Tag Archives: GAL

Unable to hide a mailbox from the GAL? Reset RBAC roles.

ever get the feeling you’re being ignored? my customer did. They were unable to hide users from the GAL. We had a look to see what happened when they ran the PowerShell cmdlet:

Set-mailbox -identity -hiddenfromaddresslistsEnabled $true

Everything completed with no errors, but… the user is still there. let’s try that again, using the –v switch… this is on a test mailbox, in my lab.

[PS] C:\Windows\system32>Set-Mailbox caroline1 -hiddenfromaddresslistsenabled $true –v

VERBOSE: [07:16:52.353 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Read Address List for organization “” from
domain controller Exch2k10loner.exch2k10.local.

VERBOSE: [07:16:52.650 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Found Address List “\barry”.

VERBOSE: [07:16:52.665 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Remove Address List “\barry” to
AddressListMemberShip of the recipient.

VERBOSE: [07:16:53.991 GMT] Set-Mailbox : The properties changed on the object ‘caroline test’ (CN=caroline
test,CN=Users,DC=exch2k10,DC=local) are: “{ AddressListMembership[showInAddressBook]={ ‘\All Mailboxes(VLV)’, ‘\All
Recipients(VLV)’ }, HiddenFromAddressListsValue[msExchHideFromAddressLists]=$True,
ReadOnlyAddressListMembership[showInAddressBook]={ ‘\All Mailboxes(VLV)’, ‘\All Recipients(VLV)’ },
HiddenFromAddressListsEnabled[msExchHideFromAddressLists, msExchRecipientTypeDetails]=$True }”.
VERBOSE: [07:16:54.007 GMT] Set-Mailbox : Saving object “exch2k10.local/Users/caroline test” of type “ADUser” and state
“Changed”.

I’ve cut a lot out of there, but the lines we are interested in are highlighted. The address lists the user belongs to are found, and then removed from the AddressListMemberShip attribute of the recipient in AD.

When we look at the verbose output from the live system, we see that although the address lists are found, they are never removed from the AddressListMemberShip attribute:

[PS] C:\Windows\system32>Set-mailbox -identity brianbloke@customer.co.uk -hiddenfromaddresslistsEnabled $true –v

VERBOSE: [10:23:44.220 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Read Address List for organization “” from
domain controller customerLDC01.customer.co.uk.

VERBOSE: [10:23:44.236 GMT] Set-Mailbox : [Microsoft Cmdlet Extension Agent] Found Address List “\All Rooms”.

VERBOSE: [10:23:44.408 GMT] Set-Mailbox : The properties changed on the object ‘Brian bloke’ (CN=Brian
bloke,OU=some town,OU=someUsers,DC=customer,DC=co,DC=uk) are: “{
ExchangeUserAccountControl[msExchUserAccountControl]=’AccountDisabled’, AddressListMembership[showInAddressBook]={  },
PoliciesIncluded[msExchPoliciesIncluded]={  }, ReadOnlyAddressListMembership[showInAddressBook]={  },
ReadOnlyPoliciesIncluded[msExchPoliciesIncluded]={  } }”.

the last output shows that the cmdlet isn’t even trying to remove stuff.  this is pretty strange, but i recalled Bhargav’s RBAC sessions from the MCM course – specifically, how to reset everything… let’s make sure that the accounts have the correct role assignments and can do the things they should.

    1. Launch the Exchange Management Shell (EMS)
    2. Run “Add-PsSnapin Microsoft*” to load the snap-ins that you need to install RBAC
    3. Run the “Install-CannedRBACRoles” cmdlet to install the out-of-the-box RBAC roles that you’d expect to be defined for Exchange 2010 SP1.
    4. Run the “Install-CannedRBACRoleAssignments” cmdlet to install the out-of-the-box role assignments (that obviously depend on the roles that you’ve just installed).
    5. Close EMS
    6. Restart EMS to create a new session. During session initialization, Exchange will reload the roles and role assignments that are available to the user, so you should be able to retry the failed operation to see whether the reinstallation of the RBAC roles and role assignments has fixed the problem.
    so, my customer ran through that, restarted the EMS and hey presto! accounts are disappearing from the GAL all over the place. Cheers Bhargav!

My users don’t care what department their colleagues are in.

Or – how to hide columns from the GAL view in the outlook 2010 address book.

Just had an interesting call regarding the GAL in Exchange 2010 and Outlook 2010. I have a customer who doesn’t want users to know what department their colleagues are in. I don’t ask why. People baffle me sometimes. Can we do this? Yes we can. Have a look at this article in the knowledgebase. Yes, I know it’s for outlook 2007, but this sort of thing is so esoteric no-one can be bothered updating it for Outlook 2010. Will it work for outlook 2010? Yes it will.

First, open regedit and browse to HKCU\Software\Microsoft\Office\14.0\Outlook\Preferences, and create the ABHiddenColumns binary value key.


I’m not going through it, it’s exactly the same as in the KB article.

Right click the ABHiddenColumns key, select modify and type in the chosen value, as per the table in the KB article. So far, so much regurgitated content. The bit that is missing from the article is the value you need to remove the “Department” column. This can be found in the big book of MAPI stuff, volume eleventeen, “[MS-OXOAB]: Offline Address Book (OAB) Format and Schema Protocol Specification

02

Trouble is, that value is bigendian, and it needs to be little-endian. Or possibly the other way around. Whatever, you need to reverse the order of the octets and lose the leading 0x. so 0x3A18001F becomes 1F00183A. Add it to the 0#000000 that the article talks about (where # is the number of values you want to hide; in this case “1”) and you get 010000001F00183A. Just type that string in; no need to format it or add spaces or anything else, regedit takes care of all the magic.

03

Click “OK”, restart outlook and hey presto! this:

04

Becomes this:

05

“Department” is gone. This works in cached mode and online mode. So… what have I told you that’s new? not a lot. It works for outlook 2010, and there’s a way to get rid of a column that they strangely miss in the article. How do you apply it to 30,000 users? Group policy, my friend. How do you get rid of it in OWA? Custom html page, would be my guess. I’ve not done it, but that’s where I’d start.