Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007
Topic Last Modified: 2007-03-19

Earlier versions of Microsoft Exchange Server did not rely heavily on property sets for applying permissions in the domain partition. Although this was not an issue in typical deployments, this became an issue for distributed environments that delegated all tasks. Administrators in these environments had to assign permissions for a multitude of attributes for mail recipients so that appropriate tasks could be delegated in a least-privilege access model. Depending on the version of the Active Directory directory service servers, this can cause serious access control list (ACL) bloat, increasing the size of the Ntds.dit file.

Exchange Server 2007 improves administrative delegation by using property sets for most mail recipient attributes.

What Are Property Sets?

A property set is a grouping of Active Directory attributes. You can control access to this grouping of Active Directory attributes by setting one access control entry (ACE) instead of setting an ACE on each property. Also, an attribute can only be a member of a single property set.

For example, the Personal-Information property set includes properties such as street address and telephone number. Both of these are properties of user objects.

Property Sets in Exchange Server 2003

In Exchange Server 2003, the Exchange schema extension process added many Exchange-related mail recipient attributes to the built-in Active Directory property sets, Personal Information and Public Information. The Exchange Enterprise Servers domain local security groups were assigned access to these property sets on the domain partitions during the domain preparation phase so that Recipient Update Service (RUS) could update objects. The following tables list the attributes in the Personal Information and Public Information property sets.

