cancel
Showing results for 
Search instead for 
Did you mean: 

Exchange 2010 SP2 - Address Book Policies and Enterprise Vault

KarlW
Level 6
Employee

Microsoft has recently announced the release of Exchange 2010 SP2, SP2 brings with it a handful of new features including Address Book Policies.  Address Book Policies replace the need to use one of the varying methods of GAL segmentation.  This allows the Exchange administrator to easily apply policies to a user; controlling the address lists a user can see (known as an Address Book Policy or ABP).

With an Address Book Policy configured against the user they can only browse address book entries that have been granted via the policy.  For example, where a distribution list includes addresses outside of the address book policy these details will be omitted from view.

Exchange 2010 SP2 Release details:

http://blogs.technet.com/b/exchange/archive/2011/12/05/released-exchange-server-2010-sp2.aspx

Exchange 2010 SP2 Understanding Address Book Policies:

http://technet.microsoft.com/en-us/library/hh529948.aspx

Why am I telling you this?

Answer the following questions:

  1. You use Enterprise Vault Journaling
  2. You use Exchange 2010
  3. Your Journal policy has Expand distribution lists set to On
  4. You haven't completed the additional configuration steps as per http://www.symantec.com/docs/TECH154813.

If you tick all the boxes for the above then you need to ensure the Vault Service Account (or the account the journal task is running under) is not governed by an Address Book Policy.

You can do this by running the following command from Exchange Management Shell.

get-mailbox -Identity example\ev-arch | ft Name, AddressBookPolicy 

 

This shows my mailbox has an address book policy applied.  To remove the policy run the following command:

set-mailbox -Identity example\ev-arch -AddressBookPolicy $null 

 

Re-running the get-mailbox command we can see the policy has now been removed from the mailbox:

get-mailbox -Identity example\ev-arch | ft Name, AddressBookPolicy 

 

 

Does it matter if the account is governed by an Address Book Policy?

If you do have an Address Book Policy applied to the account then when the task expands a distribution list it may not contain all the recipients that received the email.

To ensure the issue does not happen you have two options:

  1. Apply the configuration details as per TECH154813.
  2. Remove any Address Book Policy setting from the account running the journal task (see the example above).

If choosing option 2 ensure you have at least read the Tech Note 154813 and are happy that the impact of hidden users or distribution lists will not impact your environment.

Example scenario:

Here I'm going to work through a sample scenario, creating address lists and address book policies and demonstrating how this can impact the EV service account.  To do this I have created a simple Exchange organization 'Example.com' and within this there are two smaller 'organizations', the Corporate users (@example.com) and the non-profit organization (@example.org).  The two organizations have their own Global Address List which only allows users to see other users within the same organization.

Following Microsoft's example (http://technet.microsoft.com/en-us/library/hh529948.aspx) I created address lists,  a global address list, an offline address book and address book policy for each organization.

The following shows the commands used to create these lists and policies for the Non-Profit organization:

 New-addresslist -Name 'AL_Non-profit_Users_DGs' -RecipientFilter {((RecipientType -eq 'UserMailbox') -or (RecipientType -eq 'MailUniversalDistributionGroup') -or (RecipientType -eq 'DynamicDistributionGroup')) -and (CustomAttribute1 -eq 'Example.org')}


New-addresslist -Name 'AL_Non-profit_Rooms' -RecipientFilter {(Alias -ne $null) -and(CustomAttribute1 -eq 'Example.org') -and (RecipientDisplayType -eq 'ConferenceRoomMailbox') -or (RecipientDisplayType -eq 'SyncedConferenceRoomMailbox')}


New-GlobalAddressList -Name 'GAL_Non-Profit' -RecipientFilter {(CustomAttribute1 -eq 'Example.org')}


New-OfflineAddressBook -Name 'OAB_Non-Profit' -AddressLists 'GAL_Non-Profit'


New-AddressBookPolicy -Name 'ABP_Non-Profit' -AddressLists 'AL_Non-Profit_Users_DGs' -OfflineAddressBook '\OAB_Non-Profit' -GlobalAddressList 'GAL_Non-Profit' -RoomList '\AL_Non-Profit_Rooms' 

 

I then applied the Address Book Policy to the users:

 

Get-mailbox | where {$_.CustomAttribute1 -eq 'Example.org'} | set-mailbox -AddressBookPolicy 'ABP_Non-Profit' 

 

I repeated the same again for the Corporate users.  So I now have two sets of distinct users in Exchange/AD that through the address book cannot see each other.  As you can see I've used CustomAttribute1 to distinguish users and distribution groups between the two organizations.

During configuration and creation the administrator has set CustomAttribute1 on my Enterprise Vault account (I like to break out VSA from the Exchange task account) to 'Example.org' and as such has been applied the Address Book Policy 'ABP_Non-Profit'.

 

 

If we use OWA to view the address book we can see that this account has been limited to view users with 'Example.org' addresses only.  If we also look at the contents of the 'All Users' distribution group we can see only the inclusion of the 'All Users - Non-Profit' distribution group.

 

 

Consider the Enterprise Vault journaling task requesting the distribution group information - what do you think it would see?  That's correct it would see the same view as above.  Looks good, what could be missing?

Now if we remove the address book policy from the account and open the address book again we see users from both organizations.  More importantly if we open the 'All Users' distribution group we can see that it contains more than just the 'All Users - Non-Profit' distribution group.  Therefore previously the journaling task would not have recorded all the information from the distribution group.

 

 

Job done :)