=======================================================================
Part 3
=======================================================================
1.
![clip_image002 clip_image002](https://i0.wp.com/lh6.ggpht.com/--5b82lrcY4o/UBCuDD0l8nI/AAAAAAAAP6Y/Og4_g3fd1Sw/clip_image002_thumb%25255B1%25255D.jpg)
2.
3. Get the value of OAB Container
OAB Server: BQT-MBX01
[PS] C:\>Get-OfflineAddressBook -Server BQT-MBX01 | fl
DistinguishedName : CN=BQT-MBX01 OAB,CN=Offline Address Lists,CN=Address Lists Container,CN=MSFT,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=com
4. Set $TenantOAB
[PS] C:\>$TenantOAB="CN=BQT-MBX01 OAB,CN=Offline Address Lists,CN=Address Lists Container,CN=MSFT,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=corp,DC=com"
5. Add-ADPermission
![clip_image006 clip_image006](https://i0.wp.com/lh4.ggpht.com/-FRI7nIK5tY0/UBCuFBJXFfI/AAAAAAAAP64/IY_e-l8v6WQ/clip_image006_thumb%25255B1%25255D.jpg)
-User "Domain Users" (security group). In a hosted (multi-tenant) deployment, use the tenant's own security group here instead of Domain Users: granting Domain Users this right lets every user in the domain download the OAB, which is exactly what the guidance in Part 2 is meant to prevent.
[PS] C:\>Add-ADPermission $TenantOAB -User "MSFT\Domain Users" -ExtendedRights "MS-EXCH-DOWNLOAD-OAB"
Identity User Deny Inherited
——– —- —- ———
\BQT-MBX01 OAB MSFT\Domain Users False False
6. Check the Permission
[PS] C:\>Get-ADPermission $TenantOAB -User "MSFT\Domain Users" | fl
User : MSFT\Domain Users
Identity : \BQT-MBX01 OAB
Deny : False
AccessRights : {ExtendedRight}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
or
[PS] C:\>Get-ADPermission $TenantOAB -User "MSFT\Domain Users" | where {$_.ExtendedRights -match 'MS-EXCH-DOWNLOAD-OAB'} | fl
User : MSFT\Domain Users
Identity : \BQT-MBX02 OAB
Deny : False
AccessRights : {ExtendedRight}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
8. Folder permissions before restarting FDS (the Microsoft Exchange File Distribution service)
![image image](https://i0.wp.com/lh5.ggpht.com/-2QNg0nXiezs/UBCuHWL_DyI/AAAAAAAAP7Y/-EA_Ct3F1wU/image_thumb%25255B3%25255D.png)
9. Restart FDS
10. Folder permissions are reset to default after the restart
![image image](https://i0.wp.com/lh3.ggpht.com/-4Z0XK6pOaTo/UBCuJafxmRI/AAAAAAAAP74/_V-qKzEF5Bg/image_thumb%25255B7%25255D.png)
11. Outlook still downloads the OAB
![image image](https://i0.wp.com/lh6.ggpht.com/-Hf51J5zfvdY/UBCuKknPvlI/AAAAAAAAP8I/5yzJlpbA_Gg/image_thumb%25255B9%25255D.png)
========================================================================
Part 2
========================================================================
1. Source of the problem definition
Multi-Tenancy and Hosting Guidance Exchange Server 2010 SP2
![clip_image007 clip_image007](https://i0.wp.com/lh6.ggpht.com/-yKWmbiCeiAw/UBCuLhlrTYI/AAAAAAAAP8Y/pzSMYeOOjiw/clip_image007_thumb.jpg)
2. Problem description: the cause is that Exchange 2010 SP2, to harden OAB security, removes the Authenticated Users permission (see the appendix for details).

**Problem or Issue Description**
Securing Offline Address Book web distribution folders.

**Recommended Approach**
It is recommended you follow the process outlined in the appendix of this document to remove the Authenticated Users Read ACE from each OAB folder (including that for the Default OAB to prevent accidental download), and add an ACE for a security group including all users in the tenant who will be using each folder.
The steps documented in this process are planned to be added to Exchange in the future, to allow easy securing of the folders without the need to change Active Directory permissions. Until that time, the steps outlined in the appendix of this document are the only supported way to accomplish this task.
It is recommended you perform the detailed steps during initial creation of a tenant on the system using a scripted and tested process.

**Unsupported Solutions**
It is unsupported to make other ACL changes to the OAB container, objects, folders or sub-folders.

**Additional Comments**
IIS enforces authentication to the content of the OAB virtual directory, and with the recommended ACL changes it should not be possible for any user to see any OAB other than that intended for their own tenant.
3. Microsoft's solution is given below: a different permission mechanism (the MS-Exch-Download-OAB extended right in Active Directory rather than the folder ACL) has to be used to let clients download the OAB.
4. Appendix
Prior to the release of an update to Exchange that will enable this functionality natively, the following steps need to be completed to secure access to the OAB virtual directory folders on the Client Access server.
Each of the following examples assumes the domain being used by the hoster is called fabrikam.com – you need to change the examples shown below to refer to your own deployment.
Removing the MS-Exch-Download-OAB extended right from the root OAB container
The following two commands should be run once per Exchange installation to remove the MS-Exch-Download-OAB extended right from the root OAB container. This prevents all subsequently created OABs from inheriting this extended right.
To verify the permission exists, first set a variable for the root OAB container:
$BaseOABContainer='CN=Offline Address Lists,CN=Address Lists Container,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Fabrikam,DC=com'
Then run the following command to examine the existing permissions:
Get-ADPermission $BaseOABContainer -User "NT Authority\Authenticated Users" | where {$_.extendedrights -match 'ms-exch-download-oab'} | fl
The results returned should look similar to this:
User : NT AUTHORITY\Authenticated Users
Identity : \
Deny : False
AccessRights : {ExtendedRight}
IsInherited : False
Properties :
ChildObjectTypes :
InheritedObjectType :
InheritanceType : All
Then run the following command to remove the extended right:
Get-ADPermission $BaseOABContainer -User "NT Authority\Authenticated Users" | where {$_.extendedrights -match 'ms-exch-download-oab'} | Remove-ADPermission
To validate this command has executed correctly, the following command should now return zero results:
Get-ADPermission $BaseOABContainer -User "NT Authority\Authenticated Users" | where {$_.extendedrights -match 'ms-exch-download-oab'} | fl
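The following script is an added example; it is not part of the original post nor of the Microsoft guidance document quoted above. It strings together the appendix's one-time removal of the download right from the root OAB container with the per-tenant grant from Part 3 (steps 3 to 6) and then reports who can download the OAB, so the whole thing can be run as the "scripted and tested process" the guidance asks for. It assumes the Exchange Management Shell on Exchange 2010 SP2, an OAB named `BQT-MBX01 OAB` as in the post, and a tenant security group `MSFT\Tenant1 Users`, which is a hypothetical name standing in for the Domain Users group the post uses; the root container DN is derived from `Get-OrganizationConfig` instead of being typed in.

```powershell
# Added example, not from the original post or the Microsoft guidance.
# Run in the Exchange Management Shell (Exchange 2010 SP2).
# Assumed names: OAB "BQT-MBX01 OAB", tenant group "MSFT\Tenant1 Users" (hypothetical).
param(
    [string]$OabName     = "BQT-MBX01 OAB",
    [string]$TenantGroup = "MSFT\Tenant1 Users",
    [switch]$DryRun                       # pass -DryRun to get -WhatIf behaviour
)

$AuthUsers = "NT AUTHORITY\Authenticated Users"
$Right     = "ms-exch-download-oab"       # the extended right that gates OAB download

# Helper: ACEs on an AD object that carry the OAB download right, optionally for one trustee.
function Get-OabDownloadAce {
    param([string]$Identity, [string]$User)
    if ($User) { $acl = Get-ADPermission -Identity $Identity -User $User }
    else       { $acl = Get-ADPermission -Identity $Identity }
    $acl | Where-Object { $_.ExtendedRights -match $Right }
}

# 1. Once per organization: strip the download right for Authenticated Users from the
#    root OAB container, otherwise every newly created OAB inherits it.
$orgDn  = (Get-OrganizationConfig).DistinguishedName
$baseDn = "CN=Offline Address Lists,CN=Address Lists Container,$orgDn"

$rootAces = Get-OabDownloadAce -Identity $baseDn -User $AuthUsers
if ($rootAces) {
    Write-Host "Removing $Right for $AuthUsers from $baseDn"
    $rootAces | Remove-ADPermission -WhatIf:$DryRun -Confirm:$false
} else {
    Write-Host "Root OAB container has no $Right ACE for $AuthUsers (already done)"
}

# 2. Per tenant: grant the tenant group the download right on the OAB object itself.
#    This replaces editing the NTFS ACL of the web distribution folder, which FDS
#    rewrites whenever it restarts (the symptom described in Part 1).
$oab = Get-OfflineAddressBook -Identity $OabName
if (-not $oab) { throw "OAB '$OabName' not found" }
$tenantDn = $oab.DistinguishedName

# A non-inherited Authenticated Users ACE on the OAB itself would still let other
# tenants download it, so remove it as well (inherited ones are handled in step 1).
$leak = Get-OabDownloadAce -Identity $tenantDn -User $AuthUsers |
        Where-Object { -not $_.IsInherited }
if ($leak) {
    Write-Host "Removing explicit $Right for $AuthUsers from $tenantDn"
    $leak | Remove-ADPermission -WhatIf:$DryRun -Confirm:$false
}

if (-not (Get-OabDownloadAce -Identity $tenantDn -User $TenantGroup)) {
    Write-Host "Granting $Right on '$OabName' to $TenantGroup"
    Add-ADPermission -Identity $tenantDn -User $TenantGroup `
        -ExtendedRights $Right -WhatIf:$DryRun | Out-Null
}

# 3. Verify: list every trustee that can download this OAB, inherited or not.
$report = Get-OabDownloadAce -Identity $tenantDn |
    Select-Object User, Deny, IsInherited,
        @{ Name = "ExtendedRights"; Expression = { "$($_.ExtendedRights)" } }
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.User -like "*Authenticated Users*" -and -not $_.Deny }) {
    Write-Warning "$AuthUsers can still download '$OabName'; check inherited ACEs on $baseDn"
}
```

Run it once with `-DryRun` to see the `-WhatIf` output before changing anything, and run it as a member of Organization Management, since the root container edit touches the Exchange configuration partition. The script only adds and removes the MS-Exch-Download-OAB right, because the guidance states that any other ACL change to the OAB container, objects or folders is unsupported.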
========================================================================
Part 1
========================================================================
Our new E14 environment has the same situation as issue 1 here.
I've built two CAS servers with WNLB, a new build on SP2 updated to RU3.
Every time FDS or the server is restarted, it resets the permissions of the OAB folder as below.
And this happens on both CAS servers.
![clip_image013 clip_image013](https://i0.wp.com/lh3.ggpht.com/-dvw8BUgy6zg/UBCuOzET47I/AAAAAAAAP9I/cdN_ZmG2WB0/clip_image013_thumb%25255B2%25255D.gif)
I already checked and modified the OAB folder permissions by referring to the below. But they are reset to default every time the CAS server reboots.
![clip_image015 clip_image015](https://i0.wp.com/lh4.ggpht.com/-dfbWoN1RGq4/UBCuQby2AgI/AAAAAAAAP9Y/65rF_VAgOBk/clip_image015_thumb%25255B1%25255D.jpg)