Before you can start to follow the Exchange 2007 Address List Segregation white paper (http://technet.microsoft.com/en-us/exchange/bb936719.aspx) or revert from Address List Segregation, you must prepare your organization. Here is a small checklist of things to look at before you start:
1. Have you followed any other KB articles or white papers to set up self hosting?
If the answer is yes, you will need to undo everything you did so that your Exchange organization is back in a normal state. If you do not, and you try to follow the Exchange 2007 Address List Segregation white paper, you will get mixed results, and this will most likely end in a support call.
2. Have you changed any of the default permissions on the address list or global address lists?
If the answer is yes, you will also need to revert these to the installation defaults, and there is no way around it.
The way to do this is with a tool called DSACLS. Dsacls.exe can be used to manage access control lists (ACLs) for directory services in Microsoft Windows Server 2003 and Microsoft Windows 2000 Server.
Dsacls.exe is included with the Windows Support Tools. To install the Support Tools, run Setup.exe from the Support\Tools folder on the Windows Server 2003 or Windows 2000 Server CD-ROM.
Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services.
WARNING: Changing the permissions from the default installed settings can cause your Exchange organization to become unusable.
If you have broken permissions or have added a Deny and you can no longer see an object, you will need to grant your admin account rights using DSACLS.
Example: DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com" /N /G domain\administrator:RP
By using the /N switch you are replacing the current access on the object instead of editing it. By using the /G switch you are granting the specified group (or user) the specified permissions.
From here you will be able to view this object in ADSIEdit with your administrator account. This will allow you to check inheritance back on and/or add any other groups. It is recommended that you run the following to replace all of the permissions with the schema defaults, setting the object back to its default settings:
DSACLS "CN=All Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com" /S /N
This will need to be done for the following containers in order to reset the permissions:
You might additionally need to reset the permissions for these containers as well
Once you have reset the following containers all objects should have the following permissions:
CN=Address Lists Container and CN=Offline Address Lists Container
Authenticated Users: Special Permissions: List Contents
CN=Default Global Address List Permissions
Authenticated Users: Read and Open Address List
All Global Address List permissions should be as follows:
Authenticated Users Allow ACEs - "Read", "Open Address List", "List Contents"
Exchange Servers Allow ACEs - "Read", "Open Address List"
SYSTEM Allow ACEs - "Read", "Write", "Create All Child Objects", "Delete All Child Objects", "Open Address List"
If you are using Exchange 2007 you can use the Exchange 2007 Scripting Console.
1. First you need to set the container by typing the following: $container = "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com"
2. You need to add the access rights for the Authenticated Users by running the following command: Add-ADPermission $container -User "Authenticated Users" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book
Once you run this command you will see the following output listed below:
Identity              User                        Deny   Rights
\Default Global A...  Domain\Authenticated Users  False  Open-Address-Book
\Default Global A...  Domain\Authenticated        False  ReadProperty
\Default Global A...  Domain\Authenticated        False  ListObject, GenericExecute
\Default Global A...  Domain\Authenticated        False  ListChildren
Once this has been done you should then be ready to follow the white paper to begin segregating your company.
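To confirm the reset took effect before you start segregating, the following added example (not part of the original article or the white paper) reads the ACL on the Default Global Address List with Get-ADPermission, reports any Deny ACEs, and checks that Authenticated Users holds the rights listed above. It assumes the article's placeholder domain DC=company,DC=com and that the account name ends in "\Authenticated Users", as in the output above.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell.
# DC=company,DC=com is the article's placeholder domain; substitute your own.
$container = "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com"

# Make sure the ActiveDirectoryRights enum is available for the bit test below.
[void][Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")
$needAccess   = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead  # includes ListChildren
$needExtended = "Open-Address-Book"

$aces = @(Get-ADPermission -Identity $container)

# 1. Report every Deny ACE: an added Deny is what hides the object from administrators.
$deny = @($aces | Where-Object { $_.Deny })
foreach ($ace in $deny) {
    Write-Warning ("Deny ACE for {0} (inherited: {1})" -f $ace.User, $ace.IsInherited)
}

# 2. Collect what Authenticated Users is allowed, across all of its Allow ACEs.
#    Assumption: the account name ends in "\Authenticated Users".
$allow = @($aces | Where-Object { -not $_.Deny -and "$($_.User)" -like "*\Authenticated Users" })
$granted  = 0
$extended = @()
foreach ($ace in $allow) {
    if ($ace.AccessRights)   { foreach ($right in $ace.AccessRights)   { $granted = $granted -bor [int]$right } }
    if ($ace.ExtendedRights) { foreach ($ext   in $ace.ExtendedRights) { $extended += "$ext" } }
}

# 3. Compare with the defaults listed in the article.
$missing = @()
if (($granted -band $needAccess) -ne $needAccess) { $missing += "Read / List Contents" }
if ($extended -notcontains $needExtended)         { $missing += "Open Address List" }

if ($deny.Count -eq 0 -and $missing.Count -eq 0) {
    Write-Host "OK: no Deny ACEs; Authenticated Users has Read, List Contents and Open Address List"
} else {
    Write-Host ("Review needed. Deny ACEs: {0}. Missing for Authenticated Users: {1}" -f $deny.Count, [string]::Join(", ", $missing))
}
```

The script only reads the ACL; it changes nothing, so it can be run before and after the DSACLS reset to compare results.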