How to determine attributes contained within "Public Information" and "Personal Information" in Exchange (924193)



The information in this article applies to:

  • Microsoft Exchange Server 2003 Enterprise Edition
  • Microsoft Exchange Server 2003 Standard Edition

Source: Microsoft Support

RAPID PUBLISHING

RAPID PUBLISHING ARTICLES PROVIDE INFORMATION IN RESPONSE TO EMERGING OR UNIQUE TOPICS, AND MAY BE UPDATED AS NEW INFORMATION BECOMES AVAILABLE.

SUMMARY

This document discusses how to find the attributes contained within "Personal Information" and "Public Information" and also documents a list of attributes contained within them in Exchange 2003 RTM.

MORE INFORMATION

When you use the "Security" tab of any Active Directory snap-in to modify permissions on AD objects, the "Advanced" tab gives you the option to grant account permissions in a more granular fashion. You typically want this granularity when you assign administrative rights to users on OUs. However, a few permissions are not very granular, because they contain subsets of additional attributes that cannot be expanded through the user interface. These coarse permissions are called:

  • "Read Personal Information"
  • "Write Personal Information"
  • "Write Public Information"
  • "Read Public Information"

There is no intuitive method to determine the groups of attributes contained within "Personal Information" and "Public Information", so the security teams at many companies avoid these options.

The MSDN documentation for personal and public information does not contain a complete list of attributes, since each customer environment is different and schemas change over time and as more applications are installed that add to the schema. The MSDN links for a basic Windows forest are listed here, but they grow even more incomplete as the product evolves:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/r_personal_information.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/r_public_information.asp

Note that if Exchange 2003's schema is in the forest, you might have a different subset of attributes than in Exchange 2000.

  1. On any domain controller, open a command prompt and type LDIFDE.exe -f schema.ldf -d "cn=schema,cn=configuration,dc=firstdomaininforest,dc=com"
  2. Open schema.ldf in Notepad. Note that you cannot simply search for the text string "public information" or "personal information".
  3. We will be searching for the GUIDs of "personal information" and "public information". The GUID for "personal information" is 77b5b886-944a-11d1-aebd-0000f80367c1 and the GUID for "public information" is e48d0154-bcf8-11d1-8702-00c04fb96050. The GUIDs are documented in the MSDN articles above.

    Each of the attributes contained within "personal information" and "public information" is described in the cn=aggregate,cn=schema object. However, because the LDF file is wrapped, a GUID is often split across two lines. Thus, searching for the last 12 bytes of any GUID will not find all attributes. Therefore, we must execute two searches for public information and two searches for personal information.
  4. We will start off by searching for attributes contained within public information. Search first for 00c04fb96050 (the last 12 bytes of e48d0154-bcf8-11d1-8702-00c04fb96050).

    Note that you will find the following chunk of data:
     ( 1.2.840.113556.1.4.7000.102.80 NAME 'msExchMailboxSecurityDescriptor' RANGE-
     LOWER '0' RANGE-UPPER '65535' PROPERTY-GUID '26E94D939EB0D211AA0600C04F8EEDD8'
      PROPERTY-SET-GUID '54018DE4F8BCD111870200C04FB96050' )
    Thus, msExchMailboxSecurityDescriptor is contained within "public information." Repeat this step until you've recorded all of the attributes you found.
  5. However, we must search again, because our previous search will have missed a few attributes due to the word-wrapping of the LDF file. This time, we will search using 54018DE4 as the search string. (54018DE4 is the first 8 bytes of e48d0154-bcf8-11d1-8702-00c04fb96050; the bytes are swapped because the first 8 bytes of a GUID are usually documented in little-endian format.) Our second search finds many repeated properties, but note that it also finds the following attribute, which was not located by our first search on the string 00c04fb96050:
     ( 1.2.840.113556.1.6.20.1.124 NAME 'msExchOmaAdminWirelessEnable' PROPERTY-GUI
     D 'BEBFA7C16B1137478CD9D29EF5B3690E' PROPERTY-SET-GUID '54018DE4F8BCD111870200
     C04FB96050' )
    
    Thus, you should add msExchOmaAdminWirelessEnable to the list you compiled in Step 4. Repeat your "Find" operation, and record additional attributes found that weren't found in step 4.
  6. The same concepts can be applied to "personal information" by searching on its GUID in both forms.
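The search described in steps 1 through 6, automated as an added example that is not part of the original article: a Python script that unfolds the LDIF continuation lines (so a GUID split by word-wrapping is never missed and no second search is needed), converts the dashed GUID from the MSDN articles into the byte-swapped form that appears in PROPERTY-SET-GUID, and lists every attribute whose property set matches. SAMPLE_LDIF is constructed for the example: the two msExch definitions mirror the chunks shown in steps 4 and 5, while the homePhone and cn entries and every PROPERTY-GUID value are placeholders. Point it at the schema.ldf you exported in step 1 to get the list for your own forest.

```python
import re
import sys
import uuid

# Property-set GUIDs as documented on MSDN and quoted in step 3.
PERSONAL_INFORMATION = "77b5b886-944a-11d1-aebd-0000f80367c1"
PUBLIC_INFORMATION = "e48d0154-bcf8-11d1-8702-00c04fb96050"

# Constructed sample of the cn=Aggregate entry as LDIFDE writes it: long values
# are wrapped and each continuation line starts with a single space.  The two
# msExch definitions mirror the chunks shown in steps 4 and 5; the homePhone
# and cn entries and all PROPERTY-GUID values are placeholders for this example.
SAMPLE_LDIF = """\
dn: CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: subSchema
attributeTypes: ( 1.2.840.113556.1.4.7000.102.80 NAME 'msExchMailboxSecurityDescriptor' RANGE-
 LOWER '0' RANGE-UPPER '65535' PROPERTY-GUID '26E94D939EB0D211AA0600C04F8EEDD8'
  PROPERTY-SET-GUID '54018DE4F8BCD111870200C04FB96050' )
attributeTypes: ( 1.2.840.113556.1.6.20.1.124 NAME 'msExchOmaAdminWirelessEnable' PROPERTY-GUI
 D 'BEBFA7C16B1137478CD9D29EF5B3690E' PROPERTY-SET-GUID '54018DE4F8BCD111870200
 C04FB96050' )
attributeTypes: ( 0.9.2342.19200300.100.1.20 NAME 'homePhone' PROPERTY-GUID '00000000000000000000000000000001'
  PROPERTY-SET-GUID '86B8B5774A94D111AEBD0000F80367C1' )
attributeTypes: ( 2.5.4.3 NAME 'cn' PROPERTY-GUID '00000000000000000000000000000002' )
"""

# NAME '...' followed (somewhere later on the same unfolded line) by a 32-hex-digit
# PROPERTY-SET-GUID '...'.
ATTR_RE = re.compile(r"NAME\s+'([^']+)'.*?PROPERTY-SET-GUID\s+'([0-9A-Fa-f]{32})'")


def property_set_hex(guid: str) -> str:
    """Return a dashed GUID in the form used by PROPERTY-SET-GUID.

    The schema stores the raw 16 bytes of the GUID, so the first three fields
    are byte-swapped (little-endian) relative to the dashed text form.  This is
    why step 5 searches for 54018DE4 rather than e48d0154.
    """
    return uuid.UUID(guid).bytes_le.hex().upper()


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (leading space, RFC 2849) onto their predecessor."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # drop the single folding space
        else:
            lines.append(raw)
    return lines


def attributes_in_property_set(ldif_text: str, guid: str) -> list:
    """List (sorted, de-duplicated) attribute names whose property set is `guid`."""
    wanted = property_set_hex(guid)
    found = set()
    for line in unfold_ldif(ldif_text):
        m = ATTR_RE.search(line)
        if m and m.group(2).upper() == wanted:
            found.add(m.group(1))
    return sorted(found)


def main(argv: list) -> None:
    if len(argv) > 1:
        # LDIFDE writes ANSI unless -u was given; attribute names are ASCII either way.
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LDIF
    for label, guid in (("Public information", PUBLIC_INFORMATION),
                        ("Personal information", PERSONAL_INFORMATION)):
        names = attributes_in_property_set(text, guid)
        print(f"{label} ({property_set_hex(guid)}): {len(names)} attributes")
        for name in names:
            print(f"  '{name}'")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python find_property_set.py schema.ldf`; with no argument it runs against the constructed sample. Because the file is unfolded before matching, one pass per property set replaces the two manual "Find" passes in steps 4 and 5, and the same parser serves "personal information" in step 6 without any change.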

Here is a list I've compiled from a Windows 2000 forest with Exchange 2003's schema extensions:
Public information:
'msExchccMailImportExportVersion' 
'allowedChildClassesEffective' 
'msExchExpansionServerName' 
'msExchResourceProperties' 
'msExchMailboxSecurityDescriptor' 
'msExchIMAPOWAURLPrefixOverride' 
'msExchOmaAdminExtendedSettings' 
'msExchOmaAdminWirelessEnable' 
'msExchCustomProxyAddresses' 
'msExchHideFromAddressLists' 
'allowedAttributesEffective' 
'msExchRequireAuthToSendTo' 
'msExchConferenceMailboxBL' 
'msExchUserAccountControl' 
'msExchPreviousAccountSid' 
'msExchInconsistentState' 
'msExchOriginatingForest' 
'msExchIMMetaPhysicalURL' 
'msExchProxyCustomProxy' 
'replicatedObjectVersion' 
'msExchPolicyOptionList' 
'replicationSensitivity' 
'msExchMasterAccountSid' 
'msExchMailboxFolderSet' 
'msExchPoliciesExcluded' 
'msExchPoliciesIncluded' 
'msExchIMVirtualServer' 
'msExchControllingZone' 
'altSecurityIdentities' 
'mDBOverHardQuotaLimit' 
'msExchALObjectVersion' 
'textEncodedORAddress' 
'servicePrincipalName' 
'msExchVoiceMailboxID' 
'msExchUnmergedAttsPt' 
'oOFReplyToOriginator' 
'submissionContLength' 
'replicationSignature' 
'msExchHomeServerName' 
'displayNamePrintable' 
'attributeCertificate' 
'msExchADCGlobalNames' 
'supportedAlgorithms' 
'extensionAttribute1'
'extensionAttribute2'
'extensionAttribute3'
'extensionAttribute4'
'extensionAttribute5'
'extensionAttribute6'
'extensionAttribute7'
'extensionAttribute9'
'extensionAttribute10'
'extensionAttribute11'
'extensionAttribute12'
'extensionAttribute13'
'extensionAttribute14'
'extensionAttribute15'
'msExchIMPhysicalURL'
'msExchAssistantName' 
'msExchPolicyEnabled'  
'allowedChildClasses' 
'reportToOriginator' 
'telephoneAssistant' 
'msExchResourceGUID' 
'dLMemSubmitPermsBL' 
'dLMemRejectPermsBL' 
'deliverAndRedirect' 
'userPrincipalName' 
'showInAddressBook' 
'msExchTUIPassword' 
'delivExtContTypes' 
'distinguishedName' 
'mDBOverQuotaLimit' 
'allowedAttributes' 
'msExchQueryBaseDN' 
'msExchMailboxGuid' 
'forwardingAddress' 
'deliveryMechanism' 
'publicDelegatesBL' 
'securityProtocol' 
'protocolSettings' 
'msExchRecipLimit' 
'pOPContentFormat' 
'msExchPFTreeType' 
'msExchMailboxUrl' 
'dLMemSubmitPerms' 
'autoReplyMessage' 
'internetEncoding' 
'enabledProtocols' 
'dLMemRejectPerms' 
'msExchLabeledURI' 
'hideDLMembership' 
'deletedItemFlags' 
'legacyExchangeDN' 
'msExchPfRootUrl' 
'msExchTUIVolume' 
'pOPCharacterSet' 
'mDBStorageQuota' 
'delivContLength' 
'msExchIMAddress' 
'proxyAddresses' 
'objectCategory' 
'msExchTUISpeed' 
'expirationTime' 
'mDBUseDefaults' 
'altRecipientBL' 
'folderPathname' 
'directReports' 
'reportToOwner' 
'extensionData' 
'importedFrom' 
'targetAddress' 
'mAPIRecipient' 
'unmergedAtts' 
'unauthOrigBL' 
'otherMailbox' 
'msExchUseOAB' 
'altRecipient' 
'dLMemDefault' 
'dLMemberRule' 
'languageCode' 
'mailNickname' 
'dnQualifier' 
'systemFlags' 
'msExchFBURL' 
'description' 
'objectClass' 
'msExchIMACL' 
'unauthOrig' 
'heuristics' 
'authOrigBL' 
'department' 
'objectGUID' 
'autoReply' 
'givenName' 
'kMServer' 
'division' 
'authOrig' 
'initials' 
'formData' 
'language' 
'company' 
'homeMTA' 
'homeMDB' 
'manager' 
'notes' 
'title' 
'mail' 
'name' 
'ou' 
'sn' 
'co' 
'cn' 
'o' 

Personal Information:
'primaryInternationalISDNNumber' 
'otherFacsimileTelephoneNumber' 
'physicalDeliveryOfficeName' 
'teletexTerminalIdentifier' 
'facsimileTelephoneNumber' 
'internationalISDNNumber' 
'preferredDeliveryMethod' 
'primaryTelexNumber' 
'userSharedFolderOther' 
'userSMIMECertificate' 
'mSMQSignCertificates' 
'registeredAddress' 
'userSharedFolder' 
'userCertificate' 
'homePostalAddress' 
'telephoneNumber' 
'publicDelegates' 
'otherTelephone' 
'thumbnailPhoto' 
'otherHomePhone' 
'postOfficeBox' 
'personalTitle' 
'streetAddress' 
'postalAddress' 
'otherIpPhone' 
'telexNumber' 
'mSMQDigests' 
'otherMobile' 
'postalCode' 
'otherPager' 
'x121Address' 
'assistant' 
'homePhone' 
'userCert' 
'ipPhone' 
'street' 
'mobile' 
'pager' 
'info' 
'st' 
'l' 
'c' 

DISCLAIMER

MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE FOR ANY PURPOSE. THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED HEREIN AT ANY TIME.

For more information on the terms of use, click on the link below:
http://support.microsoft.com/tou/

Modification Type: Minor    Last Reviewed: 10/6/2006
Keywords:kbhowto kbrapidpub KB924193 kbAudITPRO