Applies to: Exchange Server 2007 SP3, Exchange Server
2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-03-19
Earlier versions of Microsoft Exchange Server did not
rely heavily on property sets for applying permissions in the
domain partition. Although this was not an issue in typical
deployments, this became an issue for distributed environments that
delegated all tasks. Administrators in these environments had to
assign permissions for a multitude of attributes for mail
recipients so that appropriate tasks could be delegated in a
least-privilege access model. Depending on the version of the
Active Directory directory service servers, this
can cause serious access control list (ACL) bloat, increasing
the size of the Ntds.dit file.
Exchange Server 2007 improves administrative
delegation by using property sets for most mail recipient
attributes.
What Are Property Sets?
A property set is a grouping of Active Directory
attributes. You can control access to this grouping of
Active Directory attributes by setting one access control
entry (ACE) instead of setting an ACE on each property. Also, an
attribute can only be a member of a single property set.
For example, the Personal-Information property set
includes properties such as street address and telephone number.
Both of these are properties of user objects.
Property Sets in Exchange Server
2003
In Exchange Server 2003, the Exchange schema
extension process added many Exchange-related mail recipient
attributes to the built-in Active Directory property sets,
Personal Information and Public Information. The Exchange
Enterprise Servers domain local security groups were assigned
access to these property sets on the domain partitions during the
domain preparation phase so that Recipient Update Service (RUS)
could update objects. The following tables list the attributes in
the Personal Information and Public Information property sets.
Public Information property
set
|
allowedAttributes
|
|
allowedAttributesEffective
|
|
allowedChildClasses
|
|
allowedChildClassesEffective
|
|
altRecipient
|
|
altRecipientBL
|
|
altSecurityIdentities
|
|
attributeCertificate
|
|
authOrig
|
|
authOrigBL
|
|
autoReply
|
|
autoReplyMessage
|
|
cn
|
|
co
|
|
company
|
|
deletedItemFlags
|
|
delivContLength
|
|
deliverAndRedirect
|
|
deliveryMechanism
|
|
delivExtContTypes
|
|
department
|
|
description
|
|
directReports
|
|
displayNamePrintable
|
|
distinguishedName
|
|
division
|
|
dLMemberRule
|
|
dLMemDefault
|
|
dLMemRejectPerms
|
|
dLMemRejectPermsBL
|
|
dLMemSubmitPerms
|
|
dLMemSubmitPermsBL
|
|
dnQualifier
|
|
enabledProtocols
|
|
expirationTime
|
|
extensionAttribute1
|
|
extensionAttribute10
|
|
extensionAttribute11
|
|
extensionAttribute12
|
|
extensionAttribute13
|
|
extensionAttribute14
|
|
extensionAttribute15
|
|
extensionAttribute2
|
|
extensionAttribute3
|
|
extensionAttribute4
|
|
extensionAttribute5
|
|
extensionAttribute6
|
|
extensionAttribute7
|
|
extensionAttribute8
|
|
extensionAttribute9
|
|
extensionData
|
|
folderPathname
|
|
|
formData
|
|
forwardingAddress
|
|
givenName
|
|
heuristics
|
|
hideDLMembership
|
|
homeMDB
|
|
homeMTA
|
|
importedFrom
|
|
initials
|
|
internetEncoding
|
|
kMServer
|
|
