Securing Exchange Server by Controlling Object Visibility - Part 2
Published date: Thu, 2006-10-12 12:03
Author: Nicolas Blank
How is this possible? When a user is mail- or mailbox-enabled, ADUC (Active Directory Users and Computers) presents a number of options, such as the default mailbox store or Administrative Group. However, what if users' mailboxes should not be placed in certain stores, such as VIP mailbox stores, or the available mailbox store choices don't suit the geography? Example: a Dallas user can be mailbox-enabled by the local administrator using only the Mailbox Store on the Dallas Exchange server, while the Los Angeles and New York stores aren't listed as options. In larger organizations, choices may be restricted by region, by department or even politically, so that the VIP Storage Groups are invisible to normal administrators. In this article we're going to look at limiting those choices by hiding mailbox stores from view.
To demonstrate this I have created two extra databases as shown. Note the VIP Mailbox Store.

Further to this I have assigned an extra ACE (access control entry) against the helpdesk on the VIP Mailbox Store as follows:
Helpdesk DENY Read

Here's how to do this. Right-click the mailbox store you wish to hide, click Properties, then Security, then Advanced, click Add, and find and add the desired users or groups. Then choose Deny for the Read permission. Clicking OK closes the view and displays the new ACE we just added.
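The same Deny Read ACE can be applied by script rather than through the GUI. The following PowerShell is an added example and not code from the original article; the server, organization and domain names in the distinguished name are placeholders, and the saved SDDL gives you a documented rollback point before the ACL is touched.

```powershell
# Added example (not from the original article): add a "Deny Read" ACE for the
# Helpdesk group on a mailbox store object, saving the current ACL first for rollback.
# The distinguished name and domain below are placeholders; adjust them to your forest.
$storeDN = 'CN=VIP Mailbox Store,CN=First Storage Group,CN=InformationStore,CN=EXCH01,' +
           'CN=Servers,CN=First Administrative Group,CN=Administrative Groups,' +
           'CN=Contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com'
$group   = New-Object System.Security.Principal.NTAccount('CONTOSO', 'Helpdesk')

$store = [ADSI]"LDAP://$storeDN"
$acl   = $store.psbase.ObjectSecurity

# Document the current security descriptor (SDDL) so the change can be rolled back.
$backup = "$env:TEMP\VIPMailboxStore-before.sddl"
$acl.GetSecurityDescriptorSddlForm('All') | Set-Content -Path $backup

# GenericRead corresponds to the GUI's "Read": list contents, read all properties,
# read permissions. A Deny ACE is evaluated before any Allow the group inherits.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl.AddAccessRule($rule)
$store.psbase.CommitChanges()

# Verify: list the ACEs that now apply to the Helpdesk group on this object.
$store.psbase.RefreshCache()
$store.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference -eq $group } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited -AutoSize

# Rollback (when needed): restore the saved descriptor and commit it.
# $acl.SetSecurityDescriptorSddlForm((Get-Content $backup), 'All'); $store.psbase.CommitChanges()
```

Run it as an account with permission to modify the store object's security descriptor, and check the resulting ACE list in ESM afterwards to confirm it matches what the GUI shows.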
Let's look at the effect in Active Directory Users and Computers. The first view is the view as seen by a user with no restrictions:
When I log in as the Helpdesk user and view the list of available Mailbox Stores, I see the Mailbox Store list minus the VIP store, as desired.
Opening Exchange System Manager as the Helpdesk user reveals the added benefit of hiding the VIP store object in this utility as well. Mailbox Stores are not the only object type that may be hidden from view in either Active Directory Users and Computers or Exchange System Manager. Administrative Groups, Routing Groups, etc. may all be hidden from view to provide a simplified administrative view, or a limited view while manipulating the possible values of a user's Exchange attributes.

Summary
Editing the ACL (Access Control List) on the Mailbox Store object can also be done using ADSIEDIT or a third-party utility or script. I prefer using third-party tools for their obvious benefits. Testing, documenting and providing rollback play an important part in modifying permissions in Active Directory. As mentioned previously, editing at this level without thoroughly understanding the effects can be dangerous. I suggest proving functionality in a lab first, documenting it, and using a trusted, repeatable method such as a script or utility to roll it out.
As originally published on outlookexchange.org
About Nicolas Blank
Nicolas Blank - Operations Director, Credo Technical Services
Nicolas Blank is a Microsoft Infrastructure Architect and Operations Director for Credo Technical Services in South Africa and specializes in Exchange, Active Directory, architecture, systems management, migration and scripting. Nicolas is a Microsoft MVP for Exchange and spends what spare time he has writing, blogging and talking about Exchange and associated technologies. www.credotech.co.za