Public Information property set

allowedAttributes

allowedAttributesEffective

allowedChildClasses

allowedChildClassesEffective

altRecipient

altRecipientBL

altSecurityIdentities

attributeCertificate

authOrig

authOrigBL

autoReply

autoReplyMessage

cn

co

company

deletedItemFlags

delivContLength

deliverAndRedirect

deliveryMechanism

delivExtContTypes

department

description

directReports

displayNamePrintable

distinguishedName

division

dLMemberRule

dLMemDefault

dLMemRejectPerms

dLMemRejectPermsBL

dLMemSubmitPerms

dLMemSubmitPermsBL

dnQualifier

enabledProtocols

expirationTime

extensionAttribute1

extensionAttribute10

extensionAttribute11

extensionAttribute12

extensionAttribute13

extensionAttribute14

extensionAttribute15

extensionAttribute2

extensionAttribute3

extensionAttribute4

extensionAttribute5

extensionAttribute6

extensionAttribute7

extensionAttribute8

extensionAttribute9

extensionData

folderPathname

formData

forwardingAddress

givenName

heuristics

hideDLMembership

homeMDB

homeMTA

importedFrom

initials

internetEncoding

kMServer

language

languageCode

legacyExchangeDN

mail

mailNickname

manager

mAPIRecipient

mDBOverHardQuotaLimit

mDBOverQuotaLimit

mDBStorageQuota

mDBUseDefaults

msDS-AllowedToDelegateTo

msDS-Approx-Immed-Subordinates

msDS-Auxiliary-Classes

msExchADCGlobalNames

msExchALObjectVersion

msExchAssistantName

msExchConferenceMailboxBL

msExchControllingZone

msExchCustomProxyAddresses

msExchExpansionServerName

msExchFBURL

msExchHideFromAddressLists

msExchHomeServerName

msExchIMACL

msExchIMAddress

msExchIMAPOWAURLPrefixOverride

msExchIMMetaPhysicalURL

msExchIMPhysicalURL

msExchIMVirtualServer

msExchInconsistentState

msExchLabeledURI

msExchMailboxFolderSet

msExchMailboxGuid

msExchMailboxSecurityDescriptor

msExchMailboxUrl

msExchMasterAccountSid

msExchOmaAdminExtendedSettings

msExchOmaAdminWirelessEnable

msExchOriginatingForest

msExchPfRootUrl

msExchPFTreeType

msExchPoliciesExcluded

msExchPoliciesIncluded

msExchPolicyEnabled

msExchPolicyOptionList

msExchPreviousAccountSid

msExchProxyCustomProxy

msExchQueryBaseDN

msExchRecipLimit

msExchRequireAuthToSendTo

msExchResourceGUID

msExchResourceProperties

msExchTUIPassword

msExchTUISpeed

msExchTUIVolume

msExchUnmergedAttsPt

msExchUseOAB

msExchUserAccountControl

msExchVoiceMailboxID

name

notes

o

objectCategory

objectClass

objectGUID

oOFReplyToOriginator

otherMailbox

ou

pOPCharacterSet

pOPContentFormat

protocolSettings

proxyAddresses

publicDelegatesBL

replicatedObjectVersion

replicationSensitivity

replicationSignature

reportToOriginator

reportToOwner

securityProtocol

servicePrincipalName

showInAddressBook

sn

submissionContLength

supportedAlgorithms

systemFlags

targetAddress

telephoneAssistant

textEncodedORAddress

title

unauthOrig

unauthOrigBL

unmergedAtts

userPrincipalName

Personal Information property set

assistant

c

facsimileTelephoneNumber

homePhone

homePostalAddress

info

internationalISDNNumber

ipPhone

l

mobile

mSMQDigests

mSMQSignCertificates

otherFacsimileTelephoneNumber

otherHomePhone

otherIpPhone

otherMobile

otherPager

otherTelephone

pager

personalTitle

physicalDeliveryOfficeName

postalAddress

postalCode

postOfficeBox

preferredDeliveryMethod

primaryInternationalISDNNumber

primaryTelexNumber

publicDelegates

registeredAddress

st

street

streetAddress

telephoneNumber

teletexTerminalIdentifier

telexNumber

thumbnailPhoto

userCert

userCertificate

userSharedFolder

userSharedFolderOther

userSMIMECertificate

x121Address

However, when it came to delegation of permissions for management of mail recipients, many Active Directory administrators did not assign permissions to Exchange administrators by using these property sets because they provided access to many additional non-Exchange related attributes.

Property Sets in Exchange 2007

Exchange 2007 takes advantage of property sets by creating two new property sets exclusively for Exchange Server, instead of by relying on preexisting Active Directory property sets. Several of the improvements in Exchange 2007 include the following:

  • There is no longer a reliance on default Active Directory property sets. The Exchange-specific property sets address the uncertainty of potential change in future versions of the Active Directory property sets.

  • Attributes created by the Exchange schema extension are the only members of the Exchange-specific property sets.

  • Exchange-specific property sets enable the creation and deployment of a delegated security permission model that is specific to management of Exchange mail recipient data.

During the schema extension phase, Exchange 2007 performs several actions. These include the following:

  • It extends the schema with new classes and attributes.

  • It creates the Exchange Information and Exchange Personal Information property sets.

  • It adds the appropriate attributes to the Exchange Information and Exchange Personal Information property sets.

Exchange 2003 attributes that had been previously added to the Personal Information or Public Information property sets are moved accordingly to the Exchange-specific property sets.

Because attributes are moved between property sets, you must update the Exchange 2003 recipient permission structure when you implement Exchange 2007 in a legacy environment. You do this either by executing the setup /PrepareLegacyExchangePermissions command or the setup /PrepareSchema command. For more information about what the setup /PrepareLegacyExchangePermissions command does, see Preparing Legacy Exchange Permissions.

The Exchange Information property set includes the attributes that are listed in the following table. In addition, Authenticated Users have read access to this property set so that they can look up specific pieces of information about mail recipients, for example, by using the Address Book in Microsoft Office Outlook.

