NOTE: This article has also been published in the official Exchange 2007 documentation - http://technet.microsoft.com/en-us/library/bb310768.aspx.  We recommend that you check the documentation for the most up-to-date version.

Overview

Previous versions of Exchange did not rely on the usage of property sets to a great extent for applying permissions in the domain partition. While this was not an issue in typical deployments, this became an issue for distributed environments that delegated all tasks. Administrators in these environments had to assign permissions for a multitude of attributes for mail recipients, so that appropriate tasks could be delegated using a least privilege access model. Depending on the version of the Active Directory servers, this could have lead to a serious bloat in the Access Control Lists, thus increasing the size of the NTDS.DIT file.

Exchange 2007 improves the delegation story by utilizing property sets for the vast majority of mail recipient attributes.

Property Sets

For those that are not familiar with property sets, a property set is a grouping of attributes that enables controlling access to a subset of an object's properties by setting one single Access Control Entry (ACE), rather than setting an ACE per individual property. Also, an attribute can only be a member of a single property set.

For example, the Personal-Information property set includes properties such as street address and telephone number, both of which are properties of user objects.

Property Set Usage in Exchange Server 2003

In Exchange Server 2003, the Exchange schema extension process added many Exchange related mail recipient attributes into the built-in Active Directory property sets, Personal Information and Public Information. The Exchange Enterprise Servers domain local security groups were assigned access to these property sets on the domain partitions during the domain preparation phase so that Recipient Update Service (RUS) could stamp objects.

Public Information property set

allowedAttributes

 

formData

allowedAttributesEffective

forwardingAddress

allowedChildClasses

givenName

allowedChildClassesEffective

heuristics

altRecipient

hideDLMembership

altRecipientBL

homeMDB

altSecurityIdentities

homeMTA

attributeCertificate

importedFrom

authOrig

Initials

authOrigBL

msExchIMAddress

autoReply

msExchIMAPOWAURLPrefixOverride

autoReplyMessage

msExchIMMetaPhysicalURL

cn

msExchIMPhysicalURL

co

msExchIMVirtualServer

company

msExchInconsistentState

deletedItemFlags

msExchLabeledURI

delivContLength

msExchMailboxFolderSet

deliverAndRedirect

msExchMailboxGuid

deliveryMechanism

msExchMailboxSecurityDescriptor

delivExtContTypes

msExchMailboxUrl

department

msExchMasterAccountSid

description

msExchOmaAdminExtendedSettings

directReports

msExchOmaAdminWirelessEnable

displayNamePrintable

msExchOriginatingForest

distinguishedName

msExchPfRootUrl

division

msExchPFTreeType

dLMemberRule

msExchPoliciesExcluded

dLMemDefault

msExchPoliciesIncluded

dLMemRejectPerms

msExchPolicyEnabled

dLMemRejectPermsBL

msExchPolicyOptionList

dLMemSubmitPerms

msExchPreviousAccountSid

dLMemSubmitPermsBL

msExchProxyCustomProxy

dnQualifier

msExchQueryBaseDN

enabledProtocols

msExchRecipLimit

expirationTime

msExchRequireAuthToSendTo

extensionAttribute1

msExchResourceGUID

extensionAttribute10

msExchResourceProperties

extensionAttribute11

msExchTUIPassword

extensionAttribute12

msExchTUISpeed

extensionAttribute13

msExchTUIVolume

extensionAttribute14

msExchUnmergedAttsPt

extensionAttribute15

msExchUseOAB

extensionAttribute2

msExchUserAccountControl

extensionAttribute3

msExchVoiceMailboxID

extensionAttribute4

name

extensionAttribute5

notes

extensionAttribute6

o

extensionAttribute7

objectCategory

extensionAttribute8

objectClass

extensionAttribute9

objectGUID

extensionData

oOFReplyToOriginator

folderPathname

otherMailbox

internetEncoding

ou

kMServer

pOPCharacterSet

language

pOPContentFormat

languageCode

protocolSettings

legacyExchangeDN

proxyAddresses

mail

publicDelegatesBL

mailNickname

replicatedObjectVersion

manager

replicationSensitivity

mAPIRecipient

replicationSignature

mDBOverHardQuotaLimit

reportToOriginator

mDBOverQuotaLimit

reportToOwner

mDBStorageQuota

securityProtocol

mDBUseDefaults

servicePrincipalName

msDS-AllowedToDelegateTo

showInAddressBook

msDS-Approx-Immed-Subordinates

sn

msDS-Auxiliary-Classes

submissionContLength

msExchADCGlobalNames

supportedAlgorithms

msExchALObjectVersion

systemFlags

msExchAssistantName

targetAddress

msExchConferenceMailboxBL

telephoneAssistant

msExchControllingZone

textEncodedORAddress

msExchCustomProxyAddresses

title

msExchExpansionServerName

unauthOrig

msExchFBURL

unauthOrigBL

msExchHideFromAddressLists

unmergedAtts

msExchHomeServerName

userPrincipalName

msExchIMACL

 

Personal Information property set

assistant

physicalDeliveryOfficeName

c

postalAddress

facsimileTelephoneNumber

postalCode

homePhone

postOfficeBox

homePostalAddress

preferredDeliveryMethod

info

primaryInternationalISDNNumber

internationalISDNNumber

primaryTelexNumber

ipPhone

publicDelegates

l

registeredAddress

mobile

st

mSMQDigests

street

mSMQSignCertificates

streetAddress

otherFacsimileTelephoneNumber

telephoneNumber

otherHomePhone

teletexTerminalIdentifier

otherIpPhone

telexNumber

otherMobile

thumbnailPhoto

otherPager

userCert

otherTelephone

userCertificate

pager

userSharedFolder

personalTitle

userSharedFolderOther

 

X121Address

However, when it came to delegation of permissions for management of mail recipients, many Active Directory administrators did not assign permissions to Exchange administrators using these property sets since they provided access to many additional non-Exchange related attributes.

