3.1.1.2.3.3 Property Set

A property set consists of a set of related attributes. An attribute whose attributeSchema object has a value for the attributeSecurityGUID attribute belongs to that property set; the property set is identified by the property set GUID, which is the attributeSecurityGUID value.

A property set GUID can be used instead of the schemaIDGUID of an attribute when defining a security descriptor, as specified in section 5.1.3.2, to grant or deny access to all attributes in one access control entry (ACE).

The following table lists the property sets present in the default AD DS schema.

Name                                        Property set GUID
------------------------------------------  ------------------------------------
Domain Password & Lockout Policies          C7407360-20BF-11D0-A768-00AA006E0529
General Information                         59BA2F42-79A2-11D0-9020-00C04FC2D3CF
Account Restrictions                        4C164200-20C0-11D0-A768-00AA006E0529
Logon Information                           5F202010-79A5-11D0-9020-00C04FC2D4CF
Group Membership                            BC0AC240-79A9-11D0-9020-00C04FC2D4CF
Phone and Mail Options                      E45795B2-9455-11D1-AEBD-0000F80367C1
Personal Information                        77B5B886-944A-11D1-AEBD-0000F80367C1
Web Information                             E45795B3-9455-11D1-AEBD-0000F80367C1
Public Information                          E48D0154-BCF8-11D1-8702-00C04FB96050
Remote Access Information                   037088F8-0AE1-11D2-B422-00A0C968F939
Other Domain Parameters (for use by SAM)    B8119FD0-04F6-4762-AB7A-4986C76B3F9A
DNS Host Name Attributes                    72E39547-7B18-11D1-ADEF-00C04FD8D5CD
MS-TS-GatewayAccess (*)                     FFA6F046-CA4B-4FEB-B40D-04DFEE722543
Private Information (*)                     91E647DE-D96F-4B70-9557-D63FF4F3CCD8
Terminal Server License Server (*)          5805BC62-BDC9-4428-A5E2-856A0F4C185E

(*) The last three property sets are present only in Windows Server 2008 operating system and later AD DS forests.

To determine the set of attributes that belong to a property set, search for the corresponding property-set GUID in [MS-ADA1], [MS-ADA2], and [MS-ADA3] for AD DS, or in [MS-ADLS] for AD LDS. Every attribute whose attributeSchema object has its attributeSecurityGUID set to the property-set GUID belongs to that property set.

New property sets can be created by adding controlAccessRight objects to the Extended-Rights container as described in section 5.1.3.2.1. The rightsGuid attribute of the controlAccessRight object is the property set GUID. This GUID MUST NOT be the NULL GUID.
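The following Python sketch is an added example, not part of the specification. It resolves the 16-byte ObjectType GUID of an object ACE to a default property set name and builds the LDAP filter that lists a property set's member attributes in the schema naming context. The function names are hypothetical, and the sample bytes are constructed; the code assumes the GUID is stored in the little-endian GUID layout both in the ACE and in the attributeSecurityGUID octet string.

```python
import uuid

# Names and GUIDs copied from the default AD DS property set table above.
PROPERTY_SETS = {
    "C7407360-20BF-11D0-A768-00AA006E0529": "Domain Password & Lockout Policies",
    "59BA2F42-79A2-11D0-9020-00C04FC2D3CF": "General Information",
    "4C164200-20C0-11D0-A768-00AA006E0529": "Account Restrictions",
    "5F202010-79A5-11D0-9020-00C04FC2D4CF": "Logon Information",
    "BC0AC240-79A9-11D0-9020-00C04FC2D4CF": "Group Membership",
    "E45795B2-9455-11D1-AEBD-0000F80367C1": "Phone and Mail Options",
    "77B5B886-944A-11D1-AEBD-0000F80367C1": "Personal Information",
    "E45795B3-9455-11D1-AEBD-0000F80367C1": "Web Information",
    "E48D0154-BCF8-11D1-8702-00C04FB96050": "Public Information",
    "037088F8-0AE1-11D2-B422-00A0C968F939": "Remote Access Information",
    "B8119FD0-04F6-4762-AB7A-4986C76B3F9A": "Other Domain Parameters (for use by SAM)",
    "72E39547-7B18-11D1-ADEF-00C04FD8D5CD": "DNS Host Name Attributes",
    "FFA6F046-CA4B-4FEB-B40D-04DFEE722543": "MS-TS-GatewayAccess",
    "91E647DE-D96F-4B70-9557-D63FF4F3CCD8": "Private Information",
    "5805BC62-BDC9-4428-A5E2-856A0F4C185E": "Terminal Server License Server",
}
NULL_GUID = uuid.UUID(int=0)

def member_filter(property_set_guid):
    """LDAP filter for the attributeSchema objects in one property set."""
    guid = uuid.UUID(property_set_guid)
    if guid == NULL_GUID:
        raise ValueError("a property set GUID must not be the NULL GUID")
    # Octet-string values are matched byte by byte, so each byte of the
    # little-endian GUID layout is written as a \XX escape.
    escaped = "".join("\\%02X" % b for b in guid.bytes_le)
    return "(&(objectClass=attributeSchema)(attributeSecurityGUID=%s))" % escaped

def resolve_object_type(raw):
    """Return (GUID string, property set name or None) for an ACE ObjectType."""
    if len(raw) != 16:
        raise ValueError("ObjectType must be exactly 16 bytes")
    guid = str(uuid.UUID(bytes_le=bytes(raw))).upper()
    # None means the GUID is not a default property set: it may be an
    # attribute's schemaIDGUID or a property set added to Extended-Rights.
    return guid, PROPERTY_SETS.get(guid)

if __name__ == "__main__":
    # Constructed sample: ObjectType bytes as they would sit in an object ACE.
    sample = bytes.fromhex("40C20ABCA979D011902000C04FC2D4CF")
    print(resolve_object_type(sample))
    print(member_filter("BC0AC240-79A9-11D0-9020-00C04FC2D4CF"))
```

When reviewing a security descriptor, an ACE that resolves to a property set name covers every attribute in that set, so its effect is broader than an ACE that names a single attribute's schemaIDGUID.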

AD LDS installs a reduced schema by default. The default AD LDS schema includes only the following property sets:

  • General Information

  • Account Restrictions

  • Logon Information

  • Group Membership

  • Phone and Mail Options

  • Personal Information

  • Web Information

  • Public Information