First, exclude the users from the Exchange GAL by setting the msExchHideFromAddressLists user attribute to true. This will hide them at the Exchange level within the company. No one will stumble upon them in their address book.
Second, isolate the users from Lync address book so that they can only discover themselves. This is accomplished with another user attribute: msRTCSIP-GroupingID.
This attribute is a 16-character GUID which, if present, only returns contacts that also have the same GUID value present on their account.
In other words, if John has this attribute set to 1111111111111111, then he can only search for and discover other users (by name) that also have the same value for this attribute. It should be noted that, just like federation, if John were to enter the full SIP URI of a user, he would find them. So while it can’t be considered complete isolation, it provides enough isolation to satisfy our needs. That is, not exposing internal users to this external group.
Smarter Together 