NOTE: This article has also been published in the official Exchange 2007 documentation - http://technet.microsoft.com/en-us/library/bb310768.aspx. We recommend that you check the documentation for the most up-to-date version.
Overview
Earlier versions of Exchange made little use of property sets when applying permissions in the domain partition. That was not a problem in typical deployments, but it was in distributed environments that delegated every task: administrators there had to assign permissions on a multitude of individual mail recipient attributes in order to delegate those tasks under a least privilege access model. Depending on the version of the Active Directory domain controllers, this could lead to serious bloat in the Access Control Lists and a correspondingly larger NTDS.DIT file.
Exchange 2007 improves the delegation story by placing the vast majority of mail recipient attributes into property sets.
Property Sets
For those not familiar with property sets: a property set is a grouping of attributes that lets you control access to a subset of an object's properties with a single Access Control Entry (ACE), rather than one ACE per individual property. In the directory, a property set is a controlAccessRight object under CN=Extended-Rights in the configuration partition; an attribute belongs to the set when its (single-valued) attributeSecurityGUID equals the set's rightsGuid, which is also why an attribute can only be a member of a single property set.
For example, the Personal-Information property set includes properties such as street address and telephone number, both of which are properties of user objects.
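Because membership is just a GUID match between the schema and the Extended-Rights container, it can be queried directly. The following PowerShell is an added example (not from the original article or the Exchange product) that resolves which property set each attribute belongs to; it assumes the ActiveDirectory module (RSAT) on a domain-joined host with read access to the schema and configuration partitions, and that the Exchange sets carry the display names used in this article.

```powershell
# Added example: map attributes to property sets from the AD schema.
# Assumes the ActiveDirectory module and read access to the schema and
# configuration partitions (not part of the original article).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# A property set is a controlAccessRight object under CN=Extended-Rights whose
# validAccesses includes RIGHT_DS_READ_PROP (0x10) and/or RIGHT_DS_WRITE_PROP (0x20).
# Its rightsGuid is the value an attribute's attributeSecurityGUID points at.
$setNames = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(objectClass=controlAccessRight)' `
    -Properties rightsGuid, validAccesses, displayName |
  Where-Object { ($_.validAccesses -band 0x30) -ne 0 } |
  ForEach-Object { $setNames[[guid]$_.rightsGuid] = $_.displayName }

# attributeSecurityGUID is stored as an octet string; rebuild the Guid from bytes.
$membership = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(attributeSecurityGUID=*))' `
    -Properties lDAPDisplayName, attributeSecurityGUID |
  ForEach-Object {
    $setGuid = New-Object System.Guid -ArgumentList (,[byte[]]$_.attributeSecurityGUID)
    if ($setNames.ContainsKey($setGuid)) { $setName = $setNames[$setGuid] }
    else                                  { $setName = "unknown ($setGuid)" }
    New-Object PSObject -Property @{ Attribute = $_.lDAPDisplayName; PropertySet = $setName }
  }

# Which set holds a given attribute? An attribute belongs to at most one.
$membership |
  Where-Object { 'proxyAddresses', 'msExchSafeSendersHash', 'telephoneNumber' -contains $_.Attribute } |
  Format-Table Attribute, PropertySet -AutoSize

# Every attribute in one set, e.g. the Exchange Personal Information set.
$membership |
  Where-Object { $_.PropertySet -like 'Exchange Personal*' } |
  Sort-Object Attribute |
  Select-Object -ExpandProperty Attribute
```

Attributes with no attributeSecurityGUID are not in any set and can only be delegated individually; running the second query before and after schema preparation is a quick way to confirm which attributes moved.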
Property Set Usage in Exchange Server 2003
In Exchange Server 2003, the Exchange schema extension process added many Exchange-related mail recipient attributes to the built-in Active Directory property sets Personal Information and Public Information. During the domain preparation phase, the Exchange Enterprise Servers domain local security group was granted access to these property sets on the domain partition so that the Recipient Update Service (RUS) could stamp objects.
Public Information property set
allowedAttributes
formData
allowedAttributesEffective
forwardingAddress
allowedChildClasses
givenName
allowedChildClassesEffective
heuristics
altRecipient
hideDLMembership
altRecipientBL
homeMDB
altSecurityIdentities
homeMTA
attributeCertificate
importedFrom
authOrig
initials
authOrigBL
msExchIMAddress
autoReply
msExchIMAPOWAURLPrefixOverride
autoReplyMessage
msExchIMMetaPhysicalURL
cn
msExchIMPhysicalURL
co
msExchIMVirtualServer
company
msExchInconsistentState
deletedItemFlags
msExchLabeledURI
delivContLength
msExchMailboxFolderSet
deliverAndRedirect
msExchMailboxGuid
deliveryMechanism
msExchMailboxSecurityDescriptor
delivExtContTypes
msExchMailboxUrl
department
msExchMasterAccountSid
description
msExchOmaAdminExtendedSettings
directReports
msExchOmaAdminWirelessEnable
displayNamePrintable
msExchOriginatingForest
distinguishedName
msExchPfRootUrl
division
msExchPFTreeType
dLMemberRule
msExchPoliciesExcluded
dLMemDefault
msExchPoliciesIncluded
dLMemRejectPerms
msExchPolicyEnabled
dLMemRejectPermsBL
msExchPolicyOptionList
dLMemSubmitPerms
msExchPreviousAccountSid
dLMemSubmitPermsBL
msExchProxyCustomProxy
dnQualifier
msExchQueryBaseDN
enabledProtocols
msExchRecipLimit
expirationTime
msExchRequireAuthToSendTo
extensionAttribute1
msExchResourceGUID
extensionAttribute10
msExchResourceProperties
extensionAttribute11
msExchTUIPassword
extensionAttribute12
msExchTUISpeed
extensionAttribute13
msExchTUIVolume
extensionAttribute14
msExchUnmergedAttsPt
extensionAttribute15
msExchUseOAB
extensionAttribute2
msExchUserAccountControl
extensionAttribute3
msExchVoiceMailboxID
extensionAttribute4
name
extensionAttribute5
notes
extensionAttribute6
o
extensionAttribute7
objectCategory
extensionAttribute8
objectClass
extensionAttribute9
objectGUID
extensionData
oOFReplyToOriginator
folderPathname
otherMailbox
internetEncoding
ou
kMServer
pOPCharacterSet
language
pOPContentFormat
languageCode
protocolSettings
legacyExchangeDN
proxyAddresses
mail
publicDelegatesBL
mailNickname
replicatedObjectVersion
manager
replicationSensitivity
mAPIRecipient
replicationSignature
mDBOverHardQuotaLimit
reportToOriginator
mDBOverQuotaLimit
reportToOwner
mDBStorageQuota
securityProtocol
mDBUseDefaults
servicePrincipalName
msDS-AllowedToDelegateTo
showInAddressBook
msDS-Approx-Immed-Subordinates
sn
msDS-Auxiliary-Classes
submissionContLength
msExchADCGlobalNames
supportedAlgorithms
msExchALObjectVersion
systemFlags
msExchAssistantName
targetAddress
msExchConferenceMailboxBL
telephoneAssistant
msExchControllingZone
textEncodedORAddress
msExchCustomProxyAddresses
title
msExchExpansionServerName
unauthOrig
msExchFBURL
unauthOrigBL
msExchHideFromAddressLists
unmergedAtts
msExchHomeServerName
userPrincipalName
msExchIMACL
Personal Information property set
assistant
physicalDeliveryOfficeName
c
postalAddress
facsimileTelephoneNumber
postalCode
homePhone
postOfficeBox
homePostalAddress
preferredDeliveryMethod
info
primaryInternationalISDNNumber
internationalISDNNumber
primaryTelexNumber
ipPhone
publicDelegates
l
registeredAddress
mobile
st
mSMQDigests
street
mSMQSignCertificates
streetAddress
otherFacsimileTelephoneNumber
telephoneNumber
otherHomePhone
teletexTerminalIdentifier
otherIpPhone
telexNumber
otherMobile
thumbnailPhoto
otherPager
userCert
otherTelephone
userCertificate
pager
userSharedFolder
personalTitle
userSharedFolderOther
X121Address
However, when it came to delegating the management of mail recipients, many Active Directory administrators did not grant Exchange administrators access through these property sets, because the sets also cover many attributes that have nothing to do with Exchange. The Public Information set listed above, for instance, includes altSecurityIdentities, servicePrincipalName, userPrincipalName and msDS-AllowedToDelegateTo, so write access to the set reaches attributes that govern authentication and Kerberos delegation, not just mail properties.
Property Set Usage in Exchange Server 2007
Exchange 2007 takes advantage of property sets by creating two new property sets exclusively for Exchange, Exchange Information and Exchange Personal Information, rather than relying on the pre-existing Active Directory property sets. This addresses the issues described above: delegation no longer requires per-attribute ACEs, and granting access to the Exchange sets no longer hands out the non-Exchange attributes in Personal Information and Public Information.
During the schema extension phase, Exchange 2007 performs several actions:
Exchange 2003 attributes that had previously been added to the Personal Information or Public Information property sets are moved to the corresponding Exchange-specific property sets.
Because attributes move between property sets, the Exchange 2003 recipient permission structure must be updated when Exchange 2007 is introduced into a legacy environment; otherwise the Exchange Enterprise Servers group, which was only granted access to the built-in sets, loses access to the moved attributes and RUS can no longer stamp them. This is accomplished by running either Setup /PrepareLegacyExchangePermissions or Setup /PrepareSchema. For more information on what /PrepareLegacyExchangePermissions actually does, please see http://www.microsoft.com/technet/prodtechnol/exchange/E2k7Help/4c32f70c-d42b-4bf4-995e-65b68a947194.mspx.
The Exchange Information property set includes the attributes listed in the following table. In addition, Authenticated Users are granted read access to this property set on the domain partition, which allows any authenticated user to look up certain pieces of information about mail recipients (e.g. via the Address Book).
Exchange Information property set
The Exchange Personal Information property set includes the attributes listed in the following table. These attributes are sensitive in nature, so to ensure that normal users cannot retrieve the data stored in them, they are placed in a separate property set to which Authenticated Users are not granted read access.
Exchange Personal Information property set
msExchMessageHygieneFlags
msExchMessageHygieneSCLDeleteThreshold
msExchMessageHygieneSCLQuarantineThreshold
msExchMessageHygieneSCLRejectThreshold
msExchSafeRecipientsHash
msExchSafeSendersHash
msExchUMPinChecksum
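The two claims that matter for a delegation review are that a single object-specific ACE covers a whole set and that Authenticated Users can read Exchange Information but not Exchange Personal Information. The following PowerShell is an added example (not from the original article or from Exchange setup) that checks both against the domain partition head and then builds the one ACE needed to delegate a set to a group; it assumes the ActiveDirectory module, read access to the domain naming context's security descriptor, the set display names used in this article, and a delegate group named 'Recipient Admins' (a hypothetical name).

```powershell
# Added example: audit property-set ACEs on the domain partition head and build
# a single delegation ACE for one property set. Assumes the ActiveDirectory
# module, read access to the domain NC security descriptor, and a delegate group
# named 'Recipient Admins' (hypothetical). Not part of the original article.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

function Get-PropertySetGuid {
    # Resolve a property set's rightsGuid by display name from CN=Extended-Rights.
    param([Parameter(Mandatory = $true)][string]$DisplayName)
    $car = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid
    if (-not $car) { throw "Property set '$DisplayName' not found under Extended-Rights" }
    return [guid]$car.rightsGuid
}

$setNames = @{}
foreach ($name in 'Public Information', 'Personal Information',
                  'Exchange Information', 'Exchange Personal Information') {
    try { $setNames[(Get-PropertySetGuid $name)] = $name } catch { Write-Warning $_ }
}

$propRights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$acl = Get-Acl -Path "AD:\$domainDN"

# 1. Every ACE at the domain head that allows or denies read/write on one of
#    these sets. For such ACEs, ObjectType carries the property-set GUID.
$acl.Access |
  Where-Object { $setNames.ContainsKey($_.ObjectType) -and
                 (($_.ActiveDirectoryRights -band $propRights) -ne 0) } |
  Select-Object IdentityReference, AccessControlType,
                @{ n = 'PropertySet'; e = { $setNames[$_.ObjectType] } },
                ActiveDirectoryRights, InheritanceType, IsInherited |
  Format-Table -AutoSize

# 2. Can Authenticated Users (S-1-5-11) read a given set? Expected after Exchange
#    2007 domain preparation: true for Exchange Information, false for
#    Exchange Personal Information.
function Test-AuthenticatedUsersRead {
    param([Parameter(Mandatory = $true)][guid]$SetGuid)
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $hit = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-11' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $SetGuid -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0)
    }
    return [bool]$hit
}
foreach ($name in 'Exchange Information', 'Exchange Personal Information') {
    '{0}: Authenticated Users read = {1}' -f $name, (Test-AuthenticatedUsersRead (Get-PropertySetGuid $name))
}

# 3. Delegate read/write of the Exchange Information set to a group with ONE
#    object-specific ACE, inherited to user objects below the domain head.
$group         = Get-ADGroup 'Recipient Admins'   # hypothetical delegate group
$userClassGuid = New-Object System.Guid -ArgumentList (,[byte[]](
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' `
        -Properties schemaIDGUID).schemaIDGUID)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $group.SID,
    $propRights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    (Get-PropertySetGuid 'Exchange Information'),
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)
$acl.AddAccessRule($rule)
# Inspect the new entry before committing; Set-Acl writes it to the directory.
$acl.Access | Where-Object { $_.IdentityReference -like "*$($group.Name)" } | Format-List
# Set-Acl -Path "AD:\$domainDN" -AclObject $acl
```

Two caveats: the audit reads only the security descriptor at the domain head, so OUs where inheritance has been blocked need the same check run against their own DN; and a property-set ACE is still only as narrow as the set, so review the set's member list (the first example on this page does that) before delegating write access to it.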
- Ross Smith IV