language
|
|
languageCode
|
|
legacyExchangeDN
|
|
mail
|
|
mailNickname
|
|
manager
|
|
mAPIRecipient
|
|
mDBOverHardQuotaLimit
|
|
mDBOverQuotaLimit
|
|
mDBStorageQuota
|
|
mDBUseDefaults
|
|
msDS-AllowedToDelegateTo
|
|
msDS-Approx-Immed-Subordinates
|
|
msDS-Auxiliary-Classes
|
|
msExchADCGlobalNames
|
|
msExchALObjectVersion
|
|
msExchAssistantName
|
|
msExchConferenceMailboxBL
|
|
msExchControllingZone
|
|
msExchCustomProxyAddresses
|
|
msExchExpansionServerName
|
|
msExchFBURL
|
|
msExchHideFromAddressLists
|
|
msExchHomeServerName
|
|
msExchIMACL
|
|
msExchIMAddress
|
|
msExchIMAPOWAURLPrefixOverride
|
|
msExchIMMetaPhysicalURL
|
|
msExchIMPhysicalURL
|
|
msExchIMVirtualServer
|
|
msExchInconsistentState
|
|
msExchLabeledURI
|
|
msExchMailboxFolderSet
|
|
msExchMailboxGuid
|
|
msExchMailboxSecurityDescriptor
|
|
msExchMailboxUrl
|
|
msExchMasterAccountSid
|
|
msExchOmaAdminExtendedSettings
|
|
msExchOmaAdminWirelessEnable
|
|
msExchOriginatingForest
|
|
msExchPfRootUrl
|
|
|
msExchPFTreeType
|
|
msExchPoliciesExcluded
|
|
msExchPoliciesIncluded
|
|
msExchPolicyEnabled
|
|
msExchPolicyOptionList
|
|
msExchPreviousAccountSid
|
|
msExchProxyCustomProxy
|
|
msExchQueryBaseDN
|
|
msExchRecipLimit
|
|
msExchRequireAuthToSendTo
|
|
msExchResourceGUID
|
|
msExchResourceProperties
|
|
msExchTUIPassword
|
|
msExchTUISpeed
|
|
msExchTUIVolume
|
|
msExchUnmergedAttsPt
|
|
msExchUseOAB
|
|
msExchUserAccountControl
|
|
msExchVoiceMailboxID
|
|
name
|
|
notes
|
|
o
|
|
objectCategory
|
|
objectClass
|
|
objectGUID
|
|
oOFReplyToOriginator
|
|
otherMailbox
|
|
ou
|
|
pOPCharacterSet
|
|
pOPContentFormat
|
|
protocolSettings
|
|
proxyAddresses
|
|
publicDelegatesBL
|
|
replicatedObjectVersion
|
|
replicationSensitivity
|
|
replicationSignature
|
|
reportToOriginator
|
|
reportToOwner
|
|
securityProtocol
|
|
servicePrincipalName
|
|
showInAddressBook
|
|
sn
|
|
submissionContLength
|
|
supportedAlgorithms
|
|
systemFlags
|
|
targetAddress
|
|
telephoneAssistant
|
|
textEncodedORAddress
|
|
title
|
|
unauthOrig
|
|
unauthOrigBL
|
|
unmergedAtts
|
|
userPrincipalName
|
|
Personal Information property
set
|
assistant
|
|
c
|
|
facsimileTelephoneNumber
|
|
homePhone
|
|
homePostalAddress
|
|
info
|
|
internationalISDNNumber
|
|
ipPhone
|
|
l
|
|
mobile
|
|
mSMQDigests
|
|
mSMQSignCertificates
|
|
otherFacsimileTelephoneNumber
|
|
otherHomePhone
|
|
|
otherIpPhone
|
|
otherMobile
|
|
otherPager
|
|
otherTelephone
|
|
pager
|
|
personalTitle
|
|
physicalDeliveryOfficeName
|
|
postalAddress
|
|
postalCode
|
|
postOfficeBox
|
|
preferredDeliveryMethod
|
|
primaryInternationalISDNNumber
|
|
primaryTelexNumber
|
|
publicDelegates
|
|
|
registeredAddress
|
|
st
|
|
street
|
|
streetAddress
|
|
telephoneNumber
|
|
teletexTerminalIdentifier
|
|
telexNumber
|
|
thumbnailPhoto
|
|
userCert
|
|
userCertificate
|
|
userSharedFolder
|
|
userSharedFolderOther
|
|
userSMIMECertificate
|
|
x121Address
|
|
However, when it came to delegation of permissions for
management of mail recipients, many Active Directory
administrators did not assign permissions to
Exchange administrators by using these property sets because
they provided access to many additional non-Exchange related
attributes.
