In Exchange Server 2003 and Exchange 2000 Server, the Recipient Update Service updates some mailbox attributes, such as the proxy address, on mail-enabled user objects. The Recipient Update Service has permission to modify these attributes because the computer account (named <ServerName>) for the server on which the Recipient Update Service runs, is in the Exchange Enterprise Servers (EES) group. The EES group is created when you run Exchange Server 2003 or Exchange 2000 Server DomainPrep. Instead of granting the EES group permissions to each individual mailbox attribute that the Recipient Update Service must modify, the mailbox attributes are grouped together in property sets. When you run Exchange Server 2003 or Exchange 2000 Server DomainPrep, Exchange provides the EES group with permissions to modify the property sets through access control entries (ACEs) that Exchange sets on the domain container in Active Directory.

Exchange 2007 has a new predefined Exchange Administrator role called Exchange Recipient Administrators. This role contains permissions to manage the e-mail attributes of all users. Exchange administrators who are members of the Exchange Recipient Administrators role can manage only users' e-mail properties. To enable this functionality, Exchange 2007 must move some e-mail attributes of users into a property set called the "Exchange-Information property set." Exchange does this by redefining the attribute schemas in Active Directory when importing the new Exchange 2007 schema. However, the legacy EES group does not have permissions to the Exchange-Information property set. Therefore, when you import the new Exchange 2007 schema, the Recipient Update Service will no longer have permissions to the users' e-mail attributes and will stop functioning correctly. (For example, it will not be able to set proxy addresses for newly created Exchange Server 2003 users.)

Running the setup /PrepareLegacyExchangePermissions command enables the legacy Recipient Update Service to function correctly. Before importing the new Exchange 2007 schema, Exchange 2007 must grant new permissions in each domain in which you have run Exchange Server 2003 or Exchange 2000 Server DomainPrep. The setup /PrepareLegacyExchangePermissions command grants these new permissions. Before you run setup /PrepareSchema, you must run setup /PrepareLegacyExchangePermissions and allow the permissions to replicate across your Exchange organization. The server where you run setup /PrepareLegacyExchangePermissions contacts the local global catalog to locate the domains in which you have run Exchange Server 2003 or Exchange 2000 Server DomainPrep by checking for the EES and Exchange Domain Servers (EDS) groups. The server must be able to communicate with every domain in the forest in which you ran Exchange Server 2003 or Exchange 2000 Server DomainPrep. Also, the account that you use to run setup /PrepareLegacyExchangePermissions must have the permissions assigned to the Enterprise Admins universal security group (USG) so that it can set the ACEs in each domain and in the Exchange organization.