Group Service Data Mapping

Last updated: January 30, 2023
Audience: IT Staff / Technical

This document is intended for IT Professionals seeking to understand how data in the Group Service is mapped to Active Directory (the NETID domain).

Standard groups

Each row gives the Group Service (GS) attribute and its mapping in the NETID domain (AD).

GS: dn: serialNumber=<regid>,ou=groups,dc=washington,dc=edu
    where <regid> is the UW RegID.
AD: dn: cn=<blah>,OU=Standard,OU=GDS,OU=Groups,DC=netid,DC=washington,DC=edu
    where <blah> is described below under cn.

GS: objectClass: uwDepartmentGroup
AD: objectClass: top; uwEntity; group;

GS: serialNumber: <regid>
AD: No complement. AD uses the SID for uniqueness, and since serialNumber has no value to users, serialNumber was dropped.

GS: uwRegID: <regid>
AD: uwRegID: <regid>

GS: uwPriorRegID: <regid>
AD: uwPriorRegID: <regid>

GS: groupId: <group name>
AD: cn: <group name>
    displayName: <group name>
    samAccountName: <group name>
    where <group name> is the first value of the multi-valued GS cn at the time the AD group is created. If the GS cn is single-valued, then the AD cn is updated; otherwise the AD cn is never updated.

GS: description: <group description>
AD: description: <group description>

GS: owner: uwNetID=<uwnetid>
AD: managedBy: <Active Directory DN of <uwnetid>>
    where <uwnetid> is searched in AD and the DN of that object is the value of the managedBy attribute. If there is no such object, then this value isn't populated. See uwContactPerson for important related content.

GS: member: uwNetID=<uwnetid>
AD: member: <Active Directory DN of <uwnetid>>
    where <uwnetid> is searched in AD and the DN of that object is the value of the member attribute. If there is no such object, then this value isn't populated.

GS: memberGroup: cn=<group cn>
AD: member: <Active Directory DN of <group cn>>
    where <group cn> is searched in AD and the DN of that object is the value of the member attribute. If there is no such object, then this value isn't populated.

GS: uwContactPerson: uwNetid=<uwnetid> OR cn=<group cn>
AD: managedBy: <Active Directory DN of <uwnetid> or <group cn>>
    where <uwnetid> or <group cn> is searched in AD and the DN of that object is the value of the managedBy attribute. If there is no such object, then this value isn't populated. If the GS owner attribute is also set, then the uwContactPerson value overrides the GS owner info.

GS: uwEmailEnabled: uwexchange
AD: oOFReplyToOriginator: TRUE
    reportToOwner: TRUE
    msExchRequireAuthToSendTo: TRUE
    delivContLength: 61440
    msExchRecipientDisplayType: 1073741833
    mailNickname: <cn>
    msExchVersion: <existing Exchange version>
    msExchPoliciesIncluded: {B6B1B695-99F7-4455-B5B4-1231DD06C415},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}
    internetEncoding: 0
    legacyExchangeDN: /o=University of Washington/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=<cn>
    extensionAttribute3: <blah>
    where <existing Exchange version> is the value of msExchVersion on LDAP://CN=Address Lists Container,CN=University of Washington,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=netid,DC=washington,DC=edu,
    where <cn> is the GS cn, not the AD cn,
    and where <blah> is 1 if the attribute isn't already present with a value; otherwise it is not set.
    uwEmailEnabled: uwexchange also controls whether the following GS attributes are mapped to AD or ignored: uwPublishedEmail, uwAuthOrig, uwReportToOriginator. If (!(uwEmailEnabled=uwexchange)), then those 3 GS attributes are ignored, and some set of the attributes noted above may be cleared if they were previously populated.

GS: uwPublishedEmail: <email>
AD: mail: <email>
    proxyAddresses: SMTP:<email>
    proxyAddresses: smtp:<cn>@exchange.washington.edu
    where <cn> is the GDS cn value, and where <email> must be RFC compliant and a unique value across all Exchange recipients. If <email> is not RFC compliant and unique, then <email> is ignored, and instead the following is set:
    mail: <cn>@exchange.washington.edu
    proxyAddresses: SMTP:<cn>@exchange.washington.edu

GS: uwAuthOrig: uwNetid=<uwnetid> AND/OR cn=<group cn> OR dc=none
AD: authOrig: <Active Directory DN of <uwnetid>>
    dlMemSubmitPerms: <Active Directory DN of <group cn>>
    where <uwnetid> or <group cn> is searched in AD and the DN of that object is the value used. User DNs go on the AD authOrig attribute; group DNs go on the AD dlMemSubmitPerms attribute. If (uwAuthOrig=dc=none), then neither of the above applies, and instead the following is set:
    authOrig: CN=a_none,OU=Application NetIDs,OU=Other NetIDs,DC=netid,DC=washington,DC=edu
    This means that only the a_none account can send email to that Exchange distribution group, and by design the a_none UW NetID is not used by anyone.

GS: uwReportToOwner: <bit>
    where <bit> is {0,1}
AD: reportToOwner: <boolean conversion of <bit>>
    reportToOriginator: <NOT boolean conversion of <bit>>
    So for reportToOwner: 1->TRUE, 0->FALSE. The opposite holds for reportToOriginator.

GS: displayName: <string>
AD: displayName: <string> <this will stop on 4/26/2017>
    description: <string> <coming 4/26/2017>
    The description value is only written if there is no GS.description value.

GS: uwReadAccess: uwNetid=<uwnetid> AND/OR cn=<group cn> OR dc=none
    Those values are hereafter collectively referred to as "targetValues".
AD: uwReadAccess: <Active Directory DN of <uwnetid>> or <Active Directory DN of <group cn>> or <Active Directory DN of the a_none uwnetid>
    ntSecurityDescriptor: Allow targetValues Read All Properties
    where <uwnetid> or <group cn> is searched in UWWI and the DN of that object is the value used. If (uwReadAccess=dc=none), then the DN is:
    CN=a_none,OU=Application NetIDs,OU=Other NetIDs,DC=netid,DC=washington,DC=edu
    This means that only the a_none account has access, and by design the a_none UW NetID is not used by anyone.

GS: uwViewAccess: uwNetid=<uwnetid> AND/OR cn=<group cn> OR dc=none
    Those values are hereafter collectively referred to as "targetValues".
AD: uwViewAccess: <Active Directory DN of <uwnetid>> or <Active Directory DN of <group cn>> or <Active Directory DN of the a_none uwnetid>
    ntSecurityDescriptor: Allow targetValues Read All Properties
    ntSecurityDescriptor: Deny targetValues Read Members
    where <uwnetid> or <group cn> is searched in UWWI and the DN of that object is the value used. If (uwViewAccess=dc=none), then the DN is:
    CN=a_none,OU=Application NetIDs,OU=Other NetIDs,DC=netid,DC=washington,DC=edu
    This means that only the a_none account has access, and by design the a_none UW NetID is not used by anyone.
    Note that ntSecurityDescriptor is the access control list (ACL) for the directory object, and that both ntSecurityDescriptor values noted above are applied for each target value. In the case where a single target is in both uwReadAccess and uwViewAccess, no ntSecurityDescriptor is applied for the uwViewAccess, as it would inhibit access, which is undesired behavior.

GS: gidNumber: <integer>
AD: gidNumber: <integer>

GS: uwTest: <string>
    where <string> is {0,1}
AD: uwTest: <string>
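As an added illustration (not part of this document or of the Group Service's own code), the following Python sketch applies the uwEmailEnabled, uwPublishedEmail, uwAuthOrig and uwReportToOwner rules above to one GS record. The AD lookups, the set of existing recipient addresses and the RFC address check are constructed stand-ins, and the three attributes controlled by uwEmailEnabled are taken to be uwPublishedEmail, uwAuthOrig and uwReportToOwner.

```python
import re

# Constructed stand-ins for the NETID domain lookups and Exchange state the sync consults.
A_NONE_DN = "CN=a_none,OU=Application NetIDs,OU=Other NetIDs,DC=netid,DC=washington,DC=edu"
AD_USERS = {"jdoe": "CN=jdoe,OU=People,DC=netid,DC=washington,DC=edu"}  # constructed user DN
AD_GROUPS = {"u_cse_staff": "CN=u_cse_staff,OU=Standard,OU=GDS,OU=Groups,DC=netid,DC=washington,DC=edu"}
EXISTING_ADDRESSES = {"help@uw.edu"}  # constructed: addresses already taken by Exchange recipients
# Rough stand-in for the "RFC compliant" test; the real check is not specified on the page.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def resolve(ref):
    """Resolve a GS reference (uwNetid=<x> or cn=<g>) to ('user'|'group', DN or None)."""
    kind, _, name = ref.partition("=")
    if kind.lower() == "uwnetid":
        return "user", AD_USERS.get(name)
    if kind == "cn":
        return "group", AD_GROUPS.get(name)
    return kind, None

def map_exchange(gs):
    """Derive the Exchange-related AD attributes for one GS group record."""
    ad = {}
    if gs.get("uwEmailEnabled") != "uwexchange":
        return ad  # uwPublishedEmail, uwAuthOrig and uwReportToOwner are ignored
    cn = gs["cn"][0]  # GS cn is multi-valued; the first value is used
    fallback = f"{cn}@exchange.washington.edu"
    email = gs.get("uwPublishedEmail")
    if email and EMAIL_RE.match(email) and email not in EXISTING_ADDRESSES:
        ad["mail"] = email
        ad["proxyAddresses"] = [f"SMTP:{email}", f"smtp:{fallback}"]
    else:  # not RFC compliant or not unique: the published address is ignored
        ad["mail"] = fallback
        ad["proxyAddresses"] = [f"SMTP:{fallback}"]
    for ref in gs.get("uwAuthOrig", []):
        if ref == "dc=none":  # only the unused a_none account may send
            ad["authOrig"] = [A_NONE_DN]
            ad.pop("dlMemSubmitPerms", None)
            break
        kind, dn = resolve(ref)
        if dn is None:
            continue  # no such AD object: value not populated
        key = "authOrig" if kind == "user" else "dlMemSubmitPerms"
        ad.setdefault(key, []).append(dn)
    bit = gs.get("uwReportToOwner")
    if bit in ("0", "1"):
        ad["reportToOwner"] = "TRUE" if bit == "1" else "FALSE"
        ad["reportToOriginator"] = "FALSE" if bit == "1" else "TRUE"
    return ad
```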

Course groups

Each row gives the Group Service (GS) attribute and its mapping in the NETID domain (AD).

GS: dn: serialNumber=<regid>,ou=<QQQYYYY>,ou=Courses,dc=washington,dc=edu
AD: dn: cn=<blah>,OU=Course,OU=GDS,OU=Groups,DC=netid,DC=washington,DC=edu
    where <blah> is the cn.

GS: groupId
AD: cn:
    samAccountName:
    displayName: <coming 4/26/2017>

GS: objectClass: uwCourseOffering; uwEntity;
AD: objectClass: top; uwCourseOffering; uwEntity; group;

GS: serialNumber: <regid>
AD: No complement. AD uses the SID for uniqueness, and since serialNumber has no value to users, serialNumber was dropped.

GS: uwRegID: <regid>
AD: uwRegID: <regid>

GS: year: <year>
    where <year> is the applicable 4-digit year, e.g. "2007".
AD: uwYear: <year>

GS: quarter: <Quarter>
    where <Quarter> is {"WIN", "SPR", "SUM", "AUT"}
AD: uwQuarter: <quarter>

GS: curric: <Curriculum Code>
    e.g. "CSE"
AD: uwCurric: <curric code>

GS: crsNo: <Course Number>
    e.g. "142"
AD: uwCrsNo: <course number>

GS: sln: <Course Section Schedule Line Number>
    e.g. "11973"
AD: uwSln: <course section schedule line number>

GS: sectID: <Course Section ID>
    e.g. "A", "AA", "AB"
AD: uwSectID: <course section ID>

GS: displayName: <Course Title>
    e.g. "COMPUTER PRGRMNG I"
AD: displayName: <Course Title> <going away 4/26/2017>
    description: <Course Title> <coming 4/26/2017>
    The description value is only written when no GS.description value is present.

GS: student: uwNetID=<netid>
AD: member: <Active Directory DN of <uwnetid>>
    where <uwnetid> is searched in AD and the DN of that object is the value of the member attribute. If there is no such object, then this value isn't populated.

GS: instructor: uwNetID=<netid>
AD: uwInstructor: <Active Directory DN of <uwnetid>>
    member: <Active Directory DN of <uwnetid>>
    where <uwnetid> is searched in AD and the DN of that object is the value of the member and uwInstructor attributes. If there is no such object, then this value isn't populated.

GS: gidNumber: <integer>
AD: gidNumber: <integer>