PSS ID Number: 318635
Article Last Modified on 4/2/2004
The information in this article applies to:
- Microsoft Exchange 2000 Server
This article was previously published under Q318635
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
Table of Contents
- SUMMARY
- Overview
- Add the User Principal Name Suffix of the Hosted Company
- Create an Organizational Unit for the Hosted Company
- Create a Recipient Policy for the Hosted Company
- Create a Global Address List for the Hosted Company
- Create an Address List for the Hosted Company
- Create an Offline Address List for the Hosted Company
- Remove Existing Default Address Lists
- Rebuild the Domain Recipient Update Service
- Restrict Outlook Web Access Lookups
- Restrict Offline Address Book Access
- Configure Security on the All Address Lists Container
- REFERENCES
SUMMARY
This article discusses how to configure Microsoft Exchange 2000 Server in an e-mail hosting environment. When you use Exchange 2000 in a hosting environment, you must create multiple Global Address Lists. The address lists typically have different user accounts listed in them based on a Lightweight Directory Access Protocol (LDAP) filter that you create.
By default, all the users who are in an Exchange 2000 organization can view all the defined Global Address Lists. This is not acceptable for companies that serve as e-mail hosts for other companies. However, you can permit only a particular set of users to view and to use particular address lists. This article describes how to create Global Address Lists and how to configure security settings on them to make them viewable only by specific groups.
Overview
This article discusses the following issues:
- How to create a separate Global Address List for each hosted company.
- How to make a distribution group appear in the Global Address List.
- How to restrict Microsoft Outlook Web Access (OWA) lookups so that they return only people in the user's own organizational unit.
- How to create a specific Offline Address List for each hosted company.
Note These steps apply to multiple organizational units that have mailboxes that are in the same information store, or to multiple organizational units where each unit has its mailbox in a separate information store.
This article uses the extensionAttribute attribute to differentiate the different hosted companies that are on your Exchange server. For the examples that are in this article, extensionAttribute10 is used, with the value of test. The example hosted company (virtual organization) is Contoso, and the hosted company's user principal name (UPN) is contoso.com.
Add the User Principal Name Suffix of the Hosted Company
Configure your Microsoft Active Directory directory service domain with the user principal name (UPN) suffix of the company that you want to host in Exchange. To do so, follow these steps:
- On a domain controller, start Active Directory Domains and Trusts.
- Right-click Active Directory Domains and Trusts, and then click Properties.
- In the Alternative UPN suffixes box, type the UPN suffix of the hosted company. For example, type contoso.com.
- Click Add, and then click OK.
- Quit Active Directory Domains and Trusts.
Remove Existing Default Address Lists
Remove the existing default address lists from your Exchange server. To do so, follow these steps:
- Start Exchange System Manager.
- Under your organization, expand Recipients, and then click All Address Lists.
- In the right pane, right-click the address list, click Delete, and then click Yes to confirm the removal of the default address list that is installed by Exchange.
- Quit Exchange System Manager.
Create an Organizational Unit for the Hosted Company
Create a new organizational unit where you can store the users from the hosted company. To do so, follow these steps:
- On a domain controller, start Active Directory Users and Computers.
- Right-click your domain, point to New, and then click Organizational Unit.
  Note You do not have to create this organizational unit directly under the domain container. You can also create this organizational unit inside another organizational unit.
- In the Name box, type the name of the company that you want to host in Exchange. For example, type Contoso. Click OK.
- In this new organizational unit (Contoso), create new accounts for the users of the hosted company, or move the user accounts from another location to this organizational unit.
  Note Make sure that the User logon name value uses the UPN suffix for the hosted company. For example, make sure that you select @contoso.com in the list that is next to the User logon name box. Additionally, when you create the Exchange mailbox for each user, select the mailbox store that is specific to the hosted company if you want to host the company mailboxes in a separate mailbox store.
- Configure the extensionAttribute10 attribute value for each user account. To do so, follow these steps:
  - Right-click a user account, and then click Properties.
  - Click the Exchange Advanced tab, and then click Custom Attributes.
    Note If the Exchange Advanced tab does not appear, click Cancel, and then click Advanced Features on the View menu in Active Directory Users and Computers.
  - In the Attribute list, click extensionAttribute10, and then click Edit.
  - In the extensionAttribute10 box, type test, and then click OK.
  - Click OK, and then click OK.
- Right-click the organizational unit (for example, right-click Contoso), point to New, and then click Group.
- In the Group name box, type a descriptive name for this group. For example, type contoso-DG.
- Under Group scope, click Global, click Distribution under Group type, and then click Next.
- Click to select the Create an Exchange e-mail address check box, click Next, and then click Finish.
- Configure the extensionAttribute10 value for the distribution group. To do so, follow these steps:
  - Right-click the distribution group, and then click Properties.
  - Click the Exchange Advanced tab, and then click Custom Attributes.
  - In the Attribute list, click extensionAttribute10, and then click Edit.
  - In the extensionAttribute10 box, type test, and then click OK.
  - Click OK, and then click OK.
- Add the hosted company's users to the new global distribution group.
- Right-click the organizational unit, point to New, and then click Group.
- In the Group name box, type a descriptive name for this group. For example, type Allusers@contoso.
- Under Group scope, click Global, click Security under Group type, and then click Next.
- Click Next, and then click Finish.
- Add the hosted company's users, together with the distribution group, to the new global security group.
  Note The Microsoft Windows 2000-based domain must be running in native mode to add the distribution group to the security group.
Create a Recipient Policy for the Hosted Company
Create a new recipient policy that is based on the extensionAttribute value of the members of the hosted company. To do so, follow these steps:
- On the Exchange server, start Exchange System Manager.
- Under your organization, expand Recipients, right-click Recipient Policies, point to New, and then click Recipient Policy.
- Click to select the E-Mail Addresses check box, and then click OK.
- In the Name box, type a descriptive name for this policy. For example, type All Contoso Recipients.
- Click Modify, click Custom Search in the Find list, and then click the Advanced tab.
- Type the following LDAP query in the Enter LDAP query box, and then click Find Now:
  (&(mailnickname=*)(extensionattribute10=test))
- Click OK, and then click OK.
- Click the E-Mail Addresses (Policy) tab, and then click New.
- Click SMTP Address, and then click OK.
- In the Address box, type the hosted company's UPN suffix, preceded by the @ character. For example, type @contoso.com.
- Click OK.
- In the Generation rules list, click to select the check box of the hosted company's Simple Mail Transfer Protocol (SMTP) address, and then click Set as Primary. The hosted company's SMTP address appears in bold.
- Click to clear the check box of the default SMTP address. For example, click to clear the @example.com SMTP address (where example.com is your domain).
- Click OK.
- In the right pane, right-click the new recipient policy that you created, click Apply this policy now, and then click Yes to confirm that the policy is applied.
Create a Global Address List for the Hosted Company
Configure a new Global Address List for the users from the hosted company. To do so, follow these steps:
- In Exchange System Manager, expand Recipients, right-click All Global Address Lists, point to New, and then click Global Address List.
- In the Address List name box, type the name of the hosted company, and then click Filter Rules.
- In the Find list, click Custom Search, click the Advanced tab, type the following LDAP query in the Enter LDAP query box, and then click Find Now:
  (&(mailnickname=*)(extensionattribute10=test))
- Click OK, and then click Finish.
- Right-click the new Global Address List that you created, and then click Properties.
- Click the Security tab, click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click Copy when you are prompted.
- In the Name list, click Authenticated Users, and then click Remove.
- In the Name list, click Everyone, and then click Remove.
- Click Add, and then add the Allusers@contoso security group that you created in steps 12 through 15 of the "Create an Organizational Unit for the Hosted Company" section of this article.
- Assign the Allusers@contoso security group the following Allow permissions in the Permissions list: Read, Execute, Read permissions, List contents, Read properties, List object, and Open Address List. Click to clear all other check boxes that are in the Allow column for the Allusers@contoso security group.
  Note You cannot remove the check mark from the Write check box until you click to clear the Write properties check box.
- Click Apply, click Yes in the message dialog box that states that Deny entries take priority over Allow entries, and then click OK.
Create an Address List for the Hosted Company
Create a new address list for the users from the hosted company. To do so, follow these steps:
- In Exchange System Manager, expand Recipients, right-click All Address Lists, point to New, and then click Address List.
- In the Address List name box, type the name of the hosted company (for example, type Contoso AL), and then click Filter Rules.
- In the Find list, click Custom Search, click the Advanced tab, type the following LDAP query in the Enter LDAP query box, and then click Find Now:
  (&(mailnickname=*)(extensionattribute10=test))
- Click OK, and then click Finish.
Create an Offline Address List for the Hosted Company
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Create a new offline address list for the users from the hosted company. To do so, follow these steps:
- In Exchange System Manager, expand Recipients, and then click Offline Address Lists.
- In the right pane, right-click Default Offline Address List, click Delete, and then click Yes to confirm the removal of the default offline address list.
- In the left pane, right-click Offline Address Lists, point to New, and then click Offline Address List.
- In the Offline address list name box, type the name of the hosted company (for example, type Contoso AL).
- Click Browse, and then click your LDAP server. For example, locate a domain controller (global catalog server), and then click OK.
- Click Next.
- In the Select which Address Lists to include in this Offline Address List list, remove all address lists except the Contoso address list that you created. To do this, click an address list, and then click Remove.
- Click Next, click Next on the page that describes when the offline address list will be created, and then click Finish.
- Right-click the new offline address list, and then click Properties.
- Click the Security tab. If the Security tab does not appear, edit the Windows registry to make this tab appear. To do so, follow these steps:
  - Click Start, click Run, type regedt32, and then click OK.
  - Locate and then click the following registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Exchange\EXAdmin
  - On the Edit menu, click Add Value.
  - In the Value Name box, type ShowSecurityPage.
  - In the Data Type list, click REG_DWORD, and then click OK.
  - In the Data box, type 1 (one), and then click OK.
  - Quit Registry Editor.
  Note This registry change is effective immediately. You do not have to restart the computer.
- Click to clear the Allow inheritable permissions from parent to propagate to this object check box, and then click Copy when you are prompted.
- In the Name list, click Authenticated Users, and then click Remove.
- In the Name list, click Everyone, and then click Remove.
- Click Add, and then add the Allusers@contoso security group that you created in steps 12 through 15 of the "Create an Organizational Unit for the Hosted Company" section of this article.
- Assign the Allusers@contoso security group the following Allow permissions in the Permissions list: Read, Execute, Read permissions, List contents, Read properties, List object, and Open Address List. Click to clear all the other check boxes that are in the Allow column for the Allusers@contoso security group.
  Note You cannot remove the check mark from the Write check box until you click to clear the Write properties check box.
- Click Apply, click Yes in the message dialog box that states that Deny entries take priority over Allow entries, and then click OK.
- Right-click the Contoso offline address list, and then click Rebuild.
- Click Yes to confirm the rebuild operation.
Rebuild the Domain Recipient Update Service
Rebuild the Recipient Update Service (RUS) that corresponds to your domain (not to the enterprise RUS). To do so, follow these steps:
- In Exchange System Manager, expand Recipients, and then click Recipient Update Services.
- In the right pane, right-click Recipient Update Service (YOUR_DOMAIN_NAME), and then click Rebuild.
- Click Yes to continue with the rebuild operation.
- Wait for the changes to be replicated throughout the domain, and then verify that all users and distribution groups from the hosted company (Contoso) have their primary SMTP address correctly configured with the hosted company's UPN suffix. For example, the SMTP address for a user at Contoso appears similar to the following:
  user@contoso.com
After you complete the previous steps in this article, MAPI clients from the hosted company see only the Global Address List for that hosted company (Contoso). This Global Address List is made up of the hosted company's users and distribution groups.
Restrict Outlook Web Access Lookups
Restrict Outlook Web Access (OWA) lookup operations for the hosted company's users to members of the hosted company. By default, Outlook Web Access users can still see all users, including those users who are not in the same organizational unit, by using the Find names feature. To prevent this behavior, you must change the msExchQueryBaseDN attribute on each member of the hosted company to point to the hosted company's organizational unit. This limits the scope of a directory service search from OWA. To set the msExchQueryBaseDN attribute on a user object, use one of the following methods:
Method 1: By Using ADSI Edit
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
- Start the ADSI Edit utility. To do this, click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
  ADSI Edit is included with Windows 2000 Support Tools. To install Windows 2000 Support Tools, run Setup.exe from the Support\Tools folder on the Windows 2000 CD-ROM.
- Expand Domain NC, and then expand DC=your_domain_name,DC=com.
- Click the organizational unit that you created for the hosted company. For example, click OU=Contoso.
- In the right pane, right-click a user from the hosted company, and then click Properties.
- In the Select a property to view list, click msExchQueryBaseDN.
- In the Edit Attribute box, type the distinguished name of the hosted company's organizational unit. For example, type ou=contoso,dc=your_domain_name,dc=com (where contoso is the name of the organizational unit that you created for the hosted company, and where your_domain_name.com is the name of your domain).
  Note This distinguished name appears (together with the canonical name [CN] of the user) in the right pane when you click the hosted company's organizational unit.
- Click Set, and then click OK.
- Follow steps 4 through 7 to set the msExchQueryBaseDN attribute for each user in the hosted company.
Method 2: By Using ADModify
Use the ADModify utility to set the msExchQueryBaseDN attribute for each user in the hosted company. To do so, follow these steps.
Note You must be using ADModify 1.5d or later for this method to work.
- Obtain and install the ADModify utility. To obtain ADModify, contact Microsoft Product Support Services (PSS). For additional information about how to contact PSS, visit the following Microsoft Web site:
- Start ADModify.
- Under Select Action, click Modify Existing User Attributes, and then click Next.
- In the Select Domain Controller list, click a domain controller.
- Expand DC=example, and then click the hosted company's organizational unit. For example, click OU=Contoso.
- Click Add To List, select all the users, and then click Next. The Modify Active Directory Users dialog box appears.
- Click the Exchange General Continued tab, click to select the Set msExchQueryBaseDN to the following (type null to clear attribute) check box, click the hosted company's address list (not the Global Address List) in the list that appears, and then click Change.
- Click Exit to quit the ADModify utility.
Restrict Offline Address Book Access
When you configure multiple offline address lists for a particular messaging database (MDB) in Exchange 2000 Server, Exchange 2000 Server associates the offline Address Book that a user is permitted to download with the MDB where that user's mailbox is located. This may be unacceptable if you host many smaller companies on a single MDB. Because of this, Exchange 2000 Server functionality was modified in Microsoft Exchange Server 2000 Service Pack 1 (SP1). This modification is also described in Microsoft Knowledge Base article 291222. The modification permits the information store process (Store.exe) to verify the user attribute msExchUseOAB to determine the offline Address Book (that is generated from a particular address list [or lists]) that is meant to be available to each user. When you must host multiple companies on a single MDB and these companies have different offline address lists, restrict the offline Address Book by using the msExchUseOAB attribute. To do this, use one of the following methods:
Method 1: By Using ADSI Edit
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
- Start the ADSI Edit utility. To do this, click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
  ADSI Edit is included with Windows 2000 Support Tools. To install Windows 2000 Support Tools, run Setup.exe from the Support\Tools folder on the Windows 2000 CD-ROM.
- Expand Configuration Container [server.your_domain_name.com], expand CN=Configuration,DC=your_domain_name,DC=com, expand CN=Services, expand CN=Microsoft Exchange, expand CN=OrganizationName (where OrganizationName is the name of your Exchange organization), expand CN=Address Lists Container, and then click CN=Offline Address Lists.
- In the right pane, right-click the hosted company's offline address list. For example, right-click CN=Contoso.
- Click Properties.
- In the Select a property to view list, click DistinguishedName.
- Select the value that is in the Value(s) box, and then press CTRL+C to copy this information to the clipboard. The information appears similar to the following:
  CN=Contoso,CN=Offline Address Lists,CN=Address Lists Container,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=your_domain_name,DC=com
- Click Cancel.
- Expand Domain NC, and then expand DC=your_domain_name,DC=com.
- Click the organizational unit that you created for the hosted company. For example, click OU=Contoso.
- In the right pane, right-click a user from the hosted company, and then click Properties.
- In the Select a property to view list, click msExchUseOAB.
- Click to put the insertion point in the Edit Attribute box, and then press CTRL+V to paste the distinguished name of the hosted company's offline address list.
- Click Set, and then click OK.
- Follow steps 10 through 12 to set the msExchUseOAB attribute for each user in the hosted company.
Method 2: By Using ADModify
Use the ADModify utility to set the msExchUseOAB attribute for each user in the hosted company. To do so, follow these steps:
- Obtain and install the ADModify utility. To obtain ADModify, contact Microsoft Product Support Services (PSS). For additional information about how to contact PSS, visit the following Microsoft Web site:
- Start ADModify.
- Under Select Action, click Modify Existing User Attributes, and then click Next.
- In the Select Domain Controller list, click a domain controller.
- Expand DC=your_domain_name, and then click the hosted company's organizational unit. For example, click OU=Contoso.
- Click Add To List, select all the users, and then click Next. The Modify Active Directory Users dialog box appears.
- Click the Exchange General Continued tab, click to select the Set msExchUseOAB to the following OAB (type null to clear attribute) check box, click the hosted company's distinguished name, and then click Change.
  Note The distinguished name for the hosted company appears similar to the following:
  CN=Contoso,CN=Offline Address Lists,CN=Address Lists Container,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=your_domain_name,DC=com
- Click Exit to quit the ADModify utility.
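The LDAP filter used for the recipient policy and address lists, and the per-user msExchQueryBaseDN and msExchUseOAB settings from the two preceding sections, can be audited offline against exported user objects; doing so catches a user who was moved into the hosted organizational unit but never tagged or scoped. The following Python script is an added example, not part of this Knowledge Base article: the DN values, the proxyAddresses check and the sample records are constructed assumptions, and the filter is evaluated in Python instead of being sent to a directory.

```python
"""Offline audit of the hosting settings this article configures (added example)."""

HOSTED_TAG = "test"                                      # extensionAttribute10 value (assumed)
HOSTED_OU_DN = "OU=Contoso,DC=your_domain_name,DC=com"   # hosted company's OU DN (assumed)
HOSTED_OAB_DN = ("CN=Contoso,CN=Offline Address Lists,CN=Address Lists Container,"
                 "CN=OrganizationName,CN=Microsoft Exchange,CN=Services,"
                 "CN=Configuration,DC=your_domain_name,DC=com")
HOSTED_SMTP_SUFFIX = "@contoso.com"

def _lower_keys(attrs):
    """LDAP attribute names are case-insensitive, so normalise keys for lookup."""
    return {k.lower(): v for k, v in attrs.items()}

def matches_hosted_filter(attrs):
    """Evaluate the article's filter (&(mailnickname=*)(extensionattribute10=test)).

    (mailnickname=*) is a presence test: true only if the attribute has a value.
    AD matches Unicode string attributes case-insensitively, hence lower().
    """
    a = _lower_keys(attrs)
    tag = a.get("extensionattribute10")
    return bool(a.get("mailnickname")) and tag is not None and tag.lower() == HOSTED_TAG

def dn_equal(left, right):
    """Compare two DNs ignoring case and whitespace around the RDN separators."""
    def norm(s):
        return ",".join(part.strip() for part in (s or "").split(",")).lower()
    return norm(left) == norm(right)

def audit(users):
    """Return {user DN: [findings]} for users whose settings are inconsistent.

    A user the filter selects is in the hosted GAL, so OWA lookups and the
    offline address book must be scoped to the hosted company as well.
    """
    findings = {}
    for user in users:
        a = _lower_keys(user["attrs"])
        in_hosted_ou = user["dn"].lower().endswith("," + HOSTED_OU_DN.lower())
        selected = matches_hosted_filter(user["attrs"])
        problems = []
        if in_hosted_ou and not selected:
            problems.append("in hosted OU but not selected by the GAL/recipient policy filter")
        if selected:
            if not dn_equal(a.get("msexchquerybasedn"), HOSTED_OU_DN):
                problems.append("msExchQueryBaseDN not scoped to the hosted OU; "
                                "OWA Find names can search the whole directory")
            if not dn_equal(a.get("msexchuseoab"), HOSTED_OAB_DN):
                problems.append("msExchUseOAB does not point at the hosted offline address list")
            # In proxyAddresses the upper-case "SMTP:" prefix marks the primary address.
            primary = [p for p in a.get("proxyaddresses", []) if p.startswith("SMTP:")]
            if not primary or not primary[0].lower().endswith(HOSTED_SMTP_SUFFIX):
                problems.append("primary SMTP address does not use the hosted UPN suffix")
        if problems:
            findings[user["dn"]] = problems
    return findings

# Constructed sample records; they are not real directory data.
SAMPLE_USERS = [
    {"dn": "CN=Alice,OU=Contoso,DC=your_domain_name,DC=com",      # fully configured
     "attrs": {"mailNickname": "alice", "extensionAttribute10": "test",
               "msExchQueryBaseDN": HOSTED_OU_DN, "msExchUseOAB": HOSTED_OAB_DN,
               "proxyAddresses": ["SMTP:alice@contoso.com", "smtp:alice@example.com"]}},
    {"dn": "CN=Bob,OU=Contoso,DC=your_domain_name,DC=com",        # OWA scope never set
     "attrs": {"mailNickname": "bob", "extensionAttribute10": "test",
               "msExchUseOAB": HOSTED_OAB_DN, "proxyAddresses": ["SMTP:bob@contoso.com"]}},
    {"dn": "CN=Carol,OU=Contoso,DC=your_domain_name,DC=com",      # tag never set
     "attrs": {"mailNickname": "carol", "proxyAddresses": ["SMTP:carol@example.com"]}},
    {"dn": "CN=Dave,OU=Fabrikam,DC=your_domain_name,DC=com",      # another hosted company
     "attrs": {"mailNickname": "dave", "extensionAttribute10": "other"}},
]
```

Running audit(SAMPLE_USERS) reports Bob (OWA scope missing) and Carol (in the OU but outside the filter, so absent from the hosted GAL and recipient policy), and nothing for Alice or for Dave in the other company's OU.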
Configure Security on the All Address Lists Container
Modify the default security settings on the All Address Lists object in Exchange System Manager to permit users from one hosted company to view the name of another hosted company, but not to view the users from that other company. To do so, follow these steps:
- In Exchange System Manager, expand Recipients, right-click All Address Lists, and then click Properties.
- Click the Security tab, and then click Advanced.
- In the Permission Entries list, click the following entry:
  Type   Name                 Permission     Apply to
  Allow  Authenticated Users  List contents  This object and subcontainers
- Click View/Edit. The Allow check box that corresponds to List contents is the only selected check box.
  Note This check box is unavailable.
- Click to select the Deny check box that corresponds to the List contents item in the Permissions list, and then click OK.
- Click OK, click Yes in the message dialog box that states that Deny entries take priority over Allow entries, and then click OK.
REFERENCES
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
321723 How to create an address list based on the group membership of users
298911 XWEB: Name resolution does not work correctly in an OWA appointment
272197 XCCC: How to restrict OWA address view searches
280435 XADM: How to create an offline address list that contains a filtered copy of the Global Address List
275203 Offline address book cannot be associated with a particular mailbox