Exchange Information property set

altRecipient

altRecipientBL

attributeCertificate

authOrig

authOrigBL

autoReply

autoReplyMessage

deletedItemFlags

delivContLength

deliverAndRedirect

deliveryMechanism

delivExtContTypes

dLMemberRule

dLMemDefault

dLMemRejectPerms

dLMemRejectPermsBL

dLMemSubmitPerms

dLMemSubmitPermsBL

dnQualifier

enabledProtocols

expirationTime

extensionAttribute1

extensionAttribute10

extensionAttribute11

extensionAttribute12

extensionAttribute13

extensionAttribute14

extensionAttribute15

extensionAttribute2

extensionAttribute3

extensionAttribute4

extensionAttribute5

extensionAttribute6

extensionAttribute7

extensionAttribute8

extensionAttribute9

extensionData

folderPathname

formData

forwardingAddress

heuristics

hideDLMembership

homeMDB

homeMTA

importedFrom

internetEncoding

kMServer

language

languageCode

mailNickname

mAPIRecipient

mDBOverHardQuotaLimit

mDBOverQuotaLimit

mDBStorageQuota

mDBUseDefaults

msExchADCGlobalNames

msExchALObjectVersion

msExchAssistantName

msExchConferenceMailboxBL

msExchControllingZone

msExchCustomProxyAddresses

msExchELCExpirySuspensionEnd

msExchELCExpirySuspensionStart

msExchELCMailboxFlags

msExchExpansionServerName

msExchExternalOOFOptions

msExchFBURL

msExchHideFromAddressLists

msExchHomeServerName

msExchIMACL

msExchIMAddress

msExchIMAPOWAURLPrefixOverride

msExchIMMetaPhysicalURL

msExchIMPhysicalURL

msExchIMVirtualServer

msExchInconsistentState

msExchLabeledURI

msExchMailboxFolderSet

msExchMailboxGuid

msExchMailboxOABVirtualDirectoriesLink

msExchMailboxSecurityDescriptor

msExchMailboxTemplateLink

msExchMailboxUrl

msExchMasterAccountHistory

msExchMasterAccountSid

msExchMaxBlockedSenders

msExchMaxSafeSenders

msExchMDBRulesQuota

msExchMessageHygieneSCLJunkThreshold

msExchMobileAllowedDeviceIDs

msExchMobileDebugLogging

msExchMobileMailboxFlags

msExchMobileMailboxPolicyLink

msExchOmaAdminExtendedSettings

msExchOmaAdminWirelessEnable

msExchOriginatingForest

msExchPfRootUrl

msExchPFTreeType

msExchPoliciesExcluded

msExchPoliciesIncluded

msExchPolicyEnabled

msExchPolicyOptionList

msExchPreviousAccountSid

msExchProxyCustomProxy

msExchPurportedSearchUI

msExchQueryBaseDN

msExchQueryFilterMetadata

msExchRecipientDisplayType

msExchRecipientTypeDetails

msExchRecipLimit

msExchRequireAuthToSendTo

msExchResourceCapacity

msExchResourceDisplay

msExchResourceGUID

msExchResourceMetaData

msExchResourceProperties

msExchResourceSearchProperties

msExchServerAdminDelegationBL

msExchTUIPassword

msExchTUISpeed

msExchTUIVolume

msExchUMAudioCodec

msExchUMDtmfMap

msExchUMEnabledFlags

msExchUMFaxId

msExchUMListInDirectorySearch

msExchUMMaxGreetingDuration

msExchUMOperatorNumber

msExchUMPinPolicyAccountLockoutFailures

msExchUMPinPolicyDisallowCommonPatterns

msExchUMPinPolicyExpiryDays

msExchUMPinPolicyMinPasswordLength

msExchUMRecipientDialPlanLink

msExchUMServerWritableFlags

msExchUMSpokenName

msExchUMTemplateLink

msExchUnmergedAttsPt

msExchUseOAB

msExchUserAccountControl

msExchUserCulture

msExchVersion

msExchVoiceMailboxID

oOFReplyToOriginator

pOPCharacterSet

pOPContentFormat

protocolSettings

publicDelegatesBL

replicatedObjectVersion

replicationSensitivity

replicationSignature

reportToOriginator

reportToOwner

securityProtocol

submissionContLength

supportedAlgorithms

targetAddress

telephoneAssistant

unauthOrig

unauthOrigBL

unmergedAtts

The Exchange Personal Information property set includes the attributes that are listed in the following table. To make sure that ordinary users cannot retrieve the data that is stored in these attributes, the attributes are put into a separate property set where Authenticated Users are not assigned read access.

Exchange Personal Information property set

msExchMessageHygieneFlags

msExchMessageHygieneSCLDeleteThreshold

msExchMessageHygieneSCLQuarantineThreshold

msExchMessageHygieneSCLRejectThreshold

msExchSafeRecipientsHash

msExchSafeSendersHash

msExchUMPinChecksum

For More Information