Article ID: 943864 - Last Review: November 2, 2007 - Revision: 1.1

Hosted users can see other hosted users if they can access the HMC Active Directory by using LDAP tools in Microsoft Solution for Hosted Messaging and Collaboration version 4.0

Hotfix download available

SYMPTOMS

In Microsoft Solution for Hosted Messaging and Collaboration version 4.0, users of a Hosted Messaging and Collaboration (HMC) system typically do not have direct access to the Active Directory directory service by using LDAP tools such as LDP. When users have access to Active Directory, for example through a virtual private network (VPN) connection, the users can browse Active Directory to see the entries for other hosted users. This breaks the isolated tenant principle of HMC.

CAUSE

This problem occurs if the following conditions are true:
  • A reseller organization is created under the hosting organizational unit.
  • The List Contents permission is granted to all hosted users.

RESOLUTION

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

To resolve this problem, apply this hotfix. To do this, follow these steps:
  1. On the server that is running Microsoft Provisioning Server (MPS), stop the MPS services to make sure that no more requests can be performed on the server. To do this, follow these steps.
    1. Click Start, point to All Programs, click Administrative Tools, and then click Component Services.
    2. Expand Component Services, expand Computers, expand My Computer, expand COM+ Applications, right-click Provisioning Engine, click Disable, and then click Shut down.
  2. Start the MPS Deployment Tool.
  3. Expand Core Platform, and then expand Cope MPF Install and MPF Core Namespaces.
  4. Right-click Managed Active Directory, and then click Uninstall.
  5. Click Start Deployment.
  6. Open the C:\MSIShare folder.
  7. Change the name of the ManagedADNS.msi file to ManagedADNS_Orig.msi.
  8. Copy the new ManagedADNS.msi file from the hotfix to the MSIShare folder.
  9. In the MPS Deployment Tool, right-click Managed Active Directory, click Install, and then click Start Deployment.
  10. In Component Services, right-click Provisioning Engine, and then click Enable and Start to restart the MPS engine.

Prerequisites

Microsoft Solution for Hosted Messaging and Collaboration version 4.0 must be installed before you apply this hotfix.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
File name        File version    File size  Date         Time   Platform
Managedadns.msi  Not applicable  283,136    08-Oct-2007  13:49  Not applicable

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

You can apply this hotfix to make sure that any new resellers that are created have the correct access permissions applied.

To correct the existing permissions to prevent List Contents access to all users, follow these steps.

For the hosting organization

  1. In the Active Directory Users and Computers MMC snap-in, enable Advanced features on the View menu.
  2. Locate the hosting organization, and then right-click Properties.
  3. Click Security, and then click Advanced.
  4. Under Permission Entries, click the entry for AllUsersGroups (<domain>\AllUsersGroups), and then click Edit.
  5. Under Permissions, click to clear the List Contents check box in the Allow column.

For each reseller organization that was created before you installed this hotfix

  1. In the Active Directory Users and Computers MMC snap-in, enable Advanced features on the View menu.
  2. Locate the appropriate reseller organization, and then right-click Properties.
  3. Click Security, and then click Advanced.
  4. Under Permission Entries, click the entry for AllCustomers@<Reseller>, and then click Edit.
  5. Under Permissions, click to clear the List Contents check box in the Allow column.
  6. In the Apply onto field, click This object only.
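
To check that the permission changes above took effect on the hosting organization and on every reseller organization, the following PowerShell script filters an OU's access rules for Allow entries that still include List Contents. It is an added example, not part of the Microsoft article or the hotfix. It assumes the groups translate to NT account names of the form <domain>\AllUsersGroups and <domain>\AllCustomers@<Reseller>; the EXAMPLE domain, the OU name, the function names and the sample rules are constructed.

```powershell
# Added example: find Allow ACEs that still grant List Contents on an OU.
# "List Contents" in the ACL editor is ActiveDirectoryRights.ListChildren in .NET.
Add-Type -AssemblyName System.DirectoryServices

function Find-ListContentsAce {
    param(
        [string] $DistinguishedName,
        $Rules,   # collection of ActiveDirectoryAccessRule objects
        # Assumption: group names as the article shows them, in DOMAIN\name form
        [string] $IdentityPattern = '\\(AllUsersGroups|AllCustomers@.+)$'
    )
    $list = [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren
    foreach ($r in $Rules) {
        # Bit test, so composite rights such as GenericRead are caught too
        $grantsList = ([int]$r.ActiveDirectoryRights -band $list) -ne 0
        if ($r.AccessControlType -eq 'Allow' -and $grantsList -and
            $r.IdentityReference.Value -match $IdentityPattern) {
            New-Object psobject -Property @{
                OU          = $DistinguishedName
                Identity    = $r.IdentityReference.Value
                AppliesTo   = $r.InheritanceType   # None = "This object only"
                IsInherited = $r.IsInherited
            }
        }
    }
}

# Reads the explicit and inherited rules of a live OU (needs directory access).
function Get-OuAccessRule {
    param([string] $DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $entry.psbase.ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.NTAccount])
}

# Constructed sample rules (not real directory data) to exercise the filter offline.
function New-SampleRule($Who, $Rights) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        ([System.Security.Principal.NTAccount]$Who),
        ([System.DirectoryServices.ActiveDirectoryRights]$Rights),
        ([System.Security.AccessControl.AccessControlType]::Allow))
}
$sample = @(
    (New-SampleRule 'EXAMPLE\AllUsersGroups'         'GenericRead'),   # includes List Contents
    (New-SampleRule 'EXAMPLE\AllCustomers@ResellerA' 'ListChildren'),  # List Contents only
    (New-SampleRule 'EXAMPLE\AllCustomers@ResellerB' 'ReadProperty'),  # no List Contents
    (New-SampleRule 'EXAMPLE\Domain Admins'          'GenericAll')     # not a tenant group
)
Find-ListContentsAce -DistinguishedName 'OU=Hosting,DC=example,DC=test' -Rules $sample

# Live use: Find-ListContentsAce -DistinguishedName $dn -Rules (Get-OuAccessRule $dn)
```

An empty result for the hosting organization and for each reseller OU means that no matching Allow entry with List Contents remains on that object.
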
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 (http://support.microsoft.com/kb/824684/LN/) Description of the standard terminology that is used to describe Microsoft software updates

APPLIES TO
  • Microsoft Solution for Hosted Messaging and Collaboration 4.0