feature. Be careful, though. All bets are off when you are actively working on your device or its otherwise unlocked while Do Not Disturb is enabled. All alerts will activate until you lock the device. You could use the Ring/Silent switch, but that still lets vibrations through. Setting the device in Airplane Mode doesn’t prevent local app alerts from sounding. And-as if I haven’t stressed this enough-clock alarms will ring when your device is in Do Not Disturb mode and/or Silent mode enabled via the Ring/Silent switch.

In the last 2 parts of the article we discussed how to prepare the 2 organization SinCorp and BinCorp for the GAL segregation in the same Exchange Organization. In this article we will take a look from the Client side how the users will be able to see the changes on the Global Address Book.

In Organization A SinCorp we have the following users and groups

Test User01,Test User 02 and Group SIN

In Organization B BinCorp we have the following users and groups

Test User04,Test User 05 and Group BIN

Before we implemented the changes in the last 2 part of the articles Test User01 and Test User04 from different organizations will view the Outlook Address Book as shown below.

View After Changes in GAL Segregation for SINCORP Users

After the changes have been implemented Test User01 from SinCorp will see the Outlook Address book as below. As you can see only Users and Groups from SinCorp are now visbile.

Outlook Address Book

Below will be the OWA address book view for SinCorp Users

View After Changes in GAL Segregation for BINCORP users

After the changes have been implemented Test User04 from BinCorp will see the Outlook Address book as below. As you can see only Users and Groups from BinCorp are now visbile.

Outlook Address Book

Below will be the OWA address book view for BinCorp Users

Conclusion

As you can see both organizations have been segregated from viewing each others Users and Groups although they are hosted on the same Server. This show how this Address Book Policy feature in Exchange 2010 SP2 is useful to large organizations who may have gone through a merger or aquistions, or to Exchange hosting companies who use the same hardware to service multiple organizations.This feature can be used in multiple scenarios. You can do more read up on more scenarios of this feature and its implementation on Microsoft Website in the link http://technet.microsoft.com/en-us/library/jj657455.aspx

In part 1 of the article we went through the steps of preparing Organization A users in SinCorp for GAL segregation.In part 2 of the article we went through the steps of preparing Organization B users in BinCorp for GAL segregation.

We will use CustomAttribute 2 for BinCorp as BIN. Below are the detailed steps.

1. Creating a Global Address list for BinCorp

You can only use EMS to create GALs. (Tip: Launch EMS using Run as Administrator)

New-GlobalAddresslist “BINCORP” -ConditionalCustomAttribute2 “BIN” -IncludedRecipients “AllRecipients”

Where users with CustomAttribute 2 with value “BIN” will be included in this GAL.

2. Creating an Address list for BinCorp

In EMC go to Organization Configuration > Mailbox > Address Lists

Create new Address List name called BINCORP AL

Choose All Recipient type and Container as Users.

Choose the Custom Attribute 2 as BIN.

Apply the changes immediately and Pres New to create the Address List.

Below shows the Address List that we just created.

3. Creating an Offline Address Book for BinCorp

Use EMS to create the OAB. Dont use the EMC to do this as you wont be able to add the newly created GAL for BINCORP.

New-OfflineAddress Book -Name “BINCORP OAB” -AddressLists “BINCORP”

If you have Public Folders you can click on the option using GUI in the EMC

4. Creating a Room List for BinCorp

New-AddressList -Name BINCORP-Rooms -RecipientFilter {(Alias -ne $null) -and (CustomAttribute2 -eq “BIN”)-and (RecipientDisplayType -eq “ConferenceRoomMailbox”) -or (RecipientDisplayType -eq “SyncedConferenceRoomMailbox”)}

5. Create Address Book Policy for BinCorp

Go to EMC and open Organization Configuration> Mailbox > Address Book Policies

Create a New Address Book Policy and select the Global address list, OAB , Room List and Address Lists created above.

Click New. You should now see the BINCORP ABP created.

Applying Custom Attribute for SinCorp

Now we will assign the Custom Attributes for the Users and Distribution Groups that need to be part of the BINCORP GAL.

We can achieve this in several ways.Directly editing each User and Group’s custom attribute.or using EMS.

Directly editing each User and Group’s custom attribute shown below.

Using EMS you can do it by executing the commands

i. For individual mailbox

Get-mailbox “Test User04″ | Set-mailbox -customattribute2 “BIN”

ii.To apply for all the mailboxes

Get-mailbox | Set-mailbox -customattribute2 “BIN”

iii. To apply for the Users in a Specific Mailbox Database

Get-mailbox -database “Database Name” | Set-mailbox -customattribute2 “BIN”

To Apply for a Distribution group

Get-DistributionGroup “Group BIN” | Set-Distributiongroup -customattribute2 “BIN”

Applying AddressBook Policy for SinCorp

We are now ready to apply the Address Book Policy for a specific users.

