
Friday, 20 February 2015

Deploying Address Book Policies

This post covers deploying Address Book Policies (hereafter ABP) in Exchange 2013, from both an Admin point of view and a User point of view. To help illustrate how an ABP works, in my home lab we’ll take two of the world’s favourite cartoon families, “The Simpsons” and “the Griffins”.


The Basics

Each ABP must contain at least one of the following:
  • Address List (AL)
  • Offline Address Book (OAB)
  • Global Address List (GAL)
  • Room Address List (RAL)

    Plan, Plan, Plan…

    It’s important that you plan your deployment of ABPs, as there are a number of different elements that can cause an ABP not to function the way you envision.

    Address Book Policy Routing agent… (Optional)

    The ABP routing agent allows complete separation of users based on their ABP. From TechNet: https://technet.microsoft.com/en-us/library/jj657455(v=exchg.150).aspx
    If you’re using ABPs, and you don’t want users in separate virtual organizations to view each other’s potentially private information, you can turn on the Address Book Policy Routing agent. The Address Book Policy Routing agent is a Transport agent that runs on the Mailbox server that controls how recipients are resolved in the organization. When the Address Book Policy Routing Agent is installed and configured, users that are assigned different GALs appear as external recipients in that they can’t view external recipients’ contact cards.

    What this means to a user is shown in the following screenshots:
    Without the routing agent configured

    Using an Outlook client you can see the “Display Name” has resolved once the SMTP address has been entered, and when you right click and select “Open Outlook Properties” it displays the information from Active Directory. In OWA the experience is a little different.

    You can see the SMTP name has resolved to the “Display Name”, but no additional details are shown in the contact.

    With the routing agent configured

    Using an Outlook client you can see the “Display Name” has not resolved once the SMTP address has been entered, and when you right click and select “Open Outlook Properties” it displays only the SMTP details. In OWA the experience is a little different.

    You can see the SMTP name has not resolved; however, the user image still appears.

    NOTE: The OWA behaviour may be specific to my lab environment; I couldn’t get it to change, and will do further troubleshooting and update accordingly.

    How to install the ABP Routing agent

    Run the following steps to install the ABP Routing agent:
    1. Open the Exchange Management Shell (EMS) as Administrator
    2. Run the following command to install the agent

      Install-TransportAgent -Name "ABP Routing Agent" -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.AddressBookPolicyRoutingAgent.AddressBookPolicyRoutingAgentFactory" -AssemblyPath $env:ExchangeInstallPath\TransportRoles\agents\AddressBookPolicyRoutingAgent\Microsoft.Exchange.Transport.Agent.AddressBookPolicyRoutingAgent.dll

    3. Run the following command to enable the transport agent

      Enable-TransportAgent "ABP Routing Agent"

    4. Restart the transport service so the new agent is loaded

      Restart-Service MSExchangeTransport

    5. Run the following command to enable ABP routing at the organisation level

      Set-TransportConfig -AddressBookPolicyRoutingEnabled $true

    Divide your Organisation

    This is where you separate your Exchange objects into groups; these may be separate companies, departments, or regions. From TechNet: https://technet.microsoft.com/en-us/library/jj657455(v=exchg.150).aspx
    You'll need to develop a way to divide your organizations. We recommend using the CustomAttribute1-15 property on the mailboxes, contacts, and groups instead of the pre-canned conditional attributes such as Company, Department, or StateOrProvince to divide the virtual organizations for the following reasons:
    • Not all recipient types of objects have precanned conditional attributes in Active Directory. For example, Distribution Group and Dynamic Distribution Group do not support company, department, or state attributes.
    • Not all precanned conditional attributes are exposed in cmdlets for some recipients. For example, the Company, Department, and StateOrProvince parameters are not exposed in cmdlets for mail users, contacts, distribution groups, and mail-enabled public folders.
    • Multiple cmdlets are required to segregate recipients when you use the pre-canned conditional attributes. For example, you need to run Set-User to tag Company, Department, StateOrProvince for a UserMailbox after you run the New-Mailbox or Set-Mailbox cmdlets.
    • The CustomAttributeX parameters are all exposed in the Set-* cmdlet for each recipient type, so you can complete all segregation for that type via a single Set-* cmdlet.
    • CustomAttributeX attributes are explicitly reserved for customization of an organization and are entirely under the control of the organization administrators.

    Note: From experience working on a number of different environments I find that “CustomAttribute1-15” are normally the best fit; however, it’s worth noting that these attributes are also commonly used in Email Address Policies, so check that the attribute you pick is not already being used for another purpose.

    Create Address Lists, Global Address Lists, and Offline Address Lists

    At the start of the post I said that each ABP requires at least one AL, GAL, OAB, and RAL. Here I find that a good naming convention helps with any design; however, I’ll also highlight a couple of areas where I find naming to be an issue and how to address them.
    For this demonstration I’m keeping it fairly simple and just separating the two groups of users, “The Simpsons” and “Family Guy”. For this reason I’ve used the “Company” field in the following PowerShell; as explained earlier, this may not be the best fit. Some of the following steps can be performed in the Exchange Admin Console (EAC); I’ll indicate where you can’t use the EAC.

    Address Lists

    I’ve formatted the name of the address list as “AL_The Company_Object”; obviously the middle section may change based on your separation. This gives me:

    • AL_The Simpsons_All Users
    • AL_Family Guy_All Users
    • AL_The Simpsons_All Rooms
    • AL_Family Guy_All Rooms

    To create these ALs, run the following commands in EMS:

    New-AddressList -Name 'AL_The Simpsons_All Users' -ConditionalCompany @('The Simpsons') -IncludedRecipients 'MailboxUsers'
    New-AddressList -Name 'AL_Family Guy_All Users' -ConditionalCompany @('Family Guy') -IncludedRecipients 'MailboxUsers'
    You will also need a RAL. These are just ALs with a RecipientType filter applied to the list (this type of filter cannot be applied in the EAC). To create these ALs, run the following commands in EMS:
    New-AddressList -Name 'AL_The Simpsons_All Rooms' -RecipientFilter {(RecipientDisplayType -eq 'ConferenceRoomMailbox') -and (Company -eq 'The Simpsons')}
    New-AddressList -Name 'AL_Family Guy_All Rooms' -RecipientFilter {(RecipientDisplayType -eq 'ConferenceRoomMailbox') -and (Company -eq 'Family Guy')}
    If you don’t use “Room Mailboxes” in your organisation you can use the default Room AL, or create a blank AL that will not be populated with any objects:
    New-AddressList -Name AL_BlankRoom -RecipientFilter {(Alias -ne $null) -and (RecipientDisplayType -eq 'ConferenceRoomMailbox')}

    This creates the necessary ALs and RALs for each ABP, but I would just highlight a functionality point here. This is not an Exchange Admin point but one from the user’s point of view, and how I address it. By running the previous commands you get the following in the EAC:

    However, the user will see the name used during creation of the AL:

    This can easily be updated, but this is where the EAC is not always great: the EAC displays the “DisplayName” and not the “Name”, so when you update the lists to be “All Users” etc. you get this:

    However, EMS gives you this:

    This does, however, mean you get happy users ;-)

    Global Address Lists

    I’ve formatted these similarly to the ALs, as “GAL_The Company”; obviously you may need to extend this based on your separation. This gives me:

    • GAL_The Simpsons
    • GAL_Family Guy

    NOTE: New GALs cannot be created in the EAC; these need to be created in EMS:

    New-GlobalAddressList -Name "GAL_The Simpsons" -IncludedRecipients MailboxUsers -ConditionalCompany "The Simpsons"
    New-GlobalAddressList -Name "GAL_Family Guy" -IncludedRecipients MailboxUsers -ConditionalCompany "Family Guy"


    Offline Address Books

    The last part before creating the ABP is to create an OAB. I’ve formatted these the same as the GALs, as “OAB_The Company”; obviously you may need to extend this based on your separation. This gives me:

    • OAB_The Simpsons
    • OAB_Family Guy

    NOTE: New OABs cannot be created in the EAC; these need to be created in EMS:

    New-OfflineAddressBook -Name "OAB_The Simpsons" -AddressLists '\AL_The Simpsons_All Users'
    New-OfflineAddressBook -Name "OAB_Family Guy" -AddressLists '\AL_Family Guy_All Users'


    Address Book Policies

    The final part is to put all the above together to create an ABP. ABPs cannot be created in the EAC; these need to be created in EMS:

    New-AddressBookPolicy -Name "The Simpsons" -GlobalAddressList "\GAL_The Simpsons" -AddressLists '\AL_The Simpsons_All Users' -OfflineAddressBook '\OAB_The Simpsons' -RoomList '\AL_The Simpsons_All Rooms'
    New-AddressBookPolicy -Name "Family Guy" -GlobalAddressList "\GAL_Family Guy" -AddressLists '\AL_Family Guy_All Users' -OfflineAddressBook '\OAB_Family Guy' -RoomList '\AL_Family Guy_All Rooms'


    Assign the ABPs to the Mailboxes

    This is where I eat my words about “Plan, Plan, Plan…”. Throughout this post I’ve filtered the lists based on “Company”; however, to then apply an ABP to a mailbox filtered by “Company” you can’t use the Get-Mailbox cmdlet, because Company is not a mailbox property. You can use another common filter, for example:

    Get-Mailbox -resultsize unlimited | where {$_.CustomAttribute15 -eq "Family Guy"} | Set-Mailbox -AddressBookPolicy "Family Guy"

    You can of course use the EAC and filter by Company, which uses the Get-Recipient filter, and then apply the ABP to your mailboxes.
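As an added example (not from the original post), the following EMS script tags each organisation’s mailboxes with CustomAttribute15 from their Company value, assigns the matching ABP, and then audits for gaps: a mailbox left without an ABP sees the full default GAL, which defeats the separation. It assumes the two ABPs named "The Simpsons" and "Family Guy" from this post already exist and that the organisation names match the Company values.

```powershell
# Added example: tag, assign and audit ABPs for the two virtual organisations.
# Assumes the ABPs "The Simpsons" and "Family Guy" from this post already exist.
$Orgs = @('The Simpsons', 'Family Guy')

foreach ($Org in $Orgs) {
    # Company is a User property, so filter with Get-User and tag the mailbox
    # with CustomAttribute15 in the same pass as assigning the ABP.
    Get-User -ResultSize Unlimited -Filter "Company -eq '$Org'" `
             -RecipientTypeDetails UserMailbox, RoomMailbox |
        ForEach-Object {
            Set-Mailbox -Identity $_.Identity -CustomAttribute15 $Org -AddressBookPolicy $Org
        }
}

# Audit 1: mailboxes tagged for an org but carrying a different (or no) ABP.
$Mismatched = foreach ($Org in $Orgs) {
    Get-Mailbox -ResultSize Unlimited -Filter "CustomAttribute15 -eq '$Org'" |
        Where-Object { $_.AddressBookPolicy.Name -ne $Org } |
        Select-Object DisplayName, CustomAttribute15, AddressBookPolicy
}

# Audit 2: any mailbox with no ABP at all falls back to the default GAL.
$Unassigned = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AddressBookPolicy } |
    Select-Object DisplayName, CustomAttribute15

# Audit 3: confirm the routing agent from earlier in the post is actually active.
$RoutingEnabled = (Get-TransportConfig).AddressBookPolicyRoutingEnabled
$AgentEnabled   = (Get-TransportAgent 'ABP Routing Agent' -ErrorAction SilentlyContinue).Enabled

Write-Host "Mismatched ABP assignments: $(@($Mismatched).Count)"
Write-Host "Mailboxes with no ABP:      $(@($Unassigned).Count)"
Write-Host "ABP routing enabled:        $RoutingEnabled (agent enabled: $AgentEnabled)"
$Mismatched | Format-Table -AutoSize
$Unassigned | Format-Table -AutoSize
```

Run the audit section again after any mailbox migration or bulk creation; new mailboxes are not assigned an ABP automatically, so they are the usual source of leaks between the virtual organisations.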

    I hope this helps someone in the future and saves them some time.

    Reference Links:

    Address book policies: https://technet.microsoft.com/en-us/library/hh529948(v=exchg.150).aspx
    Scenario: Deploying address book policies: https://technet.microsoft.com/en-us/library/jj657455(v=exchg.150).aspx
    Address book policy procedures: https://technet.microsoft.com/en-us/library/hh529916(v=exchg.150).aspx

    Disclaimer: All scripts and other PowerShell references on this blog are offered "as is" with no warranty.  While these scripts are tested and working in my test environment, it is recommended that you test these scripts in your own test environment before using in any production environment.
