How to restrict OWA address searches to multiple organizational units (817218)



The information in this article applies to:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange 2000 Enterprise Server

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

SUMMARY

This article contains information about how to restrict Microsoft Outlook Web Access (OWA) address searches to more than one organizational unit. It discusses how you can limit the scope of searches that OWA performs to multiple organizational units or to specific address lists.

MORE INFORMATION

In Outlook Web Access, you can view all address lists in Active Directory, regardless of the permissions that are set on the address list. To restrict access so that OWA users can view only the address lists that are contained in their own organizational unit, you can configure the msExchQueryBaseDN attribute for the OWA user by following the steps in the following Microsoft Knowledge Base article:

272197 How to restrict OWA address view searches

The procedure that is discussed in article 272197 restricts OWA address searches to a single organizational unit.

If organizational units use a nested structure, you can also limit the scope of searches that OWA performs to more than one organizational unit or to specific address lists. You can construct an address list as a query and use it to search a single organizational unit or multiple organizational units for addresses that meet certain criteria.

For example, consider a scenario where all the following conditions are true:
  • An Active Directory domain has the following organizational unit structure:

    DC=Organization,DC=com
    OU=Division,DC=Organization,DC=com
    OU=Department,OU=Division,DC=Organization,DC=com
    OU=TeamA,OU=Department,OU=Division,DC=Organization,DC=com

  • The following address list is created:

    CN=My List,CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Organization,DC=com

  • The address list has the following value for the PurportedSearch attribute:

    (&(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList) )))(objectCategory=user)(givenName=K*)))

    This value restricts the address list to mail-enabled user objects in the organization whose givenName attribute starts with the letter "K".

As a result:
  • If you set the msExchQueryBaseDN attribute to DC=Organization,DC=com, the OWA user can search for mail-enabled objects in the subtree of DC=Organization,DC=com.
  • If you set the msExchQueryBaseDN attribute to OU=Department,OU=Division,DC=Organization,DC=com, the OWA user can search for mail-enabled objects in the subtree of OU=Department,OU=Division,DC=Organization,DC=com.
  • If you set the msExchQueryBaseDN attribute to the distinguished name of the address list that you created, the OWA user can search for mail-enabled objects. The search occurs in the result set of the PurportedSearch attribute as defined by the address list. For example, you can set the msExchQueryBaseDN attribute for every user to the following:

    CN=My List,CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Organization,DC=com
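The following Python script is an added illustration and is not part of the Knowledge Base article. It models the three msExchQueryBaseDN settings described above against a small constructed directory: it parses the article's PurportedSearch value with a minimal evaluator for the LDAP filter subset that value uses (&, |, !, presence, equality, prefix substring), applies a subtree check for container base DNs, and applies the address list's filter when the base DN names the address list. The sample entries, the DEFAULT_OBJECT_CATEGORY mapping (which stands in for the way Active Directory resolves a class name in an objectCategory filter to that class's defaultObjectCategory), and the choice to model the default OWA search in a container as (mailnickname=*) are assumptions made for this example.

```python
"""Simulate how msExchQueryBaseDN scopes an OWA address search.

Added example, not code from the KB article. Evaluates the article's
PurportedSearch filter against a constructed in-memory directory and
applies the three scoping options the article describes: the domain root,
a nested OU, or the distinguished name of the address list.
"""

# Constructed sample directory (assumption). Attribute names are lower-cased;
# objectCategory holds the short class name of the real defaultObjectCategory DN.
DIRECTORY = {
    "CN=Karen Smith,OU=TeamA,OU=Department,OU=Division,DC=Organization,DC=com": {
        "objectcategory": "person", "objectclass": ["top", "person", "user"],
        "givenname": "Karen", "mailnickname": "ksmith", "homemdb": "CN=Store1",
    },
    "CN=Bob Jones,OU=Department,OU=Division,DC=Organization,DC=com": {
        "objectcategory": "person", "objectclass": ["top", "person", "user"],
        "givenname": "Bob", "mailnickname": "bjones", "homemdb": "CN=Store1",
    },
    "CN=Kim Lee,OU=Division,DC=Organization,DC=com": {  # mail-enabled, no mailbox
        "objectcategory": "person", "objectclass": ["top", "person", "user"],
        "givenname": "Kim", "mailnickname": "klee",
    },
    "CN=Kevin Ng,OU=Division,DC=Organization,DC=com": {  # not mail-enabled
        "objectcategory": "person", "objectclass": ["top", "person", "user"],
        "givenname": "Kevin",
    },
    "CN=K Team,OU=Department,OU=Division,DC=Organization,DC=com": {
        "objectcategory": "group", "objectclass": ["top", "group"],
        "mailnickname": "kteam",
    },
}

# The article's PurportedSearch value, reproduced verbatim.
PURPORTED_SEARCH = (
    "(&(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)"
    "(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)"
    "(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))"
    "(&(objectCategory=person)(objectClass=contact))(objectCategory=group)"
    "(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList) )))"
    "(objectCategory=user)(givenName=K*)))"
)
ADDRESS_LIST_DN = ("CN=My List,CN=All Address Lists,CN=Address Lists Container,"
                   "CN=Organization,CN=Microsoft Exchange,CN=Services,"
                   "CN=Configuration,DC=Organization,DC=com")
ADDRESS_LISTS = {ADDRESS_LIST_DN.lower(): PURPORTED_SEARCH}

# Active Directory resolves a class name in an objectCategory filter to that
# class's defaultObjectCategory; both user and contact map to Person.
DEFAULT_OBJECT_CATEGORY = {"user": "person", "contact": "person"}


def parse_filter(text, i=0):
    """Parse one filter starting at text[i]; return (node, index after it)."""
    while text[i].isspace():
        i += 1
    if text[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    while text[i].isspace():
        i += 1
    op = text[i]
    if op in "&|":
        i, children = i + 1, []
        while True:
            while text[i].isspace():
                i += 1
            if text[i] == ")":
                return (op, children), i + 1
            child, i = parse_filter(text, i)
            children.append(child)
    if op == "!":
        child, i = parse_filter(text, i + 1)
        while text[i].isspace():
            i += 1
        if text[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return ("!", child), i + 1
    end = text.index(")", i)  # simple item: attr=value (no ')' in values here)
    attr, _, value = text[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry, case-insensitively."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    stored = entry.get(attr)
    if stored is None:
        return False  # absent attribute never matches, not even a presence test
    if attr == "objectcategory":
        value = DEFAULT_OBJECT_CATEGORY.get(value.lower(), value)
    values = stored if isinstance(stored, list) else [stored]
    if value == "*":
        return True
    if value.endswith("*"):
        return any(v.lower().startswith(value[:-1].lower()) for v in values)
    return any(v.lower() == value.lower() for v in values)


def in_subtree(dn, base_dn):
    """True if dn is base_dn itself or lies anywhere beneath it."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def owa_visible(query_base_dn, directory=DIRECTORY, address_lists=ADDRESS_LISTS):
    """Return the DNs an OWA user with this msExchQueryBaseDN could find.

    Assumption: for a container base DN the default OWA search is modelled
    as '(mailnickname=*)' within the subtree; for an address list DN the
    result set is the address list's PurportedSearch filter.
    """
    base = query_base_dn.lower()
    if base in address_lists:
        flt, _ = parse_filter(address_lists[base])
        return sorted(dn for dn, e in directory.items() if matches(flt, e))
    return sorted(dn for dn, e in directory.items()
                  if in_subtree(dn, base) and "mailnickname" in e)


if __name__ == "__main__":
    for base in ("DC=Organization,DC=com",
                 "OU=Department,OU=Division,DC=Organization,DC=com",
                 ADDRESS_LIST_DN):
        print(f"msExchQueryBaseDN = {base}")
        for dn in owa_visible(base):
            print("   ", dn)
```

Running the script prints, for each of the three base DNs, the set of objects an OWA user would be able to resolve: the whole domain shows every mail-enabled object, the Department OU shows only that OU and the TeamA OU nested under it, and the address list DN shows only the "K" users the PurportedSearch filter selects, regardless of which OU they sit in. Checking the intended scope this way before editing the attribute with ADSI Edit helps confirm that the setting exposes no more of the directory than intended.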


Modification Type: Major
Last Reviewed: 7/12/2006
Keywords:kbfix kbBug kbinfo KB817218