In a previous post, we described how administrators can restrict address lists for Exchange 2010 OWA users by editing the msExchQueryBaseDN attribute on a user. But what if we want to restrict address lists in Outlook? Unfortunately, the Exchange 2010 SP1 Management Console does not provide a good way to control who sees an address list. You would think you could simply right-click an address list, open its permissions and pick who has access, but that option is not available in the Management Console. There are two different approaches we can take to "restrict" an address list:
- We can stop a user from seeing the address list at all in Outlook, so it never appears in the list of available address books and cannot be used to populate the recipient field
- We can allow a user to add the recipients to the recipient field, but reject the message when it is actually sent to the distribution groups behind that list
Using ADSIEDIT to restrict permissions to an address list:
Open ADSIEDIT, connect to the "Configuration" naming context and navigate to "Services, Microsoft Exchange, <your Exchange organization>, Address Lists Container, All Address Lists". Here you will see every address list defined in your Exchange organization.
Process to restrict by group:
- First, create a security group containing the users who should not see the address list
- Right-click the address list you want to hide and open Properties
- Click the Security tab
- Add the group you created and tick the "Deny" box for the "Read" permission
The above steps will effectively keep members of that group from even seeing the address list in Outlook. Because Outlook caches the address book hierarchy, there may be a period before the client refreshes during which a denied user still sees the list name; clicking it then produces a "bookmark is invalid" error. Either way, the list is restricted. Two caveats: a Deny ACE always wins over Allow, so keep your Exchange administrators and service accounts out of that group, and the ACL hides only the address list object itself. The recipients it contains are still visible and searchable in the Global Address List, so this hides a convenient view, not the people in it.
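The same Deny Read ACE can be applied from PowerShell instead of clicking through ADSIEDIT, which also gives you a repeatable way to verify and audit it. This is an added example, not a script from the original post; the group name "AddressList-Deny-Sales" and the address list name "Sales Team" are hypothetical, and it assumes the ActiveDirectory module is loaded in an Exchange Management Shell session.

```powershell
# Added example (not from the original post): script the "Deny Read" ACE on an
# address list object with the ActiveDirectory module's AD: drive.
# Hypothetical names: group "AddressList-Deny-Sales", address list "Sales Team".
Import-Module ActiveDirectory

$groupName = 'AddressList-Deny-Sales'   # security group from step 1 (hypothetical)
$listName  = 'Sales Team'               # address list to hide (hypothetical)

# Let Exchange resolve the object's DN instead of hand-typing the configuration path.
$list   = Get-AddressList -Identity $listName
$adPath = "AD:\$($list.DistinguishedName)"

# The "Read" checkbox on the ADSIEDIT security tab is GenericRead. A Deny ACE
# overrides any Allow, so this group must not contain admins or Exchange servers.
$groupSid = (Get-ADGroup -Identity $groupName).SID
$denyRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($denyRead)
Set-Acl -Path $adPath -AclObject $acl

# Verify: read the ACL back and show every explicit Deny entry on the object.
Get-Acl -Path $adPath |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
```

Run the verification query on its own periodically (or from a scheduled task) so that a Deny entry removed by a later permissions cleanup is noticed rather than silently re-exposing the list.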
Deny Message flow settings on a Distribution Group
Another effective way to achieve this is to alter the "Message Delivery Restrictions" on a distribution group. Note that this restricts delivery rather than visibility: a user will still be able to add the group to the "To..." field, but when the message is sent they will receive an NDR stating that the group is restricted.
- Under Recipient Configuration > Distribution Group
- Right-click the distribution group you want to restrict, open Properties > Mail Flow Settings > Message Delivery Restrictions, and populate either the "Only senders in the following list" or the "Reject messages from" list.
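The same delivery restriction from the Exchange Management Shell, as an added example rather than anything from the original post. The group names "Sales Team" and "Sales Managers" are hypothetical; the cmdlets and parameters are the standard Exchange 2010 ones.

```powershell
# Added example (not from the original post): restrict who can send to a
# distribution group, which is what the "Message Delivery Restrictions" tab sets.
# Hypothetical names: target group "Sales Team", permitted senders "Sales Managers".

# Allow-list form: only members of "Sales Managers" (or the named senders) can
# deliver to "Sales Team"; everyone else gets a 5.7.1 NDR at send time.
Set-DistributionGroup -Identity 'Sales Team' `
    -AcceptMessagesOnlyFromSendersOrMembers 'Sales Managers'

# Deny-list form (alternative to the above): accept from anyone except the
# listed senders or members of the listed groups.
# Set-DistributionGroup -Identity 'Sales Team' `
#     -RejectMessagesFromSendersOrMembers 'Contractors'

# Verify the effective restriction and whether external senders are still allowed.
Get-DistributionGroup -Identity 'Sales Team' |
    Format-List Name, AcceptMessagesOnlyFrom, AcceptMessagesOnlyFromDLMembers,
                RejectMessagesFrom, RejectMessagesFromDLMembers,
                RequireSenderAuthenticationEnabled
```

The allow-list form is the safer default for a sensitive group because a new sender is blocked until someone adds them; a deny-list only keeps out the senders you already thought of. Keep RequireSenderAuthenticationEnabled set to $true as well, otherwise the restriction can be bypassed from an anonymous external sender address.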
At some point, an Exchange admin is going to be asked to restrict access to address lists in his or her environment. Hopefully future versions of Exchange will make this easier by letting administrators set permissions directly in the Management Console and be done with it. It is not quite that easy in Exchange 2010, but it is not that difficult either: by setting ACLs in ADSIEDIT or by using delivery restrictions on distribution groups, this can be done effectively without much hassle.