NOTE: This article has also been published in the official Exchange 2007 documentation - http://technet.microsoft.com/en-us/library/bb310768.aspx. We recommend that you check the documentation for the most up-to-date version.
Overview
Previous versions of Exchange did not rely on property sets to a great extent for applying permissions in the domain partition. While this was not an issue in typical deployments, it became one in distributed environments that delegated all tasks. Administrators in these environments had to assign permissions on a multitude of mail recipient attributes so that tasks could be delegated under a least-privilege access model. Depending on the version of the Active Directory servers, this could have led to serious bloat in the Access Control Lists, increasing the size of the NTDS.DIT file.
Exchange 2007 improves the delegation story by utilizing property sets for the vast majority of mail recipient attributes.
Property Sets
For those who are not familiar with property sets: a property set is a grouping of attributes that lets you control access to a subset of an object's properties with a single Access Control Entry (ACE), rather than one ACE per individual property. An attribute can be a member of at most one property set.
For example, the Personal-Information property set includes properties such as street address and telephone number, both of which are properties of user objects.
Property Set Usage in Exchange Server 2003
In Exchange Server 2003, the Exchange schema extension process added many Exchange-related mail recipient attributes to the built-in Active Directory property sets Personal Information and Public Information. The Exchange Enterprise Servers domain local security groups were assigned access to these property sets on the domain partitions during the domain preparation phase so that the Recipient Update Service (RUS) could stamp objects.
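To see these property-set mechanics in a live forest, the following PowerShell script (an added example, not part of the original article) resolves which property set an attribute belongs to via its attributeSecurityGUID, lists every other attribute the same property-set ACE would cover, and shows the ACEs on an object that reference that property set. It assumes the ActiveDirectory module (RSAT) and read access to the schema and configuration partitions; the attribute name and OU distinguished name are illustrative placeholders.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsDN = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

function Get-PropertySetOfAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # attributeSecurityGUID on the attributeSchema object holds the property-set
    # GUID as a byte array; an attribute without it belongs to no property set.
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                -Properties attributeSecurityGUID
    if (-not $attr -or -not $attr.attributeSecurityGUID) { return $null }
    $setGuid = New-Object Guid (,[byte[]]$attr.attributeSecurityGUID)
    # Property sets are controlAccessRight objects whose validAccesses is
    # read-property + write-property (0x10 + 0x20 = 48), unlike extended rights.
    Get-ADObject -SearchBase $rightsDN -Properties displayName, rightsGuid `
        -LDAPFilter "(&(objectClass=controlAccessRight)(rightsGuid=$setGuid)(validAccesses=48))"
}

function Get-PropertySetMembers {
    param([Parameter(Mandatory)][Guid]$SetGuid)
    # A binary value in an LDAP filter must be escaped as \xx byte pairs.
    $escaped = ($SetGuid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    Get-ADObject -SearchBase $schemaNC -LDAPFilter "(attributeSecurityGUID=$escaped)" `
        -Properties lDAPDisplayName |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

function Get-PropertySetAces {
    param([Parameter(Mandatory)][string]$ObjectDN, [Parameter(Mandatory)][Guid]$SetGuid)
    # One ACE whose ObjectType is the property-set GUID covers every member attribute;
    # this is the ACE shape that avoids one entry per attribute in the ACL.
    (Get-Acl -Path "AD:\$ObjectDN").Access |
        Where-Object { $_.ObjectType -eq $SetGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

# Placeholder inputs: replace with an attribute and OU from your own environment.
$attribute = 'proxyAddresses'
$ouDN      = 'OU=Recipients,DC=example,DC=com'

$set = Get-PropertySetOfAttribute -LdapDisplayName $attribute
if ($set) {
    "$attribute is in property set '$($set.displayName)' ($($set.rightsGuid))"
    Get-PropertySetMembers -SetGuid ([Guid]$set.rightsGuid)
    Get-PropertySetAces -ObjectDN $ouDN -SetGuid ([Guid]$set.rightsGuid)
} else {
    "$attribute is not a member of any property set"
}
```

Comparing the output of Get-PropertySetAces with the per-attribute ACEs on the same OU shows how much of an ACL a single property-set grant replaces.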
Public Information property set
| allowedAttributes | formData |
| allowedAttributesEffective | forwardingAddress |
| allowedChildClasses | givenName |
| allowedChildClassesEffective | heuristics |
| altRecipient | hideDLMembership |
| altRecipientBL | homeMDB |
| altSecurityIdentities | homeMTA |
| attributeCertificate | importedFrom |
| authOrig | Initials |
| authOrigBL | msExchIMAddress |
| autoReply | msExchIMAPOWAURLPrefixOverride |
| autoReplyMessage | msExchIMMetaPhysicalURL |
| cn | msExchIMPhysicalURL |
| co | msExchIMVirtualServer |
| company | msExchInconsistentState |
| deletedItemFlags | msExchLabeledURI |
| delivContLength | msExchMailboxFolderSet |
| deliverAndRedirect | msExchMailboxGuid |
| deliveryMechanism | msExchMailboxSecurityDescriptor |
| delivExtContTypes | msExchMailboxUrl |
| department | msExchMasterAccountSid |
| description | msExchOmaAdminExtendedSettings |
| directReports | msExchOmaAdminWirelessEnable |
| displayNamePrintable | msExchOriginatingForest |
| distinguishedName | msExchPfRootUrl |
| division | msExchPFTreeType |
| dLMemberRule | msExchPoliciesExcluded |
| dLMemDefault | msExchPoliciesIncluded |
| dLMemRejectPerms | msExchPolicyEnabled |
| dLMemRejectPermsBL | msExchPolicyOptionList |
| dLMemSubmitPerms | msExchPreviousAccountSid |
| dLMemSubmitPermsBL | msExchProxyCustomProxy |
| dnQualifier | msExchQueryBaseDN |
| enabledProtocols | msExchRecipLimit |
| expirationTime | msExchRequireAuthToSendTo |
| extensionAttribute1 | msExchResourceGUID |
| extensionAttribute10 | msExchResourceProperties |
| extensionAttribute11 | msExchTUIPassword |
| extensionAttribute12 | msExchTUISpeed |
| extensionAttribute13 | msExchTUIVolume |
| extensionAttribute14 | msExchUnmergedAttsPt |
| extensionAttribute15 | msExchUseOAB |
| extensionAttribute2 | msExchUserAccountControl |
| extensionAttribute3 | msExchVoiceMailboxID |
| extensionAttribute4 | name |
| extensionAttribute5 | notes |
| extensionAttribute6 | o |
| extensionAttribute7 | objectCategory |
| extensionAttribute8 | objectClass |
| extensionAttribute9 | objectGUID |
| extensionData | oOFReplyToOriginator |
| folderPathname | otherMailbox |
| internetEncoding | ou |
| kMServer | pOPCharacterSet |
| language | pOPContentFormat |
| languageCode | protocolSettings |
| legacyExchangeDN | proxyAddresses |
| mail | publicDelegatesBL |
| mailNickname | replicatedObjectVersion |
| manager | replicationSensitivity |
| mAPIRecipient | replicationSignature |
| mDBOverHardQuotaLimit | reportToOriginator |
| mDBOverQuotaLimit | reportToOwner |
| mDBStorageQuota | securityProtocol |
| mDBUseDefaults | servicePrincipalName |
| msDS-AllowedToDelegateTo | showInAddressBook |
| msDS-Approx-Immed-Subordinates | sn |
| msDS-Auxiliary-Classes | submissionContLength |
| msExchADCGlobalNames | supportedAlgorithms |
| msExchALObjectVersion | systemFlags |
| msExchAssistantName | targetAddress |
| msExchConferenceMailboxBL | telephoneAssistant |
| msExchControllingZone | textEncodedORAddress |
| msExchCustomProxyAddresses | title |
| msExchExpansionServerName | unauthOrig |
| msExchFBURL | unauthOrigBL |
| msExchHideFromAddressLists | unmergedAtts |
| msExchHomeServerName | userPrincipalName |
| msExchIMACL | |
Personal Information property set
| assistant | physicalDeliveryOfficeName |
| c | postalAddress |
| facsimileTelephoneNumber | postalCode |
| homePhone | postOfficeBox |
| homePostalAddress | preferredDeliveryMethod |
| info | primaryInternationalISDNNumber |
| internationalISDNNumber | prima |