Property Sets in Exchange
2007
Exchange 2007 takes advantage of property sets by
creating two new property sets exclusively for
Exchange Server, instead of by relying on
preexisting Active Directory property sets. Several of
the improvements in Exchange 2007 include the
following:
- There is no longer a reliance on default Active Directory
property sets. The Exchange-specific property sets address the
uncertainty of potential change in future versions of the
Active Directory property sets.
- Attributes created by the Exchange schema extension are the
only members of the Exchange-specific property sets.
- Exchange-specific property sets enable the creation and
deployment of a delegated security permission model that is
specific to management of Exchange mail recipient data.
During the schema extension phase, Exchange 2007
performs several actions. These include the following:
- It extends the schema with new classes and attributes.
- It creates the Exchange Information and Exchange Personal
Information property sets.
- It adds the appropriate attributes to the Exchange Information
and Exchange Personal Information property sets.
Exchange 2003 attributes that had been previously
added to the Personal Information or Public Information property
sets are moved accordingly to the Exchange-specific property
sets.
Because attributes are moved between property sets, you
must update the Exchange 2003 recipient permission structure
when you implement Exchange 2007 in a legacy environment.
You do this either by executing
the setup /PrepareLegacyExchangePermissions command
or the setup /PrepareSchema command. For more
information about what the
setup /PrepareLegacyExchangePermissions command does,
see Preparing
Legacy Exchange Permissions.
The Exchange Information property set includes the
attributes that are listed in the following table. In addition,
Authenticated Users have read access to this property set so that
they can look up specific pieces of information about mail
recipients, for example, by using the Address Book in Microsoft
Office Outlook.
Exchange Information property
set
|
altRecipient
|
|
altRecipientBL
|
|
attributeCertificate
|
|
authOrig
|
|
authOrigBL
|
|
autoReply
|
|
autoReplyMessage
|
|
deletedItemFlags
|
|
delivContLength
|
|
deliverAndRedirect
|
|
deliveryMechanism
|
|
delivExtContTypes
|
|
dLMemberRule
|
|
dLMemDefault
|
|
dLMemRejectPerms
|
|
dLMemRejectPermsBL
|
|
dLMemSubmitPerms
|
|
dLMemSubmitPermsBL
|
|
dnQualifier
|
|
enabledProtocols
|
|
expirationTime
|
|
extensionAttribute1
|
|
extensionAttribute10
|
|
extensionAttribute11
|
|
extensionAttribute12
|
|
extensionAttribute13
|
|
extensionAttribute14
|
|
extensionAttribute15
|
|
extensionAttribute2
|
|
extensionAttribute3
|
|
extensionAttribute4
|
|
extensionAttribute5
|
|
extensionAttribute6
|
|
extensionAttribute7
|
|
extensionAttribute8
|
|
extensionAttribute9
|
|
extensionData
|
|
folderPathname
|
|
formData
|
|
forwardingAddress
|
|
heuristics
|
|
hideDLMembership
|
|
homeMDB
|
|
homeMTA
|
|
importedFrom
|
|
internetEncoding
|
|
kMServer
|
|
language
|
|
languageCode
|
|
mailNickname
|
|
mAPIRecipient
|
|
mDBOverHardQuotaLimit
|
|
mDBOverQuotaLimit
|
|
|
mDBStorageQuota
|
|
mDBUseDefaults
|
|
msExchADCGlobalNames
|
|
msExchALObjectVersion
|
|
msExchAssistantName
|
|
msExchConferenceMailboxBL
|
|
msExchControllingZone
