

# AWS Directory Service Data

 AWS Directory Service Data is an extension of AWS Directory Service. You can create, read, update, and delete Active Directory (AD) users, groups, and memberships in an AWS Directory Service for Microsoft Active Directory without deploying dedicated AD management instances on Amazon EC2. You can also perform built-in object management tasks across directories without any direct network connectivity. This simplifies provisioning and access management to achieve fully automated deployments. For more information, see the [AWS Directory Service Data API Reference](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html). 

 Directory Service Data supports user and group write operations, like `CreateUser` and `CreateGroup`, within your organizational unit (OU) in the AWS Managed Microsoft AD. It supports read operations, like `ListUsers` and `ListGroups`, on all users, groups, and group memberships within the AWS Managed Microsoft AD and across trusted realms. It also supports adding and removing group members for groups in your OU and in the AWS Delegated Groups OU, so you can delegate permissions by adding users to specific delegated group objects. For more information, see [User and group management in AWS Managed Microsoft AD](ms_ad_manage_users_groups.md). 

**Note**  
 Directory Service Data is only available in your Primary Region. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).

**Topics**
+ [Replication and consistency](#replication_consistency)
+ [AWS Directory Service Data attributes](ad_data_attributes.md)
+ [Group type and group scope](ad_group_type_and_scope.md)

## Replication and consistency


 The Directory Service Data API connects to your AWS Managed Microsoft AD domain controllers to perform operations on the underlying directory objects. Active Directory is an eventually consistent platform, and replication is continuously occurring between Directory Service directory domain controllers. By default, every Directory Service directory is created with two domain controllers. 

 Directory Service Data attempts to maintain a consistent experience by using the same domain controller across requests. If that domain controller becomes unavailable, Directory Service Data switches to an alternative domain controller. During such a switch you might observe eventual consistency: a recently written object may not yet be visible on the new domain controller until replication between the domain controllers completes. 

Directory limits vary by AWS Managed Microsoft AD edition, and an account-wide limit applies on top of them: 
+  **Standard edition** – Supports 8 transactions per second (TPS) for read operations and 4 TPS for write operations per directory. 
+  **Enterprise edition** – Supports 16 TPS for read operations and 8 TPS for write operations per directory. 
+  **AWS account** – Supports a total of 100 TPS for Directory Service Data operations across all directories.

**Note**  
 There's a concurrency limit of 10 concurrent requests for both Standard and Enterprise editions. 
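The limits above are enforced by the service, but a client that knows them can stay under them instead of discovering them as throttled requests. The following is an added example, not AWS code: a token-bucket gate that applies the per-directory read and write TPS by edition, the account-wide 100 TPS, and the 10-request concurrency cap before a call is sent. The operation names in `READ_OPS` are those of the Directory Service Data API; the `FakeClock`, the directory IDs and the burst sizes are constructed for the demonstration, and `fn` stands in for whatever performs the real call (for example a boto3 `ds-data` client method).

```python
import threading
import time

# Limits documented above: edition -> (read TPS, write TPS) per directory.
EDITION_LIMITS = {"Standard": (8, 4), "Enterprise": (16, 8)}
ACCOUNT_TPS = 100      # across all directories in the account
MAX_CONCURRENT = 10    # concurrent requests, both editions
# Read operations named in the API reference; anything else is charged to the
# smaller write budget, so an unknown operation can never over-spend reads.
READ_OPS = {"ListUsers", "ListGroups", "ListGroupMembers", "ListGroupsForMember",
            "DescribeUser", "DescribeGroup", "SearchUsers", "SearchGroups"}


class LocalThrottle(Exception):
    """Raised before a request is sent when a local budget is exhausted."""


class TokenBucket:
    """Refills `rate` tokens per second, capped at one second of burst."""

    def __init__(self, rate, clock):
        self.rate = self.capacity = self.tokens = float(rate)
        self.clock, self.updated, self.lock = clock, clock(), threading.Lock()

    def try_acquire(self):
        with self.lock:
            now = self.clock()
            self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
            self.updated = now
            if self.tokens < 1.0:
                return False
            self.tokens -= 1.0
            return True

    def refund(self):
        with self.lock:
            self.tokens = min(self.capacity, self.tokens + 1.0)


class DsDataThrottle:
    """Checks, in order: concurrency slot, per-directory bucket, account bucket."""

    def __init__(self, clock=time.monotonic):
        self.clock, self.dirs = clock, {}
        self.account = TokenBucket(ACCOUNT_TPS, clock)
        self.slots = threading.BoundedSemaphore(MAX_CONCURRENT)

    def register(self, directory_id, edition):
        read_tps, write_tps = EDITION_LIMITS[edition]
        self.dirs[directory_id] = (TokenBucket(read_tps, self.clock),
                                   TokenBucket(write_tps, self.clock))

    def call(self, directory_id, operation, fn):
        """Run fn() (e.g. a boto3 'ds-data' client method) only if every budget allows it."""
        read_bucket, write_bucket = self.dirs[directory_id]
        bucket = read_bucket if operation in READ_OPS else write_bucket
        if not self.slots.acquire(blocking=False):
            raise LocalThrottle("concurrency limit of %d reached" % MAX_CONCURRENT)
        try:
            if not bucket.try_acquire():
                raise LocalThrottle("%s budget for %s exhausted" % (operation, directory_id))
            if not self.account.try_acquire():
                bucket.refund()  # never sent, so don't charge the directory for it
                raise LocalThrottle("account-wide %d TPS budget exhausted" % ACCOUNT_TPS)
            return fn()
        finally:
            self.slots.release()


class FakeClock:
    """Manual clock so the scenario below is instant and deterministic (constructed)."""
    now = 0.0

    def __call__(self):
        return self.now


def burst(throttle, directory_id, operation, attempts):
    """Fire calls back to back; return how many passed the local gate."""
    passed = 0
    for _ in range(attempts):
        try:
            throttle.call(directory_id, operation, lambda: None)
            passed += 1
        except LocalThrottle:
            pass
    return passed


def demo():
    """Constructed scenario: one Standard directory with a placeholder ID."""
    clock, results = FakeClock(), {}
    throttle = DsDataThrottle(clock)
    throttle.register("d-STD-EXAMPLE", "Standard")
    results["reads_t0"] = burst(throttle, "d-STD-EXAMPLE", "ListUsers", 20)    # 8 pass
    results["writes_t0"] = burst(throttle, "d-STD-EXAMPLE", "CreateUser", 20)  # 4 pass
    clock.now = 0.5                                                  # half a second later
    results["reads_t0.5"] = burst(throttle, "d-STD-EXAMPLE", "ListUsers", 20)  # 4 refilled
    return results
```

`demo()` shows 8 of 20 reads and 4 of 20 writes passing at time zero and 4 more reads passing after half a second of refill. A production client would sleep and retry on `LocalThrottle` rather than drop the call, and must still handle the service's own throttling response, because the account-wide budget is shared with every other caller in the account.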

# AWS Directory Service Data attributes


 This topic describes how to work with attributes in the [AWS Directory Service Data API Reference](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/Welcome.html). 

## Request Attributes


 The following attributes must be defined in the request body parameters. For an example of how to define these attributes, see [CreateGroup](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_CreateGroup.html) in the *AWS Directory Service Data API Reference*. 


| Directory Service Data attribute name | LDAP display name | AWS Management Console | PowerShell alias | Access type | Object type | Attribute value | Searchable | 
| --- | --- | --- | --- | --- | --- | --- | --- | 
|   [DistinguishedName](https://learn.microsoft.com/en-us/windows/win32/adschema/a-distinguishedname)   |  distinguishedName  | Distinguished name |  None  |  ReadOnly  |  User, Group  |  String  |  No  | 
|   [EmailAddress](https://learn.microsoft.com/en-us/windows/win32/adschema/a-mail)   |  mail  | Email address |  EmailAddress  |  Creatable  |  User  |  String  |  Yes  | 
|   Enabled   |  None  | Enabled |  Enabled  |  Mutable  |  User  |  Boolean  |  No  | 
|   [GivenName](https://learn.microsoft.com/en-us/windows/win32/adschema/a-givenname)   |  givenName  | First Name |  GivenName  |  Creatable  |  User  |  String  |  Yes  | 
|   [GroupScope](https://learn.microsoft.com/en-us/windows/win32/adschema/a-grouptype)   |  groupScope  | Group scope |  None  |  Creatable  |  Group  |  Enum  |  No  | 
|   [GroupType](https://learn.microsoft.com/en-us/windows/win32/adschema/a-grouptype)   |  groupType  | Group type |  None  |  Creatable  |  Group  |  Enum  |  No  | 
|   [SamAccountName](https://learn.microsoft.com/en-us/windows/win32/adschema/a-samaccountname)   |  sAMAccountName  | User logon name |  sAMAccountName  |  Creatable  |  User, Group  |  String  |  Yes  | 
|   [SID](https://learn.microsoft.com/en-us/windows/win32/adschema/a-objectsid)   |  objectSid  | User / Group security identifier (SID) |  SID  |  ReadOnly  |  User, Group  |  String  |  No  | 
|   [Surname](https://learn.microsoft.com/en-us/windows/win32/adschema/a-sn)   |  sn  | Last name |  Surname  |  Creatable  |  User  |  String  |  Yes  | 
|   [UserPrincipalName](https://learn.microsoft.com/en-us/windows/win32/adschema/a-userprincipalname)   |  userPrincipalName  | User principal name |  UserPrincipalName  |  ReadOnly  |  User  |  String  |  No  | 

## Other Attributes


 The following attributes must be defined in `OtherAttributes` and don't map to any request body parameters. When you define other attributes in your requests, you must specify the attribute name, data type, and the value for each attribute. For an example of how to define these attributes, see [CreateUser](https://docs.aws.amazon.com/directoryservicedata/latest/DirectoryServiceDataAPIReference/API_CreateUser.html) in the *AWS Directory Service Data API Reference*. 

**Note**  
 The names of these attributes are case insensitive *when provided as inputs* and are equivalent to the LDAP display name. 


| Directory Service Data attribute name | LDAP display name | AWS Management Console | PowerShell alias | Access type | Object type | Attribute value | Searchable | 
| --- | --- | --- | --- | --- | --- | --- | --- | 
|   [Assistant](https://learn.microsoft.com/en-us/windows/win32/adschema/a-assistant)   |  assistant  | Assistant |  None  |  ReadOnly  |  User  |  String  |  No  | 
|   [Cn](https://learn.microsoft.com/en-us/windows/win32/adschema/a-cn)   |  cn  | Common Name |  None  |  ReadOnly  |  User, Group  |  String  |  No  | 
|   [Co](https://learn.microsoft.com/en-us/windows/win32/adschema/a-co)   |  co  | Country/region |  Country  |  Mutable  |  User  |  String  |  No  | 
|   [Company](https://learn.microsoft.com/en-us/windows/win32/adschema/a-company)   |  company  | Company |  Company  |  Creatable  |  User  |  String  |  No  | 
|   [Department](https://learn.microsoft.com/en-us/windows/win32/adschema/a-department)   |  department  | Department |  Department  |  Creatable  |  User  |  String  |  No  | 
|   [Description](https://learn.microsoft.com/en-us/windows/win32/adschema/a-description)   |  description  | Description |  Description  |  Creatable  |  User, Group  |  String  |  No  | 
|   [DirectReports](https://learn.microsoft.com/en-us/windows/win32/adschema/a-directreports)   |  directReports  | Direct reports |  None  |  ReadOnly  |  User  |  String set  |  No  | 
|   [DisplayName](https://learn.microsoft.com/en-us/windows/win32/adschema/a-displayname)   |  displayName  | Display name |  DisplayName  |  Creatable  |  User, Group  |  String  |  Yes  | 
|   [FacsimileTelephoneNumber](https://learn.microsoft.com/en-us/windows/win32/adschema/a-facsimiletelephonenumber)   |  facsimileTelephoneNumber  | Fax |  Fax  |  Creatable  |  User, Group  |  String  |  No  | 
|   [HomePhone](https://learn.microsoft.com/en-us/windows/win32/adschema/a-homephone)   |  homePhone  | Home phone number |  HomePhone  |  Creatable  |  User  |  String  |  No  | 
|   [Info](https://learn.microsoft.com/en-us/windows/win32/adschema/a-info)   |  info  | Notes |  None  |  Mutable  |  User, Group  |  String  |  No  | 
|   [Initials](https://learn.microsoft.com/en-us/windows/win32/adschema/a-initials)   |  initials  | Initials |  Initials  |  Mutable  |  User  |  String  |  No  | 
|   [IpPhone](https://learn.microsoft.com/en-us/windows/win32/adschema/a-ipphone)   |  ipPhone  | IP Phone |  None  |  Mutable  |  User  |  String  |  No  | 
|   [L](https://learn.microsoft.com/en-us/windows/win32/adschema/a-l)   |  l  | City |  City  |  Creatable  |  User  |  String  |  Yes  | 
|   [Manager](https://learn.microsoft.com/en-us/windows/win32/adschema/a-manager)   |  manager  | Manager |  Manager  |  Mutable  |  User  |  String  |  No  | 
|   [Mail](https://learn.microsoft.com/en-us/windows/win32/adschema/a-mail)   |  mail  | Email address |  EmailAddress  |  Mutable  |  Group  |  String  |  Yes  | 
|   [Mobile](https://learn.microsoft.com/en-us/windows/win32/adschema/a-mobile)   |  mobile  | Mobile phone number |  MobilePhone  |  Mutable  |  User  |  String  |  No  | 
|  ObjectClass  |  objectClass  | User / Group |  None  |  ReadOnly  |  Group  |  String  |  No  | 
|   [ObjectGUID](https://learn.microsoft.com/en-us/windows/win32/adschema/a-objectguid)   |  objectGUID  | Global unique identifier (GUID) |  None  |  ReadOnly  |  User, Group  |  String  |  No  | 
|   [Pager](https://learn.microsoft.com/en-us/windows/win32/adschema/a-pager)   |  pager  | Pager |  None  |  Mutable  |  User  |  String  |  No  | 
|   [PhysicalDeliveryOfficeName](https://learn.microsoft.com/en-us/windows/win32/adschema/a-physicaldeliveryofficename)   |  physicalDeliveryOfficeName  | Office |  None  |  Creatable  |  User  |  String  |  Yes  | 
|   [PostalCode](https://learn.microsoft.com/en-us/windows/win32/adschema/a-postalcode)   |  postalCode  | Zip/Postal code |  PostalCode  |  Creatable  |  User  |  String  |  No  | 
|   [PreferredLanguage](https://learn.microsoft.com/en-us/windows/win32/adschema/a-preferredlanguage)   |  preferredLanguage  | Preferred language |  None  |  Mutable  |  User  |  String  |  No  | 
|   [ProxyAddresses](https://learn.microsoft.com/en-us/windows/win32/adschema/a-proxyaddresses)   |  proxyAddresses  | Proxy address |  None  |  ReadOnly  |  User, Group  |  Multi-valued string  |  Yes  | 
|   [ServicePrincipalName](https://learn.microsoft.com/en-us/windows/win32/adschema/a-serviceprincipalname)   |  servicePrincipalName  | Service principal name |  ServicePrincipalName  |  Mutable  |  User  |  Multi-valued string  |  No  | 
|   [St](https://learn.microsoft.com/en-us/windows/win32/adschema/a-st)   |  st  | State/Province |  State  |  Creatable  |  User  |  String  |  No  | 
|   [StreetAddress](https://learn.microsoft.com/en-us/windows/win32/adschema/a-street)   |  streetAddress  | Street address |  StreetAddress  |  Creatable  |  User  |  String  |  No  | 
|   [TelephoneNumber](https://learn.microsoft.com/en-us/windows/win32/adschema/a-telephonenumber)   |  telephoneNumber  | Telephone number |  OfficePhone  |  Creatable  |  User  |  String  |  No  | 
|   [Title](https://learn.microsoft.com/en-us/windows/win32/adschema/a-title)   |  title  | Job title |  Title  |  Mutable  |  User  |  String  |  No  | 
|   [WhenChanged](https://learn.microsoft.com/en-us/windows/win32/adschema/a-whenchanged)   |  whenChanged  | Last updated |  None  |  ReadOnly  |  User, Group  |  String  |  No  | 
|   [WWWHomePage](https://learn.microsoft.com/en-us/windows/win32/adschema/a-wwwhomepage)   |  wWWHomePage  | Home page URL |  wWWHomePage  |  Mutable  |  User, Group  |  String  |  No  | 
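Putting the two tables to work: the following added example (not AWS code) builds a `CreateUser` or `UpdateUser` body from a plain dictionary, placing request attributes at the top level, the rest under `OtherAttributes` with a typed value, and refusing ReadOnly attributes, unknown names, and values of the wrong arity. Only a subset of the OtherAttributes table is transcribed. The top-level parameter names and the `AttributeValue` forms (`S`, `SS`, `N`, `BOOL`) follow the API reference; the reading of the access-type column (Creatable settable on create and update, Mutable only on an existing object) is an assumption of this example, and the directory ID and user values are constructed.

```python
# Top-level request parameters from the first table, keyed case-insensitively.
# Parameter spelling follows the API reference (note SAMAccountName).
REQUEST_PARAMS = {
    "emailaddress": "EmailAddress",
    "givenname": "GivenName",
    "samaccountname": "SAMAccountName",
    "surname": "Surname",
}
# Request attributes the first table marks ReadOnly: never accepted in a write.
READ_ONLY_PARAMS = {"distinguishedname", "sid", "userprincipalname"}

# Subset of the OtherAttributes table: LDAP display name -> (access type, multi-valued?).
OTHER_ATTRIBUTES = {
    "cn": ("ReadOnly", False),
    "department": ("Creatable", False),
    "description": ("Creatable", False),
    "l": ("Creatable", False),
    "manager": ("Mutable", False),
    "objectGUID": ("ReadOnly", False),
    "proxyAddresses": ("ReadOnly", True),
    "servicePrincipalName": ("Mutable", True),
    "title": ("Mutable", False),
    "wWWHomePage": ("Mutable", False),
}
_OTHER_BY_LOWER = {name.lower(): name for name in OTHER_ATTRIBUTES}

# Assumed reading of the access-type column: Creatable attributes may be set on
# create and update, Mutable ones only on an existing object, ReadOnly never.
ALLOWED_ACCESS = {"create": {"Creatable"}, "update": {"Creatable", "Mutable"}}


def typed_value(value, multi_valued):
    """Wrap a Python value in the AttributeValue form (S, SS, N or BOOL) and check arity."""
    if isinstance(value, (list, tuple, set)):
        if not multi_valued:
            raise ValueError("single-valued attribute given a list")
        if not all(isinstance(item, str) for item in value):
            raise ValueError("multi-valued attributes must be string sets")
        return {"SS": list(value)}
    if multi_valued:
        raise ValueError("multi-valued attribute needs a list of strings")
    if isinstance(value, bool):
        return {"BOOL": value}
    if isinstance(value, int):
        return {"N": value}
    if isinstance(value, str):
        return {"S": value}
    raise ValueError("unsupported value type %s" % type(value).__name__)


def build_user_request(operation, directory_id, attributes):
    """Return the request body, raising ValueError for anything the tables disallow."""
    if operation not in ALLOWED_ACCESS:
        raise ValueError("operation must be 'create' or 'update'")
    request, other = {"DirectoryId": directory_id}, {}
    for name, value in attributes.items():
        key = name.lower()
        if key in READ_ONLY_PARAMS:
            raise ValueError("%s is ReadOnly" % name)
        if key in REQUEST_PARAMS:
            request[REQUEST_PARAMS[key]] = value
            continue
        canonical = _OTHER_BY_LOWER.get(key)
        if canonical is None:
            raise ValueError("unknown attribute %r" % name)
        access, multi_valued = OTHER_ATTRIBUTES[canonical]
        if access not in ALLOWED_ACCESS[operation]:
            raise ValueError("%s is %s; not settable on %s" % (canonical, access, operation))
        other[canonical] = typed_value(value, multi_valued)
    if "SAMAccountName" not in request:
        raise ValueError("SAMAccountName identifies the user and is required")
    if other:
        request["OtherAttributes"] = other
    return request


def rejection_reason(operation, attributes):
    """Why a request would be refused locally, or None if it builds cleanly."""
    try:
        build_user_request(operation, "d-EXAMPLE", attributes)   # placeholder directory ID
    except ValueError as exc:
        return str(exc)
    return None


def demo():
    """Constructed CreateUser body; attribute names are deliberately mixed-case."""
    return build_user_request("create", "d-EXAMPLE", {
        "SamAccountName": "jdoe",
        "GivenName": "Jane",
        "Surname": "Doe",
        "EmailAddress": "jdoe@example.com",
        "DEPARTMENT": "Security",
        "l": "Seattle",
    })
```

Rejecting ReadOnly and unknown attributes locally is cheap and keeps a misconfigured provisioning job from burning its write TPS on requests the service will refuse anyway; the canonical LDAP display name is emitted regardless of the input casing, matching the note above.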

# Group type and group scope


Groups in AWS Managed Microsoft AD have both a group type and a group scope. See the following sections for more information on each.

**Topics**
+ [Group type](#ad_group_type)
+ [Group scope](#ad_group_scope)

## Group type


Group type determines which shared resources within the Active Directory the group members can access. There are two group types:
+ **Security** - You can assign permissions to these groups so that group members can access shared Active Directory resources.
+ **Distribution** - You can use this type to create email distribution lists. These group members cannot access Active Directory shared resources.

There are no limitations when changing between group types.

For more information about group types, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#how-active-directory-security-groups-work).

## Group scope


Group scope determines how group members are defined within the domain tree or forest. There are three group scopes:
+ **Domain local** - Assigns permissions to group members located in the same domain.
+ **Universal** - Assigns permissions to group members located within any domain.
+ **Global** - Assigns permissions to group members located within any domain or forest.

There are limitations when changing a group scope. The following list and diagram outline these limitations.
+ Changing group scope from **Domain Local** to **Universal** - Yes 
  + Unless the domain local group is a parent of another domain local group.
+ Changing group scope from **Universal** to **Domain Local** - Yes
  + Unless the universal group is a child group of another universal group.
+ Changing group scope from **Universal** to **Global** - Yes
  + Unless the universal group is a parent of another universal group.
+ Changing group scope from **Global** to **Universal** - Yes
  + Unless the global group is a child of another global group.

For more information about group scopes, see [Microsoft documentation](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#group-scope).
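The four rules above can be checked mechanically before a scope change is attempted. The following added example (not AWS code) models each rule as the nesting relation to inspect and the scope that blocks the change; it raises for transitions the list does not cover rather than guessing at them, and it carries no rule for group type, which the page says can change freely. The group names and their nesting are constructed.

```python
from dataclasses import dataclass, field

DOMAIN_LOCAL, UNIVERSAL, GLOBAL = "DomainLocal", "Universal", "Global"

# (current scope, new scope) -> (relation to inspect, scope that blocks the change)
SCOPE_CHANGE_RULES = {
    (DOMAIN_LOCAL, UNIVERSAL): ("members", DOMAIN_LOCAL),   # blocked if parent of a domain local
    (UNIVERSAL, DOMAIN_LOCAL): ("member_of", UNIVERSAL),    # blocked if child of a universal
    (UNIVERSAL, GLOBAL): ("members", UNIVERSAL),            # blocked if parent of a universal
    (GLOBAL, UNIVERSAL): ("member_of", GLOBAL),             # blocked if child of a global
}


@dataclass
class Group:
    name: str
    scope: str
    members: set = field(default_factory=set)     # names of groups nested in this group
    member_of: set = field(default_factory=set)   # names of groups this group is nested in


def nest(directory, parent, child):
    """Record `child` as a member of `parent`, keeping both sides of the relation in sync."""
    directory[parent].members.add(child)
    directory[child].member_of.add(parent)


def scope_change_blocker(directory, name, new_scope):
    """Return None if the change is allowed, else the name of the group that blocks it.
    Transitions the list does not cover (Domain local <-> Global) raise ValueError."""
    group = directory[name]
    rule = SCOPE_CHANGE_RULES.get((group.scope, new_scope))
    if rule is None:
        raise ValueError("%s -> %s is not a listed transition" % (group.scope, new_scope))
    relation, blocking_scope = rule
    for other_name in sorted(getattr(group, relation)):
        if directory[other_name].scope == blocking_scope:
            return other_name
    return None


def change_scope(directory, name, new_scope):
    """Apply the change, or raise ValueError naming the blocking group."""
    blocker = scope_change_blocker(directory, name, new_scope)
    if blocker is not None:
        raise ValueError("cannot change %s to %s: nested with %s" % (name, new_scope, blocker))
    directory[name].scope = new_scope
    return directory[name]


def build_demo_directory():
    """Constructed nesting that exercises each rule once."""
    directory = {g.name: g for g in [
        Group("DL-Finance", DOMAIN_LOCAL), Group("DL-Payroll", DOMAIN_LOCAL),
        Group("U-Corp", UNIVERSAL), Group("U-All", UNIVERSAL),
        Group("G-Staff", GLOBAL), Group("G-Eng", GLOBAL),
    ]}
    nest(directory, "DL-Finance", "DL-Payroll")   # domain local inside domain local
    nest(directory, "U-Corp", "U-All")            # universal inside universal
    nest(directory, "U-All", "G-Eng")             # global inside universal
    nest(directory, "G-Staff", "G-Eng")           # global inside global
    return directory
```

In the constructed directory, `DL-Finance` cannot become universal while `DL-Payroll` is nested inside it, but `DL-Payroll` itself can; once `G-Staff` has been converted to universal, `G-Eng` is no longer a child of any global group and its own conversion is unblocked, which is the order an administrator would have to follow.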

![Diagram showing three different group scopes (domain local, universal, and global) and how group scope impacts group membership.](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/group_scope_membership.png)
