Using ADSIEdit - A Real World Example


In this third follow-up to my earlier post “Top 5 Tools an Exchange Administrator should not be without!”, I will show you how to use ADSIEdit to modify the LDAP search filter of the Default Global Address List (GAL).

If you have ever tried creating or modifying a GAL in Exchange System Manager, you will have noticed that every entry in the condition list is combined with an AND operator. A GAL whose conditions need an OR or a NOT operator cannot be built there. It is possible, however, if you use ADSIEdit to edit the purportedSearch attribute of the GAL object and replace the existing filter with a custom LDAP search filter.

In some Exchange deployments it may be necessary to modify the default GAL, or to configure additional GALs for the departments or organizations you provide email services for. Doing so may require the NOT (!) or OR (|) operators, which broaden the range of Address Lists you can create. For instance, it might be a requirement that users belonging to an organization you host Exchange services for are not listed in the Default GAL, but instead appear in a GAL created specifically for that organization.

Before we begin I want to warn you about the dangers of modifying the LDAP search filter for the Default GAL. When you configure Outlook to connect to a mailbox, Outlook checks for the existence of the mailbox via a GAL (normally the Default GAL). If you modify the LDAP search filter on the Default GAL and do not create an alternate GAL whose LDAP search filter contains the users excluded from the Default GAL, Outlook cannot be configured for those users. I strongly encourage everyone to fully develop and test all GAL LDAP search filters in a test lab before deploying them into a production environment.

To start, if you intend to run ADSIEdit from Windows XP you will need to extract adsiedit.dll from the Support Tools cab file located in the Support folder on the Windows XP Pro CD. Once it is extracted, open a command prompt, CD into the directory where you extracted the .dll and run the following command:

regsvr32 adsiedit.dll

This will register the adsiedit.dll file making ADSIEdit available to add as a snap-in from the Microsoft Management Console (MMC) window.

Now open the MMC as follows:
Start | Run | MMC, then press Enter.
From the MMC go to File and select “Add/Remove Snap-in”, click Add, then add the ADSI Edit snap-in.

Right-click the “ADSI Edit” item in the MMC window and select “Connect to”.
The window shown in Figure 1 will be displayed. Under the Connection Point section, check the “Select a well known Naming Context” radio button and select the “Configuration” Naming Context from the drop-down box. Then click OK.


Figure 1 “The Connection settings window”

Now that you are connected to the Configuration NC, navigate down to the location where your Default GAL resides. See Figure 2.


Figure 2 “The ADSIEdit main window”

If for some reason you cannot see the graphic the full path is:

Configuration
  CN=Configuration,DC=……..
    CN=Services
      CN=Microsoft Exchange
        CN=YourExchangeOrgName
          CN=Address Lists Container
            CN=All Global Address Lists
              CN=Default Global Address List

Now right-click the object CN=Default Global Address List and select Properties. You will see the window shown in Figure 3 below.


Figure 3 “Properties of the Default GAL”

Navigate to the attribute purportedSearch and double-click it. The string displayed in the string attribute editor is the LDAP search filter for the Default GAL. This is what you need to change so that the Default GAL excludes a sub-set of users.

The out of the box LDAP search filter for the Default GAL is as follows:

(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList) ))

The logical operators that you can use in your LDAP query are:

Operator   Description
=          Equals
&          AND
!          NOT
|          OR

Below is an example of a modified LDAP search filter for the Default GAL that excludes any AD object whose custom attribute extensionAttribute1 is populated with the string “CompanyName”:

(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList))(!(extensionAttribute1=CompanyName)))

The custom attribute extensionAttribute1 is found on most object types within ADUC. For the above query to work you will need to ensure this attribute is populated on all objects (mailbox- and mail-enabled accounts, contacts, groups, public folders) that you do not want displayed in the Default GAL; the populated attribute is shown in Figure 4 below. To find this attribute on a user account, go to the Exchange Advanced tab and click Custom Attributes.

If you want to bulk apply this attribute to multiple objects in Active Directory, I recommend using ADModify for the task. For new users, create a template account in ADUC and copy from it whenever you create a new account. See my previous post on using ADModify.


Figure 4 “The ADUC Custom Attributes Window”

To develop your own LDAP search filter I recommend using the Custom Search feature within ADUC to see how your search filter applies and which objects it finds. See Figure 5 below for the Custom Search feature of ADUC; you reach it through Find within ADUC.


Figure 5 “The Custom Search feature in ADUC”

Create a GAL for objects excluded from the Default GAL

Now that you have excluded a subset of objects from your Default GAL, you need to create a new GAL containing these excluded objects so that their mailboxes can be found when setting up Microsoft Outlook clients. Because of the issues described above, I actually recommend creating this GAL before modifying the LDAP search filter of the Default GAL.

Below is the LDAP search filter I created. Once it is copied into the purportedSearch attribute of the new GAL, only objects whose custom attribute extensionAttribute1 is populated with the string CompanyName will be included in this GAL.

(& (mailnickname=*)(&(objectCategory=*)(extensionAttribute1=CompanyName))(| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

To create this GAL, go into Exchange System Manager (ESM) and navigate to Recipients | All Global Address Lists.

Right-click, select Global Address List, give the GAL a name, then click Finish.

Now open ADSIEdit again, connect to the Configuration NC and navigate to the newly created GAL. Right-click it and select Properties. In the attribute list scroll down to the purportedSearch attribute and click Edit, then paste the new LDAP query you created into the value field.
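The two filters above only do their job if every mail-enabled object lands in exactly one of them, which is the point of the warning earlier. As an added example (my own Python, not code from the original post or from Microsoft), the block below parses purportedSearch-style filters and evaluates both GAL filters against a few constructed objects so the split can be checked offline before anything is pasted into ADSIEdit; attribute names are lower-cased and objectCategory is shortened to its class name, both assumptions of the example.

```python
# Added example (not from the original post): evaluate purportedSearch-style LDAP filters offline.
def parse(s, i=0):
    """Parse the filter starting at s[i]; return (node, index just past it)."""
    i += len(s[i:]) - len(s[i:].lstrip(" "))            # tolerate the spaces AD accepts
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                                    # compound: (&...), (|...), (!...)
        op, kids, i = s[i], [], i + 1
        while True:
            i += len(s[i:]) - len(s[i:].lstrip(" "))
            if s[i] == ")":
                return (op, kids), i + 1
            kid, i = parse(s, i)
            kids.append(kid)
    j = s.index(")", i)                                  # simple item: (attribute=value)
    attr, value = s[i:j].split("=", 1)
    return ("=", attr.strip().lower(), value.strip()), j + 1

def matches(node, obj):
    """Evaluate a parsed filter against {attribute: [values]}; AD matching is case-insensitive."""
    op = node[0]
    if op == "&":
        return all(matches(k, obj) for k in node[1])
    if op == "|":
        return any(matches(k, obj) for k in node[1])
    if op == "!":
        return not matches(node[1][0], obj)
    values = [v.lower() for v in obj.get(node[1], [])]
    return bool(values) if node[2] == "*" else node[2].lower() in values

# The two filters from the post (the company GAL filter with the "&" its second clause needs).
DEFAULT_GAL = "(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList))(!(extensionAttribute1=CompanyName)))"
COMPANY_GAL = "(& (mailnickname=*)(&(objectCategory=*)(extensionAttribute1=CompanyName))(| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))"
# Constructed sample objects keyed by lower-cased attribute name; objectCategory shortened to its class name.
OBJECTS = {
    "alice (hosted mailbox)": {"mailnickname": ["alice"], "objectcategory": ["person"], "objectclass": ["user"], "homemdb": ["CN=Mailbox Store (SRV1)"], "extensionattribute1": ["CompanyName"]},
    "bob (in-house mailbox)": {"mailnickname": ["bob"], "objectcategory": ["person"], "objectclass": ["user"], "homemdb": ["CN=Mailbox Store (SRV1)"]},
    "sales (mail-enabled group)": {"mailnickname": ["sales"], "objectcategory": ["group"]},
    "svc-account (not mail-enabled)": {"objectcategory": ["person"], "objectclass": ["user"]},
}
def gal_membership(objects=OBJECTS):
    """Return {name: (in_default_gal, in_company_gal)} for every object."""
    default, company = parse(DEFAULT_GAL)[0], parse(COMPANY_GAL)[0]
    return {n: (matches(default, o), matches(company, o)) for n, o in objects.items()}
def uncovered(objects=OBJECTS):
    """Mail-enabled objects in neither GAL: Outlook could not resolve these mailboxes."""
    return [n for n, (d, c) in gal_membership(objects).items()
            if objects[n].get("mailnickname") and not (d or c)]
```

Run `uncovered()` against an export of your own recipients before changing the Default GAL; any name it returns is a mailbox Outlook will not be able to find.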

 


Published Tuesday, August 09, 2005 7:00 AM by Ben Hoffman
