When you use the Security tab of any Active Directory snap-in to modify
permissions on AD objects, the Advanced view lets you grant permissions in a
more granular fashion. You typically want this granularity when delegating
administrative rights over OUs to users. However, a few of the permissions
offered there are not granular at all: each is a property set that bundles a
group of attributes, and the user interface gives no way to expand it and see
which attributes are inside. These coarse-grained permissions are called
"Read Personal Information"
"Write Personal Information"
"Write Public Information"
"Read Public Information"
There is no intuitive way to determine which attributes "Personal Information"
and "Public Information" contain, so security teams at many companies avoid
these options. The caution is justified: granting "Write Public Information",
for example, grants write access to every attribute in the set, and the list
compiled below shows that this includes attributes with authentication impact
such as altSecurityIdentities, servicePrincipalName and userPrincipalName.
The MSDN documentation for the two property sets does not contain a complete
list of attributes, since each customer environment is different and schemas
change over time as applications are installed that extend the schema. The
MSDN links for a basic Windows forest are listed here, but they grow more
incomplete as the product evolves:
http://msdn2.microsoft.com/en-us/library/ms684394.aspx
http://msdn2.microsoft.com/en-us/library/ms684396.aspx
Note that if Exchange 2003's schema is in the forest, you may have a different
subset of attributes than with Exchange 2000.
- On any domain controller, open a command prompt and type:
ldifde.exe -f schema.ldf -d "cn=schema,cn=configuration,dc=firstdomaininforest,dc=com"
- Open schema.ldf in Notepad. Note that you cannot simply search for the text
string "public information" or "personal information": the file refers to the
property sets only by GUID.
- We will be searching for the GUIDs of the "Personal Information" and "Public
Information" property sets. The GUID for "Personal Information" is
77b5b886-944a-11d1-aebd-0000f80367c1 and the GUID for "Public Information" is
e48d0154-bcf8-11d1-8702-00c04fb96050. Both GUIDs are documented in the MSDN
articles above.
Each attribute contained in "Personal Information" or "Public Information" is
described in the cn=aggregate,cn=schema object, which the export includes, by
a PROPERTY-SET-GUID value. However, because LDIFDE wraps long values onto
continuation lines, a GUID is often split across a line break. Thus, searching
for the last 12 hex characters of a GUID will not find every attribute, and we
must run two searches for Public Information and two for Personal Information.
- We will start by searching for the attributes contained in Public
Information. Search first for 00c04fb96050 (the last 12 hex characters, that
is the last 6 bytes, of e48d0154-bcf8-11d1-8702-00c04fb96050).
Note that you will find the following chunk of data:
( 1.2.840.113556.1.4.7000.102.80 NAME 'msExchMailboxSecurityDescriptor' RANGE-
LOWER '0' RANGE-UPPER '65535' PROPERTY-GUID '26E94D939EB0D211AA0600C04F8EEDD8'
PROPERTY-SET-GUID '54018DE4F8BCD111870200C04FB96050' )
Thus, msExchMailboxSecurityDescriptor is contained within "Public Information".
Repeat the Find until you have recorded every attribute it locates.
- However, we must search again, because the previous search will have missed
the attributes whose GUID was split by the line wrapping of the LDF file. This
time, search for 54018DE4. (54018DE4 is the first 8 hex characters, that is
the first 4 bytes, of e48d0154-bcf8-11d1-8702-00c04fb96050 with the bytes
reversed: the LDF file stores the GUID's 16 binary bytes hex-encoded, and the
first three fields of a GUID are stored little-endian, so e48d0154 becomes
54018DE4, bcf8 becomes F8BC and 11d1 becomes D111, while the last 8 bytes keep
their documented order.) This second search finds many of the same attributes
again, but note that it also finds the following attribute, which the first
search on 00c04fb96050 missed because its GUID was wrapped:
( 1.2.840.113556.1.6.20.1.124 NAME 'msExchOmaAdminWirelessEnable' PROPERTY-GUI
D 'BEBFA7C16B1137478CD9D29EF5B3690E' PROPERTY-SET-GUID '54018DE4F8BCD111870200
C04FB96050' )
Thus, you should add msExchOmaAdminWirelessEnable to the list you compiled from
the first search. Repeat the Find operation, and record any additional
attributes that the first search did not find.
- The same concept applies to "Personal Information": search first for the last
12 hex characters of its GUID (0000f80367c1), then for its byte-swapped first
8 hex characters (86B8B577), and merge the two results.
Note that on a live forest you can avoid the text search entirely: every
attributeSchema object carries an attributeSecurityGUID equal to the GUID of
the property set it belongs to, so an LDAP query for that value under the
schema naming context returns the members of a set directly.
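To automate the two-search procedure above, here is an added example in Python; it is not part of the original post. It converts the documented GUIDs into the byte-swapped hex form the LDF file uses, unfolds LDIFDE's continuation lines so that no GUID is ever split, and then extracts every attribute name per property set in a single pass. The sample LDF content is constructed for the demonstration: the two msExch entries are the ones quoted on the page, the telephoneNumber and sAMAccountName entries and all PROPERTY-GUID values are illustrative, and the folding points are chosen so that a raw-text search for either GUID fragment misses one of the two Public Information entries. The file name schema.ldf is the one used in the procedure; any export produced by the ldifde command above should work.

```python
"""Extract the attributes of the AD "Personal Information" and "Public
Information" property sets from an LDIFDE schema export.

Added example, not part of the original post. It assumes a file produced by
  ldifde -f schema.ldf -d "cn=schema,cn=configuration,dc=...,dc=com"
whose cn=Aggregate object lists each attribute with a PROPERTY-SET-GUID value,
as shown on the page. LDIF folds long values onto continuation lines that
begin with one space; unfolding them first makes a single search reliable.
"""
from __future__ import annotations

import re
import sys
import uuid

# Property-set GUIDs as documented on MSDN.
PROPERTY_SETS = {
    "Personal Information": "77b5b886-944a-11d1-aebd-0000f80367c1",
    "Public Information": "e48d0154-bcf8-11d1-8702-00c04fb96050",
}

# Constructed sample in LDIFDE's folded layout. The two msExch entries are the
# ones quoted on the page; PROPERTY-GUID values, the other two entries and the
# folding points are made up. Entry 1 has the tail of its set GUID wrapped,
# entry 2 the head, so no single raw-text search finds both.
SAMPLE_LDF = """\
dn: CN=Aggregate,CN=Schema,CN=Configuration,DC=firstdomaininforest,DC=com
changetype: add
objectClass: subSchema
extendedAttributeInfo: ( 1.2.840.113556.1.4.7000.102.80 NAME 'msExchMailboxSecur
 ityDescriptor' RANGE-LOWER '0' RANGE-UPPER '65535' PROPERTY-GUID '26E94D939EB0D
 211AA0600C04F8EEDD8' PROPERTY-SET-GUID '54018DE4F8BCD111870200C04FB9
 6050' )
extendedAttributeInfo: ( 1.2.840.113556.1.6.20.1.124 NAME 'msExchOmaAdminWireless
 Enable' PROPERTY-GUID 'BEBFA7C16B1137478CD9D29EF5B3690E' PROPERTY-SET-GUID '540
 18DE4F8BCD111870200C04FB96050' )
extendedAttributeInfo: ( 2.5.4.20 NAME 'telephoneNumber' RANGE-LOWER '1' RANGE-UP
 PER '64' PROPERTY-GUID '497A96BFE60DD011A28500AA003049E2' PROPERTY-SET-GUID '86
 B8B5774A94D111AEBD0000F80367C1' )
extendedAttributeInfo: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' RANGE-LOWER
  '0' RANGE-UPPER '256' PROPERTY-GUID 'D0BF0A3E6A12D011A06000AA006C33ED' )
"""


def guid_to_schema_hex(guid_text: str) -> str:
    """Convert a documented GUID to the 32-hex-digit PROPERTY-SET-GUID form.

    The schema stores the GUID's 16 raw bytes hex-encoded; the first three
    fields are little-endian, so e48d0154-bcf8-11d1-... becomes 54018DE4F8BCD111...
    """
    return uuid.UUID(guid_text).bytes_le.hex().upper()


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (leading single space) onto the line above."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


# One schema entry: the attribute's NAME followed, eventually, by its set GUID.
ENTRY_RE = re.compile(r"NAME '([^']+)'.*?PROPERTY-SET-GUID '([0-9A-Fa-f]{32})'")


def attributes_by_property_set(ldif_text: str) -> dict[str, list[str]]:
    """Map each property set name to the sorted attribute names inside it."""
    hex_to_name = {guid_to_schema_hex(g): n for n, g in PROPERTY_SETS.items()}
    found: dict[str, set[str]] = {n: set() for n in PROPERTY_SETS}
    for line in unfold_ldif(ldif_text):
        m = ENTRY_RE.search(line)
        if m and m.group(2).upper() in hex_to_name:
            found[hex_to_name[m.group(2).upper()]].add(m.group(1))
    return {n: sorted(a) for n, a in found.items()}


def raw_line_hits(ldif_text: str, fragment: str) -> int:
    """Count raw (still folded) lines containing fragment: what Notepad's Find sees."""
    return sum(fragment in line for line in ldif_text.splitlines())


if __name__ == "__main__":
    # Pass the path of a real export, or run with no argument to use the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LDF
    for set_name, attrs in attributes_by_property_set(text).items():
        print(f"{set_name} ({len(attrs)} attributes)")
        for attr in attrs:
            print("  " + attr)
```

raw_line_hits reproduces the manual Find on the folded file: in the sample, 00C04FB96050 and 54018DE4 each match only one of the two Public Information entries, while the unfolded parse returns both, plus telephoneNumber under Personal Information, and ignores sAMAccountName because it carries no PROPERTY-SET-GUID.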
Here is a list I've compiled from a Windows 2000 forest with Exchange 2003's schema
extensions:
Public Information:
'msExchccMailImportExportVersion'
'allowedChildClassesEffective'
'msExchExpansionServerName'
'msExchResourceProperties'
'msExchMailboxSecurityDescriptor'
'msExchIMAPOWAURLPrefixOverride'
'msExchOmaAdminExtendedSettings'
'msExchOmaAdminWirelessEnable'
'msExchCustomProxyAddresses'
'msExchHideFromAddressLists'
'allowedAttributesEffective'
'msExchRequireAuthToSendTo'
'msExchConferenceMailboxBL'
'msExchUserAccountControl'
'msExchPreviousAccountSid'
'msExchInconsistentState'
'msExchOriginatingForest'
'msExchIMMetaPhysicalURL'
'msExchProxyCustomProxy'
'replicatedObjectVersion'
'msExchPolicyOptionList'
'replicationSensitivity'
'msExchMasterAccountSid'
'msExchMailboxFolderSet'
'msExchPoliciesExcluded'
'msExchPoliciesIncluded'
'msExchIMVirtualServer'
'msExchControllingZone'
'altSecurityIdentities'
'mDBOverHardQuotaLimit'
'msExchALObjectVersion'
'textEncodedORAddress'
'servicePrincipalName'
'msExchVoiceMailboxID'
'msExchUnmergedAttsPt'
'oOFReplyToOriginator'
'submissionContLength'
'replicationSignature'
'msExchHomeServerName'
'displayNamePrintable'
'attributeCertificate'
'msExchADCGlobalNames'
'supportedAlgorithms'
'extensionAttribute1'
'extensionAttribute2'
'extensionAttribute3'
'extensionAttribute4'
'extensionAttribute5'
'extensionAttribute6'
'extensionAttribute7'
'extensionAttribute9'
'extensionAttribute10'
'extensionAttribute11'
'extensionAttribute12'
'extensionAttribute13'
'extensionAttribute14'
'extensionAttribute15'
'msExchIMPhysicalURL'
'msExchAssistantName'
'msExchPolicyEnabled'
'allowedChildClasses'
'reportToOriginator'
'telephoneAssistant'
'msExchResourceGUID'
'dLMemSubmitPermsBL'
'dLMemRejectPermsBL'
'deliverAndRedirect'
'userPrincipalName'
'showInAddressBook'
'msExchTUIPassword'
'delivExtContTypes'
'distinguishedName'
'mDBOverQuotaLimit'
'allowedAttributes'
'msExchQueryBaseDN'
'msExchMailboxGuid'
'forwardingAddress'
'deliveryMechanism'
'publicDelegatesBL'
'securityProtocol'
'protocolSettings'
'msExchRecipLimit'
'pOPContentFormat'
'msExchPFTreeType'
'msExchMailboxUrl'
'dLMemSubmitPerms'
'autoReplyMessage'
'internetEncoding'
'enabledProtocols'
'dLMemRejectPerms'
'msExchLabeledURI'
'hideDLMembership'
'deletedItemFlags'
'legacyExchangeDN'
'msExchPfRootUrl'
'msExchTUIVolume'
'pOPCharacterSet'
'mDBStorageQuota'
'delivContLength'
'msExchIMAddress'
'proxyAddresses'
'objectCategory'
'msExchTUISpeed'
'expirationTime'
'mDBUseDefaults'
'altRecipientBL'
'folderPathname'
'directReports'
'reportToOwner'
'extensionData'
'importedFrom'
'targetAddress'
'mAPIRecipient'
'unmergedAtts'
'unauthOrigBL'
'otherMailbox'
'msExchUseOAB'
'altRecipient'
'dLMemDefault'
'dLMemberRule'
'languageCode'
'mailNickname'
'dnQualifier'
'systemFlags'
'msExchFBURL'
'description'
'objectClass'
'msExchIMACL'
'unauthOrig'
'heuristics'
'authOrigBL'
'department'
'objectGUID'
'autoReply'
'givenName'
'kMServer'
'division'
'authOrig'
'initials'
'formData'
'language'
'company'
'homeMTA'
'homeMDB'
'manager'
'notes'
'title'
'mail'
'name'
'ou'
'sn'
'co'
'cn'
'o'
Personal Information:
'primaryInternationalISDNNumber'
'otherFacsimileTelephoneNumber'
'physicalDeliveryOfficeName'
'teletexTerminalIdentifier'
'facsimileTelephoneNumber'
'internationalISDNNumber'
'preferredDeliveryMethod'
'primaryTelexNumber'
'userSharedFolderOther'
'userSMIMECertificate'
'mSMQSignCertificates'
'registeredAddress'
'userSharedFolder'
'userCertificate'
'homePostalAddress'
'telephoneNumber'
'publicDelegates'
'otherTelephone'
'thumbnailPhoto'
'otherHomePhone'
'postOfficeBox'
'personalTitle'
'streetAddress'
'postalAddress'
'otherIpPhone'
'telexNumber'
'mSMQDigests'
'otherMobile'
'postalCode'
'otherPager'
'x121Address'
'assistant'
'homePhone'
'userCert'
'ipPhone'
'street'
'mobile'
'pager'
'info'
'st'
'l'
'c'