Restricting permission to Address Book views in Exchange Server

Anyone with Microsoft Exchange Server Administrator permissions within an organization has the ability to create an Address Book view that can cause adverse affects within an entire organization. The Address Book view can be created from any Exchange Server computer or site within an organization. These Address Book views may cause each server's Exchange Server directory service to consume 100 percent of the CPU resources as the Address Book views are replicated to each server in the organization. This may cause the Exchange Server directory services to be inaccessible or a global address list to be unavailable.

Each Exchange Server computer builds the Address Book view based on Grouped by Attributes (GBA) that are replicated between sites and servers. If the Address Book views are poorly designed or are frequently changed, the server may use a large number of CPU cycles on the directory to regenerate these views. Any person with permissions for the site naming context has permissions to alter the Address Book view.

To resolve this problem, obtain the latest service pack for Exchange Server 5.5. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Microsoft has confirmed that this is a problem in Microsoft Exchange Server version 5.5. This problem was first corrected in Exchange Server 5.5 Service Pack 4.

When you apply this fix, a new heuristics bit is defined on the Address Book View container. Setting the heuristic bit to 1 blocks the inheritance of the permissions from the site container. After the change, which is replicated throughout the organization, only the permissions set explicitly on the Address Book View container are effective.

Warning The change in the permission model should not be implemented without proper planning and only after assigning permission Administrators explicitly on the Address Book View in every site.

To correctly handle the explicit permission on the Address Book Views, we stongly recommend that you use Admin Fix described in the following Microsoft Knowledge Base article: The fix that is described in this article ensures the following:

• The graphical user interface reflects the effective permissions
• With the Admin Fix it is not possible to remove the "Modify Permission" right from the last and only administrator and thus losing the ability to administer permissions of the Address Book Views within the site.
• A warning is received when removing the permission Admin role from the account which is currently logged on.
• A warning is received when removing the last account and thus removing the security from the object allowing anybody to modify it.

To enable the new heuristics bit:

WARNING: If you use the raw mode of the Exchange Server Administrator program (admin /r) incorrectly, serious problems may occur that may require you to reinstall Microsoft Windows NT Server, Microsoft Exchange Server, or both. Microsoft cannot guarantee that problems that result from using raw mode incorrectly can be solved. Use raw mode at your own risk.

1. Start the Microsoft Exchange Server Administrator program in raw mode by typing the following at a command prompt:
   drive:\exchsrvr\bin\admin /r
   Note In this step, drive is a placeholder for the drive where the Microsoft Exchange Server Administrator program is installed.
2. Click the Address Book container, and then click Raw Properties on the File menu.
3. In the List Attributes of Type list, click All.
4. Click Heuristics in the list of attributes.
5. In the Edit box, type 1, click Set, and then click OK.

Important Although the heuristics flag replicates between sites, you must add a Microsoft Windows NT account to the Permissions tab of the Address Book view properties for the Address Book view for each site because the Windows NT account does not replicate between sites.

For more information about the issue described in this article, click the following article numbers to view the articles in the Microsoft Knowledge Base: