09-11-2008 11:43 PM
I am looking to perform a GAL segregation based on MS best practices and an article on msexchangeorg.
The environment is two domains within the one forest. We want to achieve the following:
User in Domain A can only see users in Domain A and no users in Domain B
User in Domain B can only see users in Domain B and no users in Domain A
The problem is I can't find any articles that reference how BlackBerry will cope with this and if it will break lookups and activations...
The BES 4.1.6 server is in Domain A. Only users in Domain A will have BES Accounts and need to look up Domain A users. The trouble is I need to know if hiding and removing permissions on the default GAL will break the BlackBerry lookups/activations. We are running Exchange 2007 and will be removing the default permissions on the default GAL and creating two new address lists with custom permissions based on the user's domain.
Also, which account does the lookups/activations? Is it the BES admin account?
Thanks in advance, if any more information is required please let me know.
09-12-2008 04:42 PM
BES uses 1 GAL and one GAL only. The largest GAL that the account accessing the GAL is a member of that it has permissions to access.
If you split GALs your BES will use 1 and only 1.
So I guess the best thing to do would be to leave the BESAdmin account with access to the default GAL (or some other GAL that contains all users). You can then use the registry key for hosted BES implementations so that when users perform lookups the lookup will run in the context of their user account so they'll only see people in their GAL.
Still, I don't get why you're doing this.
09-15-2008 12:50 AM
Many thanks for the reply.
From all the documents I have looked at I would be removing access to the default GAL for all users so that there is no chance that a user in Domain A could see a user in Domain B and vice versa.
We only need the BES to look up one GAL anyway, so that's not a problem and it will be the larger of the two. It's more about how do I specify the BES server and BES handhelds to look at this new GAL.
09-15-2008 08:57 AM
There is no reason to remove all access from the default GAL. Sure remove access to everyone / etc, but then explicitly grant access to the BESAdmin account.
You don't specify it ... AD specifies it for you based on the account performing the lookup.
09-28-2008 10:13 PM
Thanks Andy, appreciate your help with this.
So what did you end up doing?