Property Sets in Exchange Server 2007
NOTE: This article has also been published in the official Exchange 2007 documentation - http://technet.microsoft.com/en-us/library/bb310768.aspx. We recommend that you check the documentation for the most up-to-date version.

Overview

Previous versions of Exchange made little use of property sets when applying permissions in the domain partition. While this was not an issue in typical deployments, it became one in distributed environments that delegated all tasks. Administrators in these environments had to assign permissions on a multitude of mail recipient attributes so that the appropriate tasks could be delegated under a least privilege access model. Depending on the version of the Active Directory servers, this could have led to serious bloat in the Access Control Lists, increasing the size of the NTDS.DIT file. Exchange 2007 improves the delegation story by using property sets for the vast majority of mail recipient attributes.

Property Sets

For those not familiar with property sets: a property set is a grouping of attributes that lets you control access to a subset of an object's properties by setting one single Access Control Entry (ACE), rather than one ACE per individual property. An attribute can be a member of only one property set. For example, the Personal-Information property set includes properties such as street address and telephone number, both of which are properties of user objects.

Property Set Usage in Exchange Server 2003

In Exchange Server 2003, the Exchange schema extension process added many Exchange-related mail recipient attributes to the built-in Active Directory property sets Personal Information and Public Information. The Exchange Enterprise Servers domain local security groups were granted access to these property sets on the domain partitions during the domain preparation phase so that the Recipient Update Service (RUS) could stamp objects.
Public Information property set

allowedAttributes, allowedAttributesEffective, allowedChildClasses, allowedChildClassesEffective, altRecipient, altRecipientBL, altSecurityIdentities, attributeCertificate, authOrig, authOrigBL, autoReply, autoReplyMessage, cn, co, company, deletedItemFlags, delivContLength, deliverAndRedirect, deliveryMechanism, delivExtContTypes, department, description, directReports, displayNamePrintable, distinguishedName, division, dLMemberRule, dLMemDefault, dLMemRejectPerms, dLMemRejectPermsBL, dLMemSubmitPerms, dLMemSubmitPermsBL, dnQualifier, enabledProtocols, expirationTime, extensionAttribute1, extensionAttribute10, extensionAttribute11, extensionAttribute12, extensionAttribute13, extensionAttribute14, extensionAttribute15, extensionAttribute2, extensionAttribute3, extensionAttribute4, extensionAttribute5, extensionAttribute6, extensionAttribute7, extensionAttribute8, extensionAttribute9, extensionData, folderPathname, formData, forwardingAddress, givenName, heuristics, hideDLMembership, homeMDB, homeMTA, importedFrom, Initials, internetEncoding, kMServer, language, languageCode, legacyExchangeDN, mail, mailNickname, manager, mAPIRecipient, mDBOverHardQuotaLimit, mDBOverQuotaLimit, mDBStorageQuota, mDBUseDefaults, msDS-AllowedToDelegateTo, msDS-Approx-Immed-Subordinates, msDS-Auxiliary-Classes, msExchADCGlobalNames, msExchALObjectVersion, msExchAssistantName, msExchConferenceMailboxBL, msExchControllingZone, msExchCustomProxyAddresses, msExchExpansionServerName, msExchFBURL, msExchHideFromAddressLists, msExchHomeServerName, msExchIMACL, msExchIMAddress, msExchIMAPOWAURLPrefixOverride, msExchIMMetaPhysicalURL, msExchIMPhysicalURL, msExchIMVirtualServer, msExchInconsistentState, msExchLabeledURI, msExchMailboxFolderSet, msExchMailboxGuid, msExchMailboxSecurityDescriptor, msExchMailboxUrl, msExchMasterAccountSid, msExchOmaAdminExtendedSettings, msExchOmaAdminWirelessEnable, msExchOriginatingForest, msExchPfRootUrl, msExchPFTreeType, msExchPoliciesExcluded, msExchPoliciesIncluded, msExchPolicyEnabled, msExchPolicyOptionList, msExchPreviousAccountSid, msExchProxyCustomProxy, msExchQueryBaseDN, msExchRecipLimit, msExchRequireAuthToSendTo, msExchResourceGUID, msExchResourceProperties, msExchTUIPassword, msExchTUISpeed, msExchTUIVolume, msExchUnmergedAttsPt, msExchUseOAB, msExchUserAccountControl, msExchVoiceMailboxID, name, notes, o, objectCategory, objectClass, objectGUID, oOFReplyToOriginator, otherMailbox, ou, pOPCharacterSet, pOPContentFormat, protocolSettings, proxyAddresses, publicDelegatesBL, replicatedObjectVersion, replicationSensitivity, replicationSignature, reportToOriginator, reportToOwner, securityProtocol, servicePrincipalName, showInAddressBook, sn, submissionContLength, supportedAlgorithms, systemFlags, targetAddress, telephoneAssistant, textEncodedORAddress, title, unauthOrig, unauthOrigBL, unmergedAtts, userPrincipalName

Personal Information property set

assistant, c, facsimileTelephoneNumber, homePhone, homePostalAddress, info, internationalISDNNumber, ipPhone, l, mobile, mSMQDigests, mSMQSignCertificates, otherFacsimileTelephoneNumber, otherHomePhone, otherIpPhone, otherMobile, otherPager, otherTelephone, pager, personalTitle, physicalDeliveryOfficeName, postalAddress, postalCode, postOfficeBox, preferredDeliveryMethod, primaryInternationalISDNNumber, primaryTelexNumber, publicDelegates, registeredAddress, st, street, streetAddress, telephoneNumber, teletexTerminalIdentifier, telexNumber, thumbnailPhoto, userCert, userCertificate, userSharedFolder, userSharedFolderOther, X121Address

However, when it came to delegating permissions for the management of mail recipients, many Active Directory administrators did not grant Exchange administrators access via these property sets, since the sets also provide access to many additional attributes that have nothing to do with Exchange.

Property Set Usage in Exchange Server 2007

Exchange 2007 takes advantage of property sets by creating two new property sets exclusively for Exchange, rather than relying on pre-existing Active Directory property sets.
This addresses several issues that existed with previous versions of Exchange:

- There is no longer a reliance on default Active Directory property sets, which removes the uncertainty around those sets, as they could change in future release cycles of Windows Server Active Directory.
- Only attributes created by the Exchange schema extension are members of the Exchange-specific property sets.
- A delegated security permission model for the management of Exchange mail recipient data can be created and deployed.

During the schema extension phase, Exchange 2007 performs several actions:

- Extends the schema with new classes and attributes.
- Creates the property sets Exchange Information and Exchange Personal Information.
- Adds the appropriate attributes to the Exchange Information and Exchange Personal Information property sets. Exchange 2003 attributes that had previously been added to the Personal Information or Public Information property sets are moved to the corresponding Exchange-specific property set.

Because attributes move between property sets, the Exchange 2003 recipient permission structure must be updated when Exchange 2007 is introduced into a legacy environment. This is accomplished by running either /PrepareLegacyExchangePermissions or /PrepareSchema. For more information on what /PrepareLegacyExchangePermissions actually does, see http://www.microsoft.com/technet/prodtechnol/exchange/E2k7Help/4c32f70c-d42b-4bf4-995e-65b68a947194.mspx.

The Exchange Information property set includes the attributes listed in the following table. In addition, Authenticated Users have read access to this property set, which allows authenticated users to look up certain pieces of information about mail recipients (for example, via the Address Book).
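The following PowerShell audit is an added example, not code from the original article. It resolves a property set's rightsGuid from the Extended-Rights container, lists the schema attributes whose attributeSecurityGUID places them in that set, and reports which principals hold read access to that set on the domain partition, so you can confirm that Authenticated Users appear for Exchange Information but not for Exchange Personal Information. It assumes the ActiveDirectory PowerShell module (Windows PowerShell 5.1 or later) and read access to the schema and domain naming contexts; the function name Get-PropertySetAudit is my own.

```powershell
# Added audit example (not from the original article). Assumes the ActiveDirectory
# module (Windows PowerShell 5.1+) and read access to the schema and domain NCs.
Import-Module ActiveDirectory

function Get-PropertySetAudit {
    param([string]$PropertySetName = 'Exchange Personal Information')

    $rootDse  = Get-ADRootDSE
    $schemaNC = $rootDse.schemaNamingContext
    $configNC = $rootDse.configurationNamingContext
    $domainNC = $rootDse.defaultNamingContext

    # A property set is a controlAccessRight object under Extended-Rights; its
    # rightsGuid is the GUID that an ACE's ObjectType field refers to.
    $set = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$PropertySetName))" `
        -Properties rightsGuid
    if (-not $set) { throw "Property set '$PropertySetName' not found" }
    $setGuid = [guid]$set.rightsGuid

    # Membership: an attribute belongs to the set whose GUID is stored in its
    # attributeSecurityGUID, which is why an attribute is in at most one set.
    $members = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(attributeSecurityGUID=*))' `
        -Properties lDAPDisplayName, attributeSecurityGUID |
        Where-Object { [guid]::new([byte[]]$_.attributeSecurityGUID) -eq $setGuid } |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object

    # Allow ACEs on the domain partition that grant read on this set (ObjectType
    # equals the rightsGuid) or on all properties (empty ObjectType).
    $readers = (Get-Acl -Path "AD:\$domainNC").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -or
         $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericRead)) -and
        ($_.ObjectType -eq $setGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited

    [pscustomobject]@{
        PropertySet = $PropertySetName
        RightsGuid  = $setGuid
        Members     = $members
        ReadAllowed = $readers
    }
}

# Compare the two Exchange 2007 sets: Authenticated Users should be listed only
# under Exchange Information, never under Exchange Personal Information.
Get-PropertySetAudit 'Exchange Information'
Get-PropertySetAudit 'Exchange Personal Information'
```

An ACE with an empty ObjectType grants read on every property, so any such entry for a broad principal deserves the same scrutiny as a direct grant on the Exchange Personal Information set.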
Exchange Information property set

altRecipient, altRecipientBL, attributeCertificate, authOrig, authOrigBL, autoReply, autoReplyMessage, deletedItemFlags, delivContLength, deliverAndRedirect, deliveryMechanism, delivExtContTypes, dLMemberRule, dLMemDefault, dLMemRejectPerms, dLMemRejectPermsBL, dLMemSubmitPerms, dLMemSubmitPermsBL, dnQualifier, enabledProtocols, expirationTime, extensionAttribute1, extensionAttribute10, extensionAttribute11, extensionAttribute12, extensionAttribute13, extensionAttribute14, extensionAttribute15, extensionAttribute2, extensionAttribute3, extensionAttribute4, extensionAttribute5, extensionAttribute6, extensionAttribute7, extensionAttribute8, extensionAttribute9, extensionData, folderPathname, formData, forwardingAddress, heuristics, hideDLMembership, homeMDB, homeMTA, importedFrom, internetEncoding, kMServer, language, languageCode, mailNickname, mAPIRecipient, mDBOverHardQuotaLimit, mDBOverQuotaLimit

The Exchange Personal Information property set includes the attributes listed in the following table. These attributes are sensitive in nature, so to ensure that normal users cannot retrieve the data stored in them, they are placed in a separate property set to which Authenticated Users are not granted read access.

Exchange Personal Information property set

msExchMessageHygieneFlags, msExchMessageHygieneSCLDeleteThreshold, msExchMessageHygieneSCLQuarantineThreshold, msExchMessageHygieneSCLRejectThreshold, msExchSafeRecipientsHash, msExchSafeSendersHash, msExchUMPinChecksum

- Ross Smith IV

Office 365 Message Attribution
When a message arrives at Office 365, one of the first things we need to do is figure out which organization it belongs to. At first, this sounds simple – just look at the recipient, right? Well, it is more complicated than that, because of Hybrid and complex routing scenarios.