Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

How to restrict OWA address searches to multiple organizational units



Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.



Summary

This article contains information about how to restrict Microsoft Outlook Web Access (OWA) address searches to more than one organizational unit. It discusses how you can limit the scope of searches that OWA performs to multiple organizational units or to specific address lists.



More information

In Outlook Web Access, you can view all address lists in Active Directory, regardless of the permissions that are set on the address list. To restrict access so that OWA users can only view the address lists that are contained in their own organizational unit, you can configure the msExchQueryBaseDN attribute for the OWA user by following the steps in the following Microsoft Knowledge Base article:
272197 How to restrict OWA address view searches
The procedure that is discussed in article 272197 restricts OWA address searches to a single organizational unit.

If organizational units use a nested structure, you can also limit the scope of searches that OWA performs to more than one organizational unit or to specific address lists. You can construct an address list as a query and use it to search a single organizational unit or multiple organizational units for addresses that meet certain criteria.

For example, consider a scenario where all the following conditions are true:
  • An Active Directory domain has the following organizational unit structure:
    DC=Organization,DC=com
    OU=Division,DC=Organization,DC=com
    OU=Department,OU=Division,DC=Organization,DC=com
    OU=TeamA,OU=Department,OU=Division,DC=Organization,DC=com
  • The following address list is created:
    CN=My List,CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Organization,DC=com
  • The address list has the following value for the PurportedSearch attribute:
    (&(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList) )))(objectCategory=user)(givenName=K*)))
    This value restricts the address list to all mail-enabled user objects in the organization whose givenName attribute starts with the letter "K".
As a result:
  • If you set the msExchQueryBaseDN attribute to DC=Organization,DC=com, the OWA user can search for mail-enabled objects in the subtree of DC=Organization,DC=com.
  • If you set the msExchQueryBaseDN attribute to OU=Department,OU=Division,DC=Organization,DC=com, the OWA user can search for mail-enabled objects in the subtree of OU=Department,OU=Division,DC=Organization,DC=com.
  • If you set the msExchQueryBaseDN attribute to the distinguished name of the address list that you created, the OWA user can search for mail-enabled objects. The search occurs in the result set of the PurportedSearch attribute as defined by the address list. For example, you can set the msExchQueryBaseDN attribute for every user to the following:
    CN=My List,CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Organization,DC=com
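
The three msExchQueryBaseDN cases above, modelled in Python as an added example (not Microsoft's code and not part of the original article). The directory entries are constructed, the helper names `person`, `parse`, `matches` and `visible` are hypothetical, and two things are assumptions of the model: "mail-enabled" is treated as "has a mailnickname value", and `objectCategory=user` is resolved to the Person category.

```python
import re
DOMAIN = "DC=Organization,DC=com"
DEPT = "OU=Department,OU=Division," + DOMAIN
MY_LIST = ("CN=My List,CN=All Address Lists,CN=Address Lists Container,CN=Organization,"
           "CN=Microsoft Exchange,CN=Services,CN=Configuration," + DOMAIN)
ADDRESS_LISTS = {MY_LIST: (  # PurportedSearch value quoted in the article
    "(&(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(!(homeMDB=*))"
    "(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)"
    "(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)"
    "(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList) )))"
    "(objectCategory=user)(givenName=K*)))")}

def person(given, parent, mail=True):  # hypothetical helper: builds one constructed entry
    attrs = {"objectcategory": ["person"], "objectclass": ["user"], "givenname": [given]}
    attrs.update({"mailnickname": [given.lower()], "homemdb": ["CN=Store"]} if mail else {})
    return "CN=%s,%s" % (given, parent), attrs

DIRECTORY = dict([  # constructed sample directory (not real data); Ken is not mail-enabled
    person("Kate", "OU=TeamA," + DEPT), person("Bob", DEPT), person("Ken", DEPT, mail=False),
    person("Karl", "OU=Division," + DOMAIN), person("Kim", "OU=Other," + DOMAIN)])

def parse(f, i=0):  # parse the filter component starting at f[i]; returns (node, next index)
    op = f[i + 1]
    if op in "&|!":
        kids, i = [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = f.index(")", i)
    attr, value = f[i + 1:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    value = "person" if (attr, value) == ("objectcategory", "user") else value  # assumed AD shorthand
    pattern = re.escape(value).replace(r"\*", ".*")  # "*" alone acts as a presence test
    return any(re.fullmatch(pattern, v, re.I) for v in entry.get(attr, []))

def visible(query_base_dn):  # model: what an OWA search can return for this msExchQueryBaseDN
    text = ADDRESS_LISTS.get(query_base_dn, "(mailnickname=*)")  # mail-enabled, by assumption
    tree, _ = parse(re.sub(r"\s*([()])\s*", r"\1", text))  # drop whitespace around parentheses
    base = "" if query_base_dn in ADDRESS_LISTS else "," + query_base_dn.lower()
    return sorted(dn.split(",")[0] for dn, e in DIRECTORY.items()
                  if dn.lower().endswith(base) and matches(tree, e))
```

An OU value scopes the search by position in the tree, while the address list value scopes it by the filter's result set, which here includes Karl and Kim even though they sit outside OU=Department.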



Keywords: KB817218, kbinfo, kbbug, kbfix


Article Info
Article ID : 817218
Revision : 4
Created on : 2/28/2007
Published on : 2/28/2007
Exists online : False