Property Set Usage in Exchange Server 2007

Exchange 2007 takes advantage of property sets by creating two new property sets exclusively for Exchange, rather than relying on pre-existing Active Directory property sets. This addresses several issues that existed with previous versions of Exchange:

  • There is no longer a reliance on default Active Directory property sets, which addresses the uncertainty of those property sets as they could change in future release cycles of Windows Server Active Directory.
  • Ensures that only attributes created by the Exchange schema extension are members of the Exchange specific property sets.
  • Allows for the creation and deployment of a delegated security permission model with regards to management of Exchange mail recipient data.

During the schema extension phase, Exchange 2007 performs several actions:

  • Extends the schema with new classes and attributes.
  • Creates the property sets, Exchange Information and Exchange Personal Information.
  • Adds the appropriate attributes to the Exchange Information and Exchange Personal Information property sets.

Exchange 2003 attributes that had been previously added to the Personal Information or Public Information property sets will be moved accordingly to the Exchange specific property sets.

As a result of moving attributes between property sets, the Exchange 2003 recipient permission structure requires updating when implementing Exchange 2007 in a legacy environment. This is accomplished either via executing /PrepareLegacyExchangePermissions or /PrepareSchema. For more information on what /PrepareLegacyExchangePermissions actually does, please see http://www.microsoft.com/technet/prodtechnol/exchange/E2k7Help/4c32f70c-d42b-4bf4-995e-65b68a947194.mspx.

The Exchange Information property set includes the attributes listed in the following table. In addition, Authenticated Users have read access to this property set. This allows authenticated users to look up certain pieces of information about mail recipients (e.g. via the Address Book).

Exchange Information property set

altRecipient

altRecipientBL

attributeCertificate

authOrig

authOrigBL

autoReply

autoReplyMessage

deletedItemFlags

delivContLength

deliverAndRedirect

deliveryMechanism

delivExtContTypes

dLMemberRule

dLMemDefault

dLMemRejectPerms

dLMemRejectPermsBL

dLMemSubmitPerms

dLMemSubmitPermsBL

dnQualifier

enabledProtocols

expirationTime

extensionAttribute1

extensionAttribute10

extensionAttribute11

extensionAttribute12

extensionAttribute13

extensionAttribute14

extensionAttribute15

extensionAttribute2

extensionAttribute3

extensionAttribute4

extensionAttribute5

extensionAttribute6

extensionAttribute7

extensionAttribute8

extensionAttribute9

extensionData

folderPathname

formData

forwardingAddress

heuristics

hideDLMembership

homeMDB

homeMTA

importedFrom

internetEncoding

kMServer

language

languageCode

mailNickname

mAPIRecipient

mDBOverHardQuotaLimit

mDBOverQuotaLimit

altRecipient

altRecipientBL

attributeCertificate

authOrig

authOrigBL

autoReply

autoReplyMessage

deletedItemFlags

delivContLength

deliverAndRedirect

deliveryMechanism

delivExtContTypes

dLMemberRule

dLMemDefault

dLMemRejectPerms

dLMemRejectPermsBL

dLMemSubmitPerms

dLMemSubmitPermsBL

dnQualifier

enabledProtocols

expirationTime

extensionAttribute1

extensionAttribute10

extensionAttribute11

extensionAttribute12

extensionAttribute13

extensionAttribute14

extensionAttribute15

extensionAttribute2

extensionAttribute3

extensionAttribute4

extensionAttribute5

extensionAttribute6

extensionAttribute7

extensionAttribute8

extensionAttribute9

extensionData

folderPathname

formData

forwardingAddress

heuristics

hideDLMembership

homeMDB

homeMTA

importedFrom

internetEncoding

kMServer

language

languageCode

mailNickname

mAPIRecipient

mDBOverHardQuotaLimit

mDBOverQuotaLimit

altRecipient

altRecipientBL

attributeCertificate

authOrig

authOrigBL

autoReply

autoReplyMessage

deletedItemFlags

delivContLength

deliverAndRedirect

deliveryMechanism

delivExtContTypes

dLMemberRule

dLMemDefault

dLMemRejectPerms

dLMemRejectPermsBL

dLMemSubmitPerms

dLMemSubmitPermsBL

dnQualifier

enabledProtocols

expirationTime

extensionAttribute1

extensionAttribute10

extensionAttribute11

extensionAttribute12

extensionAttribute13

extensionAttribute14

extensionAttribute15

extensionAttribute2

extensionAttribute3

extensionAttribute4

extensionAttribute5

extensionAttribute6

extensionAttribute7

extensionAttribute8

extensionAttribute9

extensionData

folderPathname

formData

forwardingAddress

heuristics

hideDLMembership

homeMDB

homeMTA

importedFrom

internetEncoding

kMServer

language

languageCode

mailNickname

mAPIRecipient

mDBOverHardQuotaLimit

mDBOverQuotaLimit

The Exchange Personal Information property set includes the attributes listed in the following table. These attributes are sensitive in nature, so to ensure that normal users cannot look retrieve the data stored within these attributes, they are placed into a separate property set where Authenticated Users are not assigned read access.

Exchange Personal Information property set

msExchMessageHygieneFlags

msExchMessageHygieneSCLDeleteThreshold

msExchMessageHygieneSCLQuarantineThreshold

msExchMessageHygieneSCLRejectThreshold

msExchSafeRecipientsHash

msExchSafeSendersHash

msExchUMPinChecksum

- Ross Smith IV