Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
Earlier versions of Microsoft Exchange Server did not rely heavily on property sets for applying permissions in the domain partition. Although this was not an issue in typical deployments, this became an issue for distributed environments that delegated all tasks. Administrators in these environments had to assign permissions for a multitude of attributes for mail recipients so that appropriate tasks could be delegated in a least-privilege access model. Depending on the version of the Active Directory directory service servers, this can cause serious access control list (ACL) bloat, increasing the size of the Ntds.dit file.
Exchange Server 2007 improves administrative delegation by using property sets for most mail recipient attributes.
What Are Property Sets?
A property set is a grouping of Active Directory attributes. You can control access to this grouping of Active Directory attributes by setting one access control entry (ACE) instead of setting an ACE on each property. Also, an attribute can only be a member of a single property set.
For example, the Personal-Information property set includes properties such as street address and telephone number. Both of these are properties of user objects.
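Membership in a property set is recorded in the schema itself: the controlAccessRight object that defines the set (under CN=Extended-Rights in the configuration partition) carries a rightsGuid, and every attributeSchema object that belongs to the set stores that same GUID in its attributeSecurityGUID attribute. The following script is an added example, not code from this article or from Microsoft; it assumes the Windows PowerShell ActiveDirectory module and read access to the schema and configuration partitions, and resolves a property set's members from a live forest so that the static lists further down can be checked against what is actually deployed.

```powershell
# Added example (not from the original article): list the attributes that belong to a property set
# by matching attributeSchema.attributeSecurityGUID against the set's rightsGuid.
# Assumes the ActiveDirectory module and read access to the schema and configuration partitions.
Import-Module ActiveDirectory

function Get-PropertySetMember {
    param(
        # displayName of the controlAccessRight, e.g. 'Personal Information', 'Exchange Information'
        [Parameter(Mandatory)][string]$DisplayName
    )

    $rootDse        = Get-ADRootDSE
    $extendedRights = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

    # The property set object; its rightsGuid is the GUID that object-specific ACEs refer to.
    $set = Get-ADObject -SearchBase $extendedRights `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid | Select-Object -First 1
    if (-not $set) { throw "Property set '$DisplayName' was not found under $extendedRights" }

    # attributeSecurityGUID is an octet string, so the LDAP filter needs the 16 GUID bytes escaped as \xx.
    $bytes   = ([guid]$set.rightsGuid).ToByteArray()
    $escaped = ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''

    Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(attributeSecurityGUID=$escaped))" `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName |
        Sort-Object
}

# Usage: compare the live membership with the tables in this article.
Get-PropertySetMember -DisplayName 'Personal Information'
Get-PropertySetMember -DisplayName 'Exchange Personal Information'
```

Because an attribute can carry only one attributeSecurityGUID, the output of this function for any two property sets never overlaps, which is the "single property set" rule stated above.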
Property Sets in Exchange Server 2003
In Exchange Server 2003, the Exchange schema extension process added many Exchange-related mail recipient attributes to the built-in Active Directory property sets, Personal Information and Public Information. The Exchange Enterprise Servers domain local security groups were assigned access to these property sets on the domain partitions during the domain preparation phase so that Recipient Update Service (RUS) could update objects. The following tables list the attributes in the Personal Information and Public Information property sets.
Public Information property set
allowedAttributes
allowedAttributesEffective
allowedChildClasses
allowedChildClassesEffective
altRecipient
altRecipientBL
altSecurityIdentities
attributeCertificate
authOrig
authOrigBL
autoReply
autoReplyMessage
cn
co
company
deletedItemFlags
delivContLength
deliverAndRedirect
deliveryMechanism
delivExtContTypes
department
description
directReports
displayNamePrintable
distinguishedName
division
dLMemberRule
dLMemDefault
dLMemRejectPerms
dLMemRejectPermsBL
dLMemSubmitPerms
dLMemSubmitPermsBL
dnQualifier
enabledProtocols
expirationTime
extensionAttribute1
extensionAttribute10
extensionAttribute11
extensionAttribute12
extensionAttribute13
extensionAttribute14
extensionAttribute15
extensionAttribute2
extensionAttribute3
extensionAttribute4
extensionAttribute5
extensionAttribute6
extensionAttribute7
extensionAttribute8
extensionAttribute9
extensionData
folderPathname
formData
forwardingAddress
givenName
heuristics
hideDLMembership
homeMDB
homeMTA
importedFrom
initials
internetEncoding
kMServer
language
languageCode
legacyExchangeDN
mail
mailNickname
manager
mAPIRecipient
mDBOverHardQuotaLimit
mDBOverQuotaLimit
mDBStorageQuota
mDBUseDefaults
msDS-AllowedToDelegateTo
msDS-Approx-Immed-Subordinates
msDS-Auxiliary-Classes
msExchADCGlobalNames
msExchALObjectVersion
msExchAssistantName
msExchConferenceMailboxBL
msExchControllingZone
msExchCustomProxyAddresses
msExchExpansionServerName
msExchFBURL
msExchHideFromAddressLists
msExchHomeServerName
msExchIMACL
msExchIMAddress
msExchIMAPOWAURLPrefixOverride
msExchIMMetaPhysicalURL
msExchIMPhysicalURL
msExchIMVirtualServer
msExchInconsistentState
msExchLabeledURI
msExchMailboxFolderSet
msExchMailboxGuid
msExchMailboxSecurityDescriptor
msExchMailboxUrl
msExchMasterAccountSid
msExchOmaAdminExtendedSettings
msExchOmaAdminWirelessEnable
msExchOriginatingForest
msExchPfRootUrl
msExchPFTreeType
msExchPoliciesExcluded
msExchPoliciesIncluded
msExchPolicyEnabled
msExchPolicyOptionList
msExchPreviousAccountSid
msExchProxyCustomProxy
msExchQueryBaseDN
msExchRecipLimit
msExchRequireAuthToSendTo
msExchResourceGUID
msExchResourceProperties
msExchTUIPassword
msExchTUISpeed
msExchTUIVolume
msExchUnmergedAttsPt
msExchUseOAB
msExchUserAccountControl
msExchVoiceMailboxID
name
notes
o
objectCategory
objectClass
objectGUID
oOFReplyToOriginator
otherMailbox
ou
pOPCharacterSet
pOPContentFormat
protocolSettings
proxyAddresses
publicDelegatesBL
replicatedObjectVersion
replicationSensitivity
replicationSignature
reportToOriginator
reportToOwner
securityProtocol
servicePrincipalName
showInAddressBook
sn
submissionContLength
supportedAlgorithms
systemFlags
targetAddress
telephoneAssistant
textEncodedORAddress
title
unauthOrig
unauthOrigBL
unmergedAtts
userPrincipalName

Personal Information property set
assistant
c
facsimileTelephoneNumber
homePhone
homePostalAddress
info
internationalISDNNumber
ipPhone
l
mobile
mSMQDigests
mSMQSignCertificates
otherFacsimileTelephoneNumber
otherHomePhone
otherIpPhone
otherMobile
otherPager
otherTelephone
pager
personalTitle
physicalDeliveryOfficeName
postalAddress
postalCode
postOfficeBox
preferredDeliveryMethod
primaryInternationalISDNNumber
primaryTelexNumber
publicDelegates
registeredAddress
st
street
streetAddress
telephoneNumber
teletexTerminalIdentifier
telexNumber
thumbnailPhoto
userCert
userCertificate
userSharedFolder
userSharedFolderOther
userSMIMECertificate
x121Address
However, when it came to delegation of permissions for management of mail recipients, many Active Directory administrators did not assign permissions to Exchange administrators by using these property sets because they provided access to many additional non-Exchange related attributes.
Property Sets in Exchange 2007
Exchange 2007 takes advantage of property sets by creating two new property sets exclusively for Exchange Server, instead of relying on preexisting Active Directory property sets. The improvements in Exchange 2007 include the following:
There is no longer a reliance on default Active Directory property sets. The Exchange-specific property sets address the uncertainty of potential change in future versions of the Active Directory property sets.
Attributes created by the Exchange schema extension are the only members of the Exchange-specific property sets.
Exchange-specific property sets enable the creation and deployment of a delegated security permission model that is specific to management of Exchange mail recipient data.
During the schema extension phase, Exchange 2007 performs several actions. These include the following:
It extends the schema with new classes and attributes.
It creates the Exchange Information and Exchange Personal Information property sets.
It adds the appropriate attributes to the Exchange Information and Exchange Personal Information property sets.
Exchange 2003 attributes that had been previously added to the Personal Information or Public Information property sets are moved accordingly to the Exchange-specific property sets.
Because attributes are moved between property sets, you must update the Exchange 2003 recipient permission structure when you implement Exchange 2007 in a legacy environment. You do this either by executing the setup /PrepareLegacyExchangePermissions command or the setup /PrepareSchema command. For more information about what the setup /PrepareLegacyExchangePermissions command does, see Preparing Legacy Exchange Permissions.
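With an Exchange-specific property set, delegating recipient management over an organizational unit takes one object-specific ACE whose ObjectType is the property set's rightsGuid, rather than one ACE per attribute; this is the least-privilege model the preceding bullets describe, and it avoids the ACL growth mentioned at the start of this topic. The script below is an added example, not code from this article or from Exchange setup; it assumes the ActiveDirectory module (which provides the AD: drive used by Get-Acl and Set-Acl), and the OU path and group name are placeholders.

```powershell
# Added example (not from the original article): grant a recipient-administration group write access to
# the Exchange Information property set on user objects under one OU, using a single object-specific ACE.
# Assumes the ActiveDirectory module; $ou and $delegateTo are placeholders.
Import-Module ActiveDirectory

$ou         = 'OU=Mailbox Users,DC=contoso,DC=example'   # placeholder OU
$delegateTo = 'CONTOSO\Exchange Recipient Admins'         # placeholder group
$rootDse    = Get-ADRootDSE

# Resolve the property set's rightsGuid; this GUID becomes the ACE's ObjectType.
$set = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Exchange Information))' `
    -Properties rightsGuid | Select-Object -First 1
if (-not $set) { throw 'Exchange Information property set not found; has setup /PrepareSchema run?' }
$propertySetGuid = [guid]$set.rightsGuid

# schemaIDGUID of the user class, so the inherited ACE applies only to user objects below the OU.
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' -Properties schemaIDGUID
$userClassGuid = [guid]$userClass.schemaIDGUID   # schemaIDGUID comes back as a 16-byte array

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.NTAccount]$delegateTo,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $propertySetGuid,                                                   # ObjectType: the property set
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)                                                     # InheritedObjectType: user class

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Read back only the ACEs on the OU that are scoped to this property set.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.ObjectType -eq $propertySetGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritedObjectType
```

The read-back at the end is the quick way to confirm that delegation was applied at the property-set level: a per-attribute delegation would instead show many ACEs, each with an ObjectType equal to an individual attribute's schemaIDGUID.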
The Exchange Information property set includes the attributes that are listed in the following table. In addition, Authenticated Users have read access to this property set so that they can look up specific pieces of information about mail recipients, for example, by using the Address Book in Microsoft Office Outlook.
Exchange Information property set
altRecipient
altRecipientBL
attributeCertificate
authOrig
authOrigBL
autoReply
autoReplyMessage
deletedItemFlags
delivContLength
deliverAndRedirect
deliveryMechanism
delivExtContTypes
dLMemberRule
dLMemDefault
dLMemRejectPerms
dLMemRejectPermsBL
dLMemSubmitPerms
dLMemSubmitPermsBL
dnQualifier
enabledProtocols
expirationTime
extensionAttribute1
extensionAttribute10
extensionAttribute11
extensionAttribute12
extensionAttribute13
extensionAttribute14
extensionAttribute15
extensionAttribute2
extensionAttribute3
extensionAttribute4
extensionAttribute5
extensionAttribute6
extensionAttribute7
extensionAttribute8
extensionAttribute9
extensionData
folderPathname
formData
forwardingAddress
heuristics
hideDLMembership
homeMDB
homeMTA
importedFrom
internetEncoding
kMServer
language
languageCode
mailNickname
mAPIRecipient
mDBOverHardQuotaLimit
mDBOverQuotaLimit
mDBStorageQuota
mDBUseDefaults
msExchADCGlobalNames
msExchALObjectVersion
msExchAssistantName
msExchConferenceMailboxBL
msExchControllingZone
msExchCustomProxyAddresses
msExchELCExpirySuspensionEnd
msExchELCExpirySuspensionStart
msExchELCMailboxFlags
msExchExpansionServerName
msExchExternalOOFOptions
msExchFBURL
msExchHideFromAddressLists
msExchHomeServerName
msExchIMACL
msExchIMAddress
msExchIMAPOWAURLPrefixOverride
msExchIMMetaPhysicalURL
msExchIMPhysicalURL
msExchIMVirtualServer
msExchInconsistentState
msExchLabeledURI
msExchMailboxFolderSet
msExchMailboxGuid
msExchMailboxOABVirtualDirectoriesLink
msExchMailboxSecurityDescriptor
msExchMailboxTemplateLink
msExchMailboxUrl
msExchMasterAccountHistory
msExchMasterAccountSid
msExchMaxBlockedSenders
msExchMaxSafeSenders
msExchMDBRulesQuota
msExchMessageHygieneSCLJunkThreshold
msExchMobileAllowedDeviceIDs
msExchMobileDebugLogging
msExchMobileMailboxFlags
msExchMobileMailboxPolicyLink
msExchOmaAdminExtendedSettings
msExchOmaAdminWirelessEnable
msExchOriginatingForest
msExchPfRootUrl
msExchPFTreeType
msExchPoliciesExcluded
msExchPoliciesIncluded
msExchPolicyEnabled
msExchPolicyOptionList
msExchPreviousAccountSid
msExchProxyCustomProxy
msExchPurportedSearchUI
msExchQueryBaseDN
msExchQueryFilterMetadata
msExchRecipientDisplayType
msExchRecipientTypeDetails
msExchRecipLimit
msExchRequireAuthToSendTo
msExchResourceCapacity
msExchResourceDisplay
msExchResourceGUID
msExchResourceMetaData
msExchResourceProperties
msExchResourceSearchProperties
msExchServerAdminDelegationBL
msExchTUIPassword
msExchTUISpeed
msExchTUIVolume
msExchUMAudioCodec
msExchUMDtmfMap
msExchUMEnabledFlags
msExchUMFaxId
msExchUMListInDirectorySearch
msExchUMMaxGreetingDuration
msExchUMOperatorNumber
msExchUMPinPolicyAccountLockoutFailures
msExchUMPinPolicyDisallowCommonPatterns
msExchUMPinPolicyExpiryDays
msExchUMPinPolicyMinPasswordLength
msExchUMRecipientDialPlanLink
msExchUMServerWritableFlags
msExchUMSpokenName
msExchUMTemplateLink
msExchUnmergedAttsPt
msExchUseOAB
msExchUserAccountControl
msExchUserCulture
msExchVersion
msExchVoiceMailboxID
oOFReplyToOriginator
pOPCharacterSet
pOPContentFormat
protocolSettings
publicDelegatesBL
replicatedObjectVersion
replicationSensitivity
replicationSignature
reportToOriginator
reportToOwner
securityProtocol
submissionContLength
supportedAlgorithms
targetAddress
telephoneAssistant
unauthOrig
unauthOrigBL
unmergedAtts
The Exchange Personal Information property set includes the attributes that are listed in the following table. To make sure that ordinary users cannot retrieve the data that is stored in these attributes, the attributes are put into a separate property set where Authenticated Users are not assigned read access.
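The distinction between the two Exchange property sets is only as good as the ACL that enforces it: Authenticated Users are meant to hold read access on Exchange Information but not on Exchange Personal Information (which carries safe-sender and safe-recipient hashes, message hygiene thresholds and the UM PIN checksum). The following script is an added example, not code from this article or from Exchange setup; it assumes the ActiveDirectory module and that the Exchange permissions of interest are applied at the domain partition root, and it reports every ReadProperty ACE scoped to either Exchange property set, flagging any that grants Authenticated Users (S-1-5-11) read access to Exchange Personal Information.

```powershell
# Added example (not from the original article): audit ReadProperty ACEs on the domain root that are
# scoped to the Exchange Information / Exchange Personal Information property sets, and flag any that
# gives Authenticated Users read access to the Exchange Personal Information set.
# Assumes the ActiveDirectory module; checks only the domain partition root.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext
$erBase   = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# Map each Exchange property set's rightsGuid to its display name.
$sets = @{}
foreach ($name in 'Exchange Information', 'Exchange Personal Information') {
    $car = Get-ADObject -SearchBase $erBase -Properties rightsGuid `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$name))" | Select-Object -First 1
    if ($car) { $sets[[guid]$car.rightsGuid] = $name }
}
if ($sets.Count -eq 0) { throw 'No Exchange property sets found; has setup /PrepareSchema run?' }

$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$readProp  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$acl       = Get-Acl -Path "AD:\$domainNC"

$report = foreach ($ace in $acl.Access) {
    # Keep only ACEs scoped to one of the two property sets and carrying ReadProperty.
    if (-not $sets.ContainsKey($ace.ObjectType)) { continue }
    if (($ace.ActiveDirectoryRights -band $readProp) -eq 0) { continue }

    $setName = $sets[$ace.ObjectType]
    $sid     = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])

    [pscustomobject]@{
        PropertySet = $setName
        Trustee     = $ace.IdentityReference.Value
        Type        = $ace.AccessControlType
        Inherited   = $ace.IsInherited
        # Authenticated Users reading Exchange Personal Information contradicts the model described above.
        Unexpected  = ($sid -eq $authUsers -and
                       $setName -eq 'Exchange Personal Information' -and
                       $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow)
    }
}

$report | Sort-Object PropertySet, Trustee | Format-Table -AutoSize
```

A row with Unexpected set to True means someone has widened read access on the sensitive set beyond what Exchange setup configures; the same loop can be pointed at any OU by changing the path passed to Get-Acl.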
Exchange Personal Information property set
msExchMessageHygieneFlags
msExchMessageHygieneSCLDeleteThreshold
msExchMessageHygieneSCLQuarantineThreshold
msExchMessageHygieneSCLRejectThreshold
msExchSafeRecipientsHash
msExchSafeSendersHash
msExchUMPinChecksum