Using AD Property Sets

Jan De Clercq

October 22, 2007


Q: What are Active Directory (AD) property sets? What can you use them for? How can I easily view the AD object properties that are part of a property set?

A: AD property sets are groupings of object properties (or attributes). A good example of a property set is "Personal Information," which contains a total of 41 attributes, including a user's address and telephone attributes. Table 1 summarizes the default AD property sets that are predefined in the schema of Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2.

Microsoft implemented AD property sets to allow more efficient access control management for multiple object attributes (or properties) in the directory. The grouping of many properties into a property set allows administrators to use one access control entry (ACE) to grant or deny permissions on an AD object for the complete collection of properties at once. Without property sets, administrators would need to apply many separate ACEs for each individual property that's part of a property set collection.

Microsoft introduced property sets not only to simplify administration but also to preserve storage space in AD. The positive effect property sets have on AD storage space should not be underestimated: every ACE applied to an object must be stored in the directory, and a permission granted on a property set is not only displayed but also stored as a single ACE.

An AD attribute is defined to belong to a property set by its attributeSecurityGUID attribute, which matches the rightsGUID attribute of the property set. Any attribute in AD can belong to only a single property set, which is an important restriction for organizations that want to customize AD security by modifying the built-in default property sets or defining brand new property sets.

Although the majority of the property sets are the same between Win2K and Windows 2003, an important feature related to the default property sets was missing from Win2K and has been made available in Windows 2003: in Windows 2003, the default property sets can be edited. To do so, you can use classic AD editing tools such as ADSI Edit or LDP. A handy tool you can use to view the AD property sets is the ADSchemaAnalyzer. This tool is not included on a standard Win2K or Windows 2003 AD server but is automatically installed when you install AD Application Mode (ADAM) SP1 or the ADAM version that's part of Windows 2003 R2.

As a special feature, ADSchemaAnalyzer also lets you view permission property sets, the classes where the property sets can be applied, and the attributes that belong to the property set. Figure 1 shows using ADSchemaAnalyzer to view the attributes that are linked to the built-in Personal Information property set underneath the Dependents container.
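The attributeSecurityGUID-to-rightsGUID link described above can also be walked with a script instead of ADSchemaAnalyzer. The following is an added example, not code from the article; it assumes the RSAT ActiveDirectory PowerShell module on a domain-joined, authenticated host and reads the schema and Extended-Rights containers only.

```powershell
# Added example: enumerate AD property sets and the attributes each one groups,
# so the full scope of a single property-set ACE can be reviewed before it is
# delegated. Assumes the RSAT ActiveDirectory module (Get-ADRootDSE, Get-ADObject).
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$schemaNC  = $rootDse.schemaNamingContext
$extRights = "CN=Extended-Rights," + $rootDse.configurationNamingContext

# Property sets are controlAccessRight objects in Extended-Rights whose
# validAccesses include ADS_RIGHT_DS_READ_PROP (0x10) and/or
# ADS_RIGHT_DS_WRITE_PROP (0x20). Extended rights such as "Reset Password"
# use ADS_RIGHT_DS_CONTROL_ACCESS (0x100) instead and are filtered out here.
$propSets = Get-ADObject -SearchBase $extRights `
    -LDAPFilter '(objectClass=controlAccessRight)' `
    -Properties rightsGUID, displayName, validAccesses |
    Where-Object { ($_.validAccesses -band 0x30) -ne 0 }

# One schema query builds a GUID -> attribute-name index. attributeSecurityGUID
# is stored as an octet string, so it is converted to a Guid before comparison.
$byGuid = @{}
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(attributeSecurityGUID=*))' `
    -Properties lDAPDisplayName, attributeSecurityGUID |
    ForEach-Object {
        $g = (New-Object Guid (,[byte[]]$_.attributeSecurityGUID)).ToString()
        if (-not $byGuid.ContainsKey($g)) {
            $byGuid[$g] = New-Object System.Collections.ArrayList
        }
        [void]$byGuid[$g].Add($_.lDAPDisplayName)
    }

# Because an attribute carries exactly one attributeSecurityGUID, each attribute
# appears under at most one property set. The count per set can be compared
# with Table 1 (it will differ on a schema that has been extended or edited).
foreach ($ps in ($propSets | Sort-Object Name)) {
    $key     = ([guid]$ps.rightsGUID).ToString()
    $members = @($byGuid[$key]) | Sort-Object
    "{0} ({1}): {2} attribute(s)" -f $ps.Name, $ps.displayName, $members.Count
    $members | ForEach-Object { "    $_" }
}
```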

ADSchemaAnalyzer can obviously also be used to connect to your production AD to simply browse and view its classes and attributes. The tool can also be useful to compare and populate an ADAM instance with the same schema as you have in a production AD.

Table 1: List of default property sets in AD

The two right-hand columns give the number of attributes in each property set on that platform (N/A: the property set does not exist on that platform).

Property Set Name                                                     Windows 2000   Windows Server 2003 / R2
Common Name                Display Name
DNS-Host-Name-Attributes   DNS Host Name Attributes                   N/A            2
Domain-Other-Parameters    Other Domain Parameters (for use by SAM)   N/A            7
Domain-Password            Domain Password & Lockout Policies         8              8
Email-Information          Phone and Mail Options                     0              0
General-Information        General-Information                        12             13
Membership                 Group Membership                           1              2
Personal-Information       Personal-Information                       41             41
Public-Information         Public-Information                         34             37
RAS-Information            Remote Access Information                  9              9
User-Account-Restrictions  Account Restrictions                       4              5
User-Logon                 Logon Information                          9              12
Web-Information            Web Information                            2              2
