Exchange 2010 SP2 : AddressBook Policies Best Practices.

There are different kinds of recipients in Exchange 2010. To get GAL segmentation working, the administrator needs to segregate/filter recipients and then define a matching filter on the Address List (AL) / Global Address List (GAL). You may have already noticed that the availability of the attributes commonly used for recipient queries and separation varies from cmdlet to cmdlet. If you look at the following comparison list, you will not be surprised that customers get thoroughly confused.

Thus, I'd like to share MY "best practices" after struggling with all kinds of supported recipient types in my lab:

1== When segregating recipients, do not use the precanned conditional attributes (Company/Department/StateOrProvince); use CustomAttribute1~15 instead

The reasons are:

Not all recipient object types have the precanned conditional attributes in Active Directory (e.g. MailDistributionGroup/DynamicDistributionGroup do not have company/department attributes). NOTE: Department and Company support has since been added to the DL cmdlets.

Not all precanned conditional attributes are exposed in the cmdlets for every recipient type (e.g. no Company/Department/StateOrProvince parameter is exposed on the setter cmdlet for MailUser/MailContact/MailDistributionGroup/MailPublicFolder).

Multiple cmdlets are required to segregate a recipient with a precanned conditional attribute (e.g. you need Set-User to tag Company/Department/StateOrProvince on a UserMailbox after you run New-Mailbox/Set-Mailbox).

CustomAttribute1~15 are exposed on the Set-* cmdlet of every recipient type, so all segregation can be completed with a single Set-* cmdlet per recipient.

2== Decide which CustomAttributeX attributes to use, then map each one to a meaningful attribute before segregating recipients and creating the AL/GAL filters.

You should consider existing usage of the CustomAttributeX attributes first (they are often already used by provisioning or line-of-business tooling). We recommend choosing them in backward order, starting from CustomAttribute15, to avoid possible conflicts.

For example:

    CustomAttribute15 == Level1: Company

    CustomAttribute14 == Level2: Department

    CustomAttribute13 == Level3: Location

    CustomAttribute12 == Level4: any other preference

3== When creating an AL/GAL, do not use the "IncludedRecipients" and "ConditionalX" parameters; use RecipientFilter instead

Use one parameter with a custom OPATH filter string (pass it as a script block or single-quoted string so that $null is not expanded by PowerShell before Exchange sees it):

      -RecipientFilter {((Alias -ne $null) -and ((CustomAttribute1 -eq 'CompanyA') -or (CustomAttribute2 -eq 'Sales') -or (CustomAttribute3 -eq 'abcde')))}

The form below involves too many parameters, and is therefore complicated and hard to manage:

     -IncludedRecipients 'AllRecipients' -ConditionalCompany 'CompanyA' -ConditionalDepartment 'Sales' -ConditionalCustomAttribute4 'HQOffice'

4== Do not rely on the Exchange Management Console; use the cmdlets instead

As indicated in the list, the attribute settings available in the EMC vary from recipient type to recipient type, and many attributes/filters cannot be set directly from the EMC at all.

5== Include the GAL in the -AddressLists parameter of New/Set-OfflineAddressBook to ensure no entry is unexpectedly missed

You can customize the entries a user sees, or the OAB download size, by passing a set of address lists in -AddressLists of New/Set-OfflineAddressBook. However, if you expect the full set of GAL entries in the OAB, pass the GAL itself in -AddressLists.

6== If you are not interested in a Room Address List, create a default empty room address list (e.g. "\DefaultEmptyRoomAddressList") or use the built-in All Rooms address list ("\All Rooms") for -RoomList of New-AddressBookPolicy

-RoomList is a mandatory parameter of New-AddressBookPolicy. You can create a new, effectively empty Room Address List by filtering on a CustomAttribute value that no room carries, like this:

New-AddressList -Name 'DefaultEmptyRoomAddressList' -RecipientFilter {((Alias -ne $null) -and ((RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox')) -and (CustomAttribute1 -eq 'EmptyRoomAddressList'))}
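Items 1 to 6 are steps of one procedure, so here is the whole procedure for a single company as an added example (this is not code from the original post). The company name "CompanyA", the OU path "contoso.com/CompanyA" and all list/policy names are assumptions for illustration; the cmdlets and parameters are the Exchange 2010 SP2 ones. Run it in the Exchange Management Shell:

```powershell
# Added example (not part of the original post): GAL segmentation for one company
# following items 1-6. Company name, OU path and list names are assumptions.

$company = 'CompanyA'
$ou      = 'contoso.com/CompanyA'   # assumed OU that holds this company's recipients

# Items 1-2: tag every recipient type through its own Set-* cmdlet, using the
# high-numbered custom attribute agreed in item 2 (CustomAttribute15 = Company).
Get-Mailbox                  -OrganizationalUnit $ou -ResultSize Unlimited | Set-Mailbox                  -CustomAttribute15 $company
Get-MailUser                 -OrganizationalUnit $ou -ResultSize Unlimited | Set-MailUser                 -CustomAttribute15 $company
Get-MailContact              -OrganizationalUnit $ou -ResultSize Unlimited | Set-MailContact              -CustomAttribute15 $company
Get-DistributionGroup        -OrganizationalUnit $ou -ResultSize Unlimited | Set-DistributionGroup        -CustomAttribute15 $company
Get-DynamicDistributionGroup -OrganizationalUnit $ou -ResultSize Unlimited | Set-DynamicDistributionGroup -CustomAttribute15 $company

# Item 3: one OPATH RecipientFilter string per list instead of IncludedRecipients/ConditionalX.
# The backtick matters: in a double-quoted string an unescaped $null would expand to nothing.
$base  = "(Alias -ne `$null) -and (CustomAttribute15 -eq '$company')"
$rooms = "(RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox')"

New-GlobalAddressList -Name "$company GAL"        -RecipientFilter "($base)"
New-AddressList       -Name "$company All Users"  -RecipientFilter "($base) -and (RecipientDisplayType -eq 'MailboxUser')"
New-AddressList       -Name "$company All Groups" -RecipientFilter "($base) -and ((RecipientDisplayType -eq 'DistributionGroup') -or (RecipientDisplayType -eq 'DynamicDistributionGroup'))"
New-AddressList       -Name "$company All Rooms"  -RecipientFilter "($base) -and ($rooms)"

# Item 5: build the OAB from the GAL itself so that no GAL entry is missed offline.
New-OfflineAddressBook -Name "$company OAB" -AddressLists "$company GAL"

# Item 6 (and item 12): -RoomList is mandatory, and the room list must also be among
# -AddressLists or it will not show up in Outlook's address book drop-down.
New-AddressBookPolicy -Name "$company ABP" `
    -GlobalAddressList  "$company GAL" `
    -OfflineAddressBook "$company OAB" `
    -RoomList           "$company All Rooms" `
    -AddressLists       "$company All Users", "$company All Groups", "$company All Rooms"

# Populate the new lists, then assign the policy to the tagged mailboxes. Because the
# same CustomAttribute15 value drives both the GAL filter and the assignment, every
# assigned user is guaranteed to exist in its own GAL (item 11).
Update-GlobalAddressList  -Identity "$company GAL"
"$company All Users", "$company All Groups", "$company All Rooms" | ForEach-Object { Update-AddressList -Identity $_ }
Update-OfflineAddressBook -Identity "$company OAB"
Get-Mailbox -Filter "CustomAttribute15 -eq '$company'" -ResultSize Unlimited |
    Set-Mailbox -AddressBookPolicy "$company ABP"
```

The filter strings are built once in `$base` and reused, so the GAL is by construction a superset of every AL (item 10). If the company has a second level of separation, extend `$base` with a CustomAttribute14 clause rather than adding ConditionalDepartment parameters.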

7== Note that the default "\All Rooms" list shows users all room resource mailboxes in the organization, regardless of ABP.

8== Do not run the CAS role on a Global Catalog. Doing so results in Active Directory being used for NSPI instead of the Address Book Service, bypassing all of the logic built into the feature.

9== Do not allow your clients to access Active Directory directly via LDAP. Doing so bypasses all of the logic built into the Address Book Service, so a user could enumerate recipients outside their ABP.

10== The GAL used in an AddressBookPolicy must contain every recipient of all the Address Lists specified in that ABP. Do not create a GAL with fewer objects than its ALs.

11== Any user assigned an ABP must exist in their own GAL. If the user does not exist in the GAL they have been assigned, OWA will display an empty GAL to that user.

12== The Room Address List passed in -RoomList must also be included in the ABP's -AddressLists to show up in the Outlook drop-down list.

13== Any user who is able to run Get-Group will see all the members of that group, regardless of AddressBookPolicy.
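Items 10, 11 and 12 are conditions you can verify rather than just remember. The following audit is an added example (not code from the original post) that walks every ABP in the organization and warns on each violation, using only Get-* cmdlets; the `Get-FilterMembers` helper name is mine. It resolves each list's RecipientFilter with Get-Recipient -RecipientPreviewFilter, which is how the Address Book Service will evaluate it. Run it in the Exchange Management Shell:

```powershell
# Added example (not part of the original post): audit existing ABPs against
# items 10 (AL subset of GAL), 11 (assigned user is in own GAL) and 12 (RoomList
# also in AddressLists). Read-only; uses Get-* cmdlets only.

function Get-FilterMembers {
    # Resolve an OPATH recipient filter to a GUID -> primary SMTP table.
    param([string]$RecipientFilter)
    $members = @{}
    Get-Recipient -RecipientPreviewFilter $RecipientFilter -ResultSize Unlimited |
        ForEach-Object { $members[$_.Guid.ToString()] = $_.PrimarySmtpAddress.ToString() }
    return $members
}

# Fetch mailboxes once; only those with a policy assigned matter for item 11.
$assigned = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.AddressBookPolicy }

foreach ($abp in Get-AddressBookPolicy) {
    $gal        = Get-GlobalAddressList -Identity $abp.GlobalAddressList
    $galMembers = Get-FilterMembers $gal.RecipientFilter

    # Item 10: every address list in the ABP must be a subset of the ABP's GAL.
    foreach ($alId in $abp.AddressLists) {
        $al        = Get-AddressList -Identity $alId
        $alMembers = Get-FilterMembers $al.RecipientFilter
        foreach ($guid in $alMembers.Keys) {
            if (-not $galMembers.ContainsKey($guid)) {
                Write-Warning ("{0}: AL '{1}' contains {2}, which is not in GAL '{3}'" -f `
                    $abp.Name, $al.Name, $alMembers[$guid], $gal.Name)
            }
        }
    }

    # Item 12: the room list must also be among -AddressLists to appear in Outlook.
    $roomInLists = $abp.AddressLists |
        Where-Object { $_.DistinguishedName -eq $abp.RoomList.DistinguishedName }
    if (-not $roomInLists) {
        Write-Warning ("{0}: RoomList '{1}' is not listed in AddressLists" -f $abp.Name, $abp.RoomList.Name)
    }

    # Item 11: each user assigned this ABP must be in its GAL, or OWA shows them an empty GAL.
    $assigned |
        Where-Object { $_.AddressBookPolicy.DistinguishedName -eq $abp.DistinguishedName } |
        Where-Object { -not $galMembers.ContainsKey($_.Guid.ToString()) } |
        ForEach-Object {
            Write-Warning ("{0}: {1} is assigned this ABP but is not in GAL '{2}'" -f `
                $abp.Name, $_.PrimarySmtpAddress, $gal.Name)
        }
}
```

Run it after every change to a RecipientFilter or to CustomAttribute tagging: a single mistyped attribute value on one recipient is enough to put that recipient into an AL but not into the GAL, or to give a user a policy whose GAL no longer contains them.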

-Manju