NOTE: This article has also been published in the official Exchange 2007 documentation - http://technet.microsoft.com/en-us/library/bb310768.aspx. We recommend that you check the documentation for the most up-to-date version.
Previous versions of Exchange did not rely on the usage of property sets to a great extent for applying permissions in the domain partition. While this was not an issue in typical deployments, this became an issue for distributed environments that delegated all tasks. Administrators in these environments had to assign permissions for a multitude of attributes for mail recipients, so that appropriate tasks could be delegated using a least privilege access model. Depending on the version of the Active Directory servers, this could have lead to a serious bloat in the Access Control Lists, thus increasing the size of the NTDS.DIT file.
Exchange 2007 improves the delegation story by utilizing property sets for the vast majority of mail recipient attributes.
For those that are not familiar with property sets, a property set is a grouping of attributes that enables controlling access to a subset of an object's properties by setting one single Access Control Entry (ACE), rather than setting an ACE per individual property. Also, an attribute can only be a member of a single property set.
For example, the Personal-Information property set includes properties such as street address and telephone number, both of which are properties of user objects.
Property Set Usage in Exchange Server 2003
In Exchange Server 2003, the Exchange schema extension process added many Exchange related mail recipient attributes into the built-in Active Directory property sets, Personal Information and Public Information. The Exchange Enterprise Servers domain local security groups were assigned access to these property sets on the domain partitions during the domain preparation phase so that Recipient Update Service (RUS) could stamp objects.
Public Information property set
Personal Information property set
However, when it came to delegation of permissions for management of mail recipients, many Active Directory administrators did not assign permissions to Exchange administrators using these property sets since they provided access to many additional non-Exchange related attributes.
Property Set Usage in Exchange Server 2007
Exchange 2007 takes advantage of property sets by creating two new property sets exclusively for Exchange, rather than relying on pre-existing Active Directory property sets. This addresses several issues that existed with previous versions of Exchange:
- There is no longer a reliance on default Active Directory property sets, which addresses the uncertainty of those property sets as they could change in future release cycles of Windows Server Active Directory.
- Ensures that only attributes created by the Exchange schema extension are members of the Exchange specific property sets.
- Allows for the creation and deployment of a delegated security permission model with regards to management of Exchange mail recipient data.
During the schema extension phase, Exchange 2007 performs several actions:
- Extends the schema with new classes and attributes.
- Creates the property sets, Exchange Information and Exchange Personal Information.
- Adds the appropriate attributes to the Exchange Information and Exchange Personal Information property sets.
Exchange 2003 attributes that had been previously added to the Personal Information or Public Information property sets will be moved accordingly to the Exchange specific property sets.
As a result of moving attributes between property sets, the Exchange 2003 recipient permission structure requires updating when implementing Exchange 2007 in a legacy environment. This is accomplished either via executing /PrepareLegacyExchangePermissions or /PrepareSchema. For more information on what /PrepareLegacyExchangePermissions actually does, please see http://www.microsoft.com/technet/prodtechnol/exchange/E2k7Help/4c32f70c-d42b-4bf4-995e-65b68a947194.mspx.
The Exchange Information property set includes the attributes listed in the following table. In addition, Authenticated Users have read access to this property set. This allows authenticated users to look up certain pieces of information about mail recipients (e.g. via the Address Book).
Exchange Information property set
The Exchange Personal Information property set includes the attributes listed in the following table. These attributes are sensitive in nature, so to ensure that normal users cannot look retrieve the data stored within these attributes, they are placed into a separate property set where Authenticated Users are not assigned read access.
Exchange Personal Information property set