|
|
msExchCustomProxyAddresses
|
|
msExchELCExpirySuspensionEnd
|
|
msExchELCExpirySuspensionStart
|
|
msExchELCMailboxFlags
|
|
msExchExpansionServerName
|
|
msExchExternalOOFOptions
|
|
msExchFBURL
|
|
msExchHideFromAddressLists
|
|
msExchHomeServerName
|
|
msExchIMACL
|
|
msExchIMAddress
|
|
msExchIMAPOWAURLPrefixOverride
|
|
msExchIMMetaPhysicalURL
|
|
msExchIMPhysicalURL
|
|
msExchIMVirtualServer
|
|
msExchInconsistentState
|
|
msExchLabeledURI
|
|
msExchMailboxFolderSet
|
|
msExchMailboxGuid
|
|
msExchMailboxOABVirtualDirectoriesLink
|
|
msExchMailboxSecurityDescriptor
|
|
msExchMailboxTemplateLink
|
|
msExchMailboxUrl
|
|
msExchMasterAccountHistory
|
|
msExchMasterAccountSid
|
|
msExchMaxBlockedSenders
|
|
msExchMaxSafeSenders
|
|
msExchMDBRulesQuota
|
|
msExchMessageHygieneSCLJunkThreshold
|
|
msExchMobileAllowedDeviceIDs
|
|
msExchMobileDebugLogging
|
|
msExchMobileMailboxFlags
|
|
msExchMobileMailboxPolicyLink
|
|
msExchOmaAdminExtendedSettings
|
|
msExchOmaAdminWirelessEnable
|
|
msExchOriginatingForest
|
|
msExchPfRootUrl
|
|
msExchPFTreeType
|
|
msExchPoliciesExcluded
|
|
msExchPoliciesIncluded
|
|
msExchPolicyEnabled
|
|
msExchPolicyOptionList
|
|
msExchPreviousAccountSid
|
|
msExchProxyCustomProxy
|
|
msExchPurportedSearchUI
|
|
|
msExchQueryBaseDN
|
|
msExchQueryFilterMetadata
|
|
msExchRecipientDisplayType
|
|
msExchRecipientTypeDetails
|
|
msExchRecipLimit
|
|
msExchRequireAuthToSendTo
|
|
msExchResourceCapacity
|
|
msExchResourceDisplay
|
|
msExchResourceGUID
|
|
msExchResourceMetaData
|
|
msExchResourceProperties
|
|
msExchResourceSearchProperties
|
|
msExchServerAdminDelegationBL
|
|
msExchTUIPassword
|
|
msExchTUISpeed
|
|
msExchTUIVolume
|
|
msExchUMAudioCodec
|
|
msExchUMDtmfMap
|
|
msExchUMEnabledFlags
|
|
msExchUMFaxId
|
|
msExchUMListInDirectorySearch
|
|
msExchUMMaxGreetingDuration
|
|
msExchUMOperatorNumber
|
|
msExchUMPinPolicyAccountLockoutFailures
|
|
msExchUMPinPolicyDisallowCommonPatterns
|
|
msExchUMPinPolicyExpiryDays
|
|
msExchUMPinPolicyMinPasswordLength
|
|
msExchUMRecipientDialPlanLink
|
|
msExchUMServerWritableFlags
|
|
msExchUMSpokenName
|
|
msExchUMTemplateLink
|
|
msExchUnmergedAttsPt
|
|
msExchUseOAB
|
|
msExchUserAccountControl
|
|
msExchUserCulture
|
|
msExchVersion
|
|
msExchVoiceMailboxID
|
|
oOFReplyToOriginator
|
|
pOPCharacterSet
|
|
pOPContentFormat
|
|
protocolSettings
|
|
publicDelegatesBL
|
|
replicatedObjectVersion
|
|
replicationSensitivity
|
|
replicationSignature
|
|
reportToOriginator
|
|
reportToOwner
|
|
securityProtocol
|
|
submissionContLength
|
|
supportedAlgorithms
|
|
targetAddress
|
|
telephoneAssistant
|
|
unauthOrig
|
|
unauthOrigBL
|
|
unmergedAtts
|
|
The Exchange Personal Information property set includes
the attributes that are listed in the following table. To make sure
that ordinary users cannot retrieve the data that is stored in
these attributes, the attributes are put into a separate
property set where Authenticated Users are not assigned read
access.
Exchange Personal Information
property set
|
msExchMessageHygieneFlags
|
|
msExchMessageHygieneSCLDeleteThreshold
|
|
msExchMessageHygieneSCLQuarantineThreshold
|
|
msExchMessageHygieneSCLRejectThreshold
|
|
msExchSafeRecipientsHash
|
|
msExchSafeSendersHash
|
|
msExchUMPinChecksum
|
|
For More Information
For more information, see the following topics:
