Property Sets in Exchange Server 2007



NOTE: This article has also been published in the official Exchange 2007 documentation - http://technet.microsoft.com/en-us/library/bb310768.aspx.  We recommend that you check the documentation for the most up-to-date version.


Overview

Previous versions of Exchange made little use of property sets when applying permissions in the domain partition. This was not an issue in typical deployments, but it became one in distributed environments that delegated all tasks: administrators in those environments had to assign permissions on a multitude of mail recipient attributes individually so that tasks could be delegated under a least privilege access model. Depending on the version of the Active Directory servers, this could have led to serious bloat in the Access Control Lists, thereby increasing the size of the NTDS.DIT file.

Exchange 2007 improves the delegation story by utilizing property sets for the vast majority of mail recipient attributes.

Property Sets

For those who are not familiar with property sets: a property set is a grouping of attributes that allows access to a subset of an object's properties to be controlled with a single Access Control Entry (ACE), rather than one ACE per individual property. An attribute can be a member of only one property set.

For example, the Personal-Information property set includes properties such as street address and telephone number, both of which are properties of user objects.

Property Set Usage in Exchange Server 2003

In Exchange Server 2003, the Exchange schema extension process added many Exchange-related mail recipient attributes to the built-in Active Directory property sets Personal Information and Public Information. During the domain preparation phase, the Exchange Enterprise Servers domain local security groups were granted access to these property sets on the domain partitions so that the Recipient Update Service (RUS) could stamp objects.


Public Information property set

  • allowedAttributes
  • allowedAttributesEffective
  • allowedChildClasses
  • allowedChildClassesEffective
  • altRecipient
  • altRecipientBL
  • altSecurityIdentities
  • attributeCertificate
  • authOrig
  • authOrigBL
  • autoReply
  • autoReplyMessage
  • cn
  • co
  • company
  • deletedItemFlags
  • delivContLength
  • deliverAndRedirect
  • deliveryMechanism
  • delivExtContTypes
  • department
  • description
  • directReports
  • displayNamePrintable
  • distinguishedName
  • division
  • dLMemberRule
  • dLMemDefault
  • dLMemRejectPerms
  • dLMemRejectPermsBL
  • dLMemSubmitPerms
  • dLMemSubmitPermsBL
  • dnQualifier
  • enabledProtocols
  • expirationTime
  • extensionAttribute1
  • extensionAttribute10
  • extensionAttribute11
  • extensionAttribute12
  • extensionAttribute13
  • extensionAttribute14
  • extensionAttribute15
  • extensionAttribute2
  • extensionAttribute3
  • extensionAttribute4
  • extensionAttribute5
  • extensionAttribute6
  • extensionAttribute7
  • extensionAttribute8
  • extensionAttribute9
  • extensionData
  • folderPathname
  • formData
  • forwardingAddress
  • givenName
  • heuristics
  • hideDLMembership
  • homeMDB
  • homeMTA
  • importedFrom
  • Initials
  • internetEncoding
  • kMServer
  • language
  • languageCode
  • legacyExchangeDN
  • mail
  • mailNickname
  • manager
  • mAPIRecipient
  • mDBOverHardQuotaLimit
  • mDBOverQuotaLimit
  • mDBStorageQuota
  • mDBUseDefaults
  • msDS-AllowedToDelegateTo
  • msDS-Approx-Immed-Subordinates
  • msDS-Auxiliary-Classes
  • msExchADCGlobalNames
  • msExchALObjectVersion
  • msExchAssistantName
  • msExchConferenceMailboxBL
  • msExchControllingZone
  • msExchCustomProxyAddresses
  • msExchExpansionServerName
  • msExchFBURL
  • msExchHideFromAddressLists
  • msExchHomeServerName
  • msExchIMACL
  • msExchIMAddress
  • msExchIMAPOWAURLPrefixOverride
  • msExchIMMetaPhysicalURL
  • msExchIMPhysicalURL
  • msExchIMVirtualServer
  • msExchInconsistentState
  • msExchLabeledURI
  • msExchMailboxFolderSet
  • msExchMailboxGuid
  • msExchMailboxSecurityDescriptor
  • msExchMailboxUrl
  • msExchMasterAccountSid
  • msExchOmaAdminExtendedSettings
  • msExchOmaAdminWirelessEnable
  • msExchOriginatingForest
  • msExchPfRootUrl
  • msExchPFTreeType
  • msExchPoliciesExcluded
  • msExchPoliciesIncluded
  • msExchPolicyEnabled
  • msExchPolicyOptionList
  • msExchPreviousAccountSid
  • msExchProxyCustomProxy
  • msExchQueryBaseDN
  • msExchRecipLimit
  • msExchRequireAuthToSendTo
  • msExchResourceGUID
  • msExchResourceProperties
  • msExchTUIPassword
  • msExchTUISpeed
  • msExchTUIVolume
  • msExchUnmergedAttsPt
  • msExchUseOAB
  • msExchUserAccountControl
  • msExchVoiceMailboxID
  • name
  • notes
  • o
  • objectCategory
  • objectClass
  • objectGUID
  • oOFReplyToOriginator
  • otherMailbox
  • ou
  • pOPCharacterSet
  • pOPContentFormat
  • protocolSettings
  • proxyAddresses
  • publicDelegatesBL
  • replicatedObjectVersion
  • replicationSensitivity
  • replicationSignature
  • reportToOriginator
  • reportToOwner
  • securityProtocol
  • servicePrincipalName
  • showInAddressBook
  • sn
  • submissionContLength
  • supportedAlgorithms
  • systemFlags
  • targetAddress
  • telephoneAssistant
  • textEncodedORAddress
  • title
  • unauthOrig
  • unauthOrigBL
  • unmergedAtts
  • userPrincipalName


Personal Information property set

  • assistant
  • c
  • facsimileTelephoneNumber
  • homePhone
  • homePostalAddress
  • info
  • internationalISDNNumber
  • ipPhone
  • l
  • mobile
  • mSMQDigests
  • mSMQSignCertificates
  • otherFacsimileTelephoneNumber
  • otherHomePhone
  • otherIpPhone
  • otherMobile
  • otherPager
  • otherTelephone
  • pager
  • personalTitle
  • physicalDeliveryOfficeName
  • postalAddress
  • postalCode
  • postOfficeBox
  • preferredDeliveryMethod
  • primaryInternationalISDNNumber
  • primaryTelexNumber
  • publicDelegates
  • registeredAddress
  • st
  • street
  • streetAddress
  • telephoneNumber
  • teletexTerminalIdentifier
  • telexNumber
  • thumbnailPhoto
  • userCert
  • userCertificate
  • userSharedFolder
  • userSharedFolderOther
  • X121Address


However, when it came to delegating permissions for the management of mail recipients, many Active Directory administrators did not grant Exchange administrators access through these property sets, because doing so would also have exposed many additional non-Exchange-related attributes.

Property Set Usage in Exchange Server 2007

Exchange 2007 takes advantage of property sets by creating two new property sets exclusively for Exchange, rather than relying on pre-existing Active Directory property sets. This addresses several issues that existed with previous versions of Exchange:


  • It removes the reliance on default Active Directory property sets, whose membership could change in future release cycles of Windows Server Active Directory.
  • It ensures that only attributes created by the Exchange schema extension are members of the Exchange-specific property sets.
  • It allows a delegated security permission model to be created and deployed for the management of Exchange mail recipient data.

During the schema extension phase, Exchange 2007 performs several actions:


  • Extends the schema with new classes and attributes.
  • Creates the Exchange Information and Exchange Personal Information property sets.
  • Adds the appropriate attributes to the Exchange Information and Exchange Personal Information property sets.

Exchange 2003 attributes that were previously added to the Personal Information or Public Information property sets are moved to the corresponding Exchange-specific property sets.

Because attributes move between property sets, the Exchange 2003 recipient permission structure must be updated when Exchange 2007 is introduced into a legacy environment. This is done by running either /PrepareLegacyExchangePermissions or /PrepareSchema. For more information on what /PrepareLegacyExchangePermissions actually does, see http://www.microsoft.com/technet/prodtechnol/exchange/E2k7Help/4c32f70c-d42b-4bf4-995e-65b68a947194.mspx.

The Exchange Information property set includes the attributes listed in the following table. Authenticated Users have read access to this property set, which allows any authenticated user to look up certain information about mail recipients (for example, through the Address Book).

Exchange Information property set

  • altRecipient
  • altRecipientBL
  • attributeCertificate
  • authOrig
  • authOrigBL
  • autoReply
  • autoReplyMessage
  • deletedItemFlags
  • delivContLength
  • deliverAndRedirect
  • deliveryMechanism
  • delivExtContTypes
  • dLMemberRule
  • dLMemDefault
  • dLMemRejectPerms
  • dLMemRejectPermsBL
  • dLMemSubmitPerms
  • dLMemSubmitPermsBL
  • dnQualifier
  • enabledProtocols
  • expirationTime
  • extensionAttribute1
  • extensionAttribute10
  • extensionAttribute11
  • extensionAttribute12
  • extensionAttribute13
  • extensionAttribute14
  • extensionAttribute15
  • extensionAttribute2
  • extensionAttribute3
  • extensionAttribute4
  • extensionAttribute5
  • extensionAttribute6
  • extensionAttribute7
  • extensionAttribute8
  • extensionAttribute9
  • extensionData
  • folderPathname
  • formData
  • forwardingAddress
  • heuristics
  • hideDLMembership
  • homeMDB
  • homeMTA
  • importedFrom
  • internetEncoding
  • kMServer
  • language
  • languageCode
  • mailNickname
  • mAPIRecipient
  • mDBOverHardQuotaLimit
  • mDBOverQuotaLimit

The Exchange Personal Information property set includes the attributes listed in the following table. These attributes are sensitive in nature, so to ensure that normal users cannot retrieve the data stored in them, they are placed in a separate property set to which Authenticated Users are not granted read access.

Exchange Personal Information property set

  • msExchMessageHygieneFlags
  • msExchMessageHygieneSCLDeleteThreshold
  • msExchMessageHygieneSCLQuarantineThreshold
  • msExchMessageHygieneSCLRejectThreshold
  • msExchSafeRecipientsHash
  • msExchSafeSendersHash
  • msExchUMPinChecksum
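The two statements above about who can read the Exchange Information and Exchange Personal Information sets are checkable in a forest. The following script is an added example, not code from the original article or from Exchange setup: it resolves a property set to its member attributes through the schema (an attribute's attributeSecurityGUID equals the property set's rightsGuid) and then lists every ACE on the domain root that refers to that set. It assumes the Exchange 2007 schema and domain preparation have run, that the property sets carry the displayName values used in the article, and that the caller can read the configuration and schema partitions.

```powershell
# Added example; not from the original article. Resolves which schema attributes
# belong to a named property set and lists the ACEs at the domain root that refer
# to it. Assumes the Exchange 2007 schema/domain prep has run and that the caller
# can read the configuration and schema partitions (any authenticated user can).
param([string]$PropertySetDisplayName = 'Exchange Personal Information')

Add-Type -AssemblyName System.DirectoryServices
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
$configNc = $rootDse.Properties['configurationNamingContext'][0]
$schemaNc = $rootDse.Properties['schemaNamingContext'][0]
$domainNc = $rootDse.Properties['defaultNamingContext'][0]

# 1. A property set is a controlAccessRight object under CN=Extended-Rights; its
#    rightsGuid is the ObjectType an ACE carries to mean "every attribute in the set".
$rightsRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Extended-Rights,$configNc")
$setSearch  = New-Object System.DirectoryServices.DirectorySearcher($rightsRoot)
$setSearch.Filter = "(&(objectClass=controlAccessRight)(displayName=$PropertySetDisplayName))"
[void]$setSearch.PropertiesToLoad.Add('rightsGuid')
$set = $setSearch.FindOne()
if (-not $set) { throw "Property set '$PropertySetDisplayName' not found under $configNc" }
$setGuid = [guid]$set.Properties['rightsguid'][0]

# 2. An attribute belongs to the set when its attributeSchema object's
#    attributeSecurityGUID equals that rightsGuid. The value is a binary GUID,
#    so each of its 16 bytes is escaped as \xx in the LDAP filter.
$escaped    = -join ($setGuid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ })
$schemaRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$schemaNc")
$attrSearch = New-Object System.DirectoryServices.DirectorySearcher($schemaRoot)
$attrSearch.Filter   = "(&(objectClass=attributeSchema)(attributeSecurityGUID=$escaped))"
$attrSearch.PageSize = 500
[void]$attrSearch.PropertiesToLoad.Add('lDAPDisplayName')
$members = @($attrSearch.FindAll() | ForEach-Object { $_.Properties['ldapdisplayname'][0] } | Sort-Object)

"'$PropertySetDisplayName' ($setGuid) contains $($members.Count) attributes:"
$members

# 3. Audit: every ACE on the domain root whose ObjectType is this property set.
#    Per the article, Authenticated Users should hold ReadProperty here for
#    'Exchange Information' but must not appear for 'Exchange Personal Information'.
$domain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domainNc")
$rules  = $domain.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
"ACEs on $domainNc that reference this property set:"
$rules | Where-Object { $_.ObjectType -eq $setGuid } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Run it once with each display name and compare the member list with the tables above; an unexpected trustee holding ReadProperty on the Exchange Personal Information set is the finding to follow up.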


- Ross Smith IV

Comments (4)
  1. Tim H says:

    So does this mean that the delegation wizard(s) have been updated to allow for more discrete permission application? Have additional roles been created (like mailbox admin – to perform any mailbox related permissions changes/address changes, etc)?

  2. Exchange says:

    Hi Tim,

    In Exchange 2007, the permission model has changed. We now use universal security groups for management of Exchange as opposed to adding access control entries within the configuration container. Membership of these groups can be controlled through the Exchange Management Shell or Console.

    – Exchange Organization Administrators -> controls all aspects of the org

    – Exchange Recipient Administrators -> have permissions within the forest to manage mail recipients

    – Exchange View-Only Administrators -> have permissions to view Exchange configuration data

    ….to be continued on next comment

  3. Exchange says:

    ….continued from last comment:

    Note that there is also an Exchange Server Administrators role with which you can delegate management of a particular server to an admin, but this is not controlled by group management; instead we add the access control entries directly on the server object within the configuration partition.

    As far as a discrete permission model…I will be posting a blog in the next few weeks that begins to go into that. For now, the implementation of the property sets allows us to better control mail-related attributes and reduces the number of access control entries that have to be granted. Unfortunately there is still not a mailbox administrator role, and elevated permissions are still required for certain operations (e.g. move mailbox).

    Hope this helps,

    Ross

  4. Anonymous says:

    I have previously listed the progress we’ve been making in posting ITPro focused Systems Management blog