Go to EMC – Recipient Configuration – Mailbox – Properties of User Mailbox – Mailbox Settings – Address Book Policy

As shown below.

You can apply the policy to all users in a mailbox database using the EMS command below

Get-mailbox -Database “Database Name” | set-mailbox -addressbookpolicy “BINCORP ABP”

This makes BINCORP ready for our GAL Segregation. In there 2 parts article we have made the 2 organizations SinCorp and BinCorp ready for GAL segregation. In Part 3 of the article we will view the changes to the GAL as a result of the changes.

Exchange 2010 SP2 has a new feature called Global address list (GAL) segmentation (also known as GAL segregation) whereby administrators can segment users into specific groups to provide customized views of their organization’s GAL. In Exchange Server 2007 and earlier, segmenting the GAL was complicated, requiring you to use either a Query Base DN (which acted as a root for directory searches) or access control lists (ACLs) to allow or deny access to each address list.

To accomplish GAL Segregation process, Exchange Server 2010 Service Pack 2 (SP2) introduces address book policies (ABPs). When creating an ABP, you assign a GAL, an offline address book (OAB), a room list, and one or more address lists to the policy. You can then assign the ABP to mailbox users, providing them with access to a customized GAL in Outlook and Outlook Web App. This provides a simpler mechanism to accomplish GAL segmentation for on-premises organizations that require multiple GALs.

Scenario : This artcile covers GAL segregation based on the scenario for 2 organizations hosted on the same server and which do not want to see each other GALs.

We will use Custom Attributes to segregate object propereties in the GALs.

Name of organiaztion A: SINCORP

Custom Attribute for organiaztion A: SIN

Name of organiaztion B: BINCORP

Custom Attribute for organiaztion B: BIN

For GAL segregation we need to create the following for each Organization.

1. Global Address List

2. Addres Lists

3. Offline Address Book

4. Room Lists

5. Address Book Policy

1. Creating a Global Address list for SinCorp

You can only use EMS to create GALs. (Tip: Launch EMS using Run as Administrator)

New-GlobalAddresslist “SINCORP” -ConditionalCustomAttribute1 “SIN” -IncludedRecipients “AllRecipients”

Where users with CustomAttribute 1 with value “SIN” will be included in this GAL.

2. Creating an Address list for SinCorp

In EMC go to Organization Configuration > Mailbox > Address Lists

Create new Address List name called SINCORP AL

Choose All Recipient type and Container as Users.

Choose the Custom Attribute 1 as SIN.

Apply the changes immediately and Pres New to create the Address List.

Below shows the Address List that we just created.

3. Creating an Offline Address Book for SinCorp

Use EMS to create the OAB. Dont use the EMC to do this as you wont be able to add the newly created GAL for SINCORP.

New-OfflineAddress Book -Name “SINCORP OAB” -AddressLists “SINCORP”

If you have Public Folders you can click on the option using GUI in the EMC

4. Creating a Room List for SinCorp

New-AddressList -Name SINCORP-Rooms -RecipientFilter {(Alias -ne $null) -and (CustomAttribute1 -eq “SIN”)-and (RecipientDisplayType -eq “ConferenceRoomMailbox”) -or (RecipientDisplayType -eq “SyncedConferenceRoomMailbox”)}

5. Create Address Book Policy for SinCorp

Go to EMC and open Organization Configuration> Mailbox > Address Book Policies

Create a New Address Book Policy and select the Global address list, OAB , Room List and Address Lists created above.

Click New. You should now see the SINCORP ABP created.

Applying Custom Attribute for SinCorp

Now we will assign the Custom Attributes for the Users and Distribution Groups that need to be part of the SINCORP GAL.

We can achieve this in several ways.Directly editing each User and Group’s custom attribute.or using EMS.

Directly editing each User and Group’s custom attribute shown below.

Using EMS you can do it by executing the commands

i. For individual mailbox

Get-mailbox “Test User01″ | Set-mailbox -customattribute1 “SIN”

ii.To apply for all the mailboxes

Get-mailbox | Set-mailbox -customattribute1 “SIN”

iii. To apply for the Users in a Specific Mailbox Database

Get-mailbox -database “Database Name” | Set-mailbox -customattribute1 “SIN”

To Apply for a Distribution group

Get-DistributionGroup “Group SIN” | Set-Distributiongroup -customattribute1 “SIN”

Applying AddressBook Policy for SinCorp

We are now ready to apply the Address Book Policy for a specific users.

Go to EMC – Recipient Configuration – Mailbox – Properties of User Mailbox – Mailbox Settings – Address Book Policy

As shown below.

You can apply the policy to all users in a mailbox database using the EMS command below

Get-mailbox -Database “Database Name” | set-mailbox -addressbookpolicy “SINCORP ABP”

This makes SINCORP ready for our GAL Segregation. In the next part of the article we will discuss how to make BINCORP ready for GAL Segregation.

http://www.howexchangeworks.com/2012/10/how-to-delete-contents-in-recoverable-items-folder.html