UCS@school group shares

What are UCS@school shares?

Shares are automatically created UCS@school objects, which simplify file sharing within a specific group.
Each school class and work group has its own share (see this article for more information on work groups and school classes). Furthermore, a so-called “Marktplatz” (English: marketplace) exists, which serves as a school-wide share for all users of the group Domain Users $OU.

Whether a work group share is created can be controlled with the “create share” checkbox in the UMC (uncheck it to skip the share).
The automatic creation of a Marktplatz for each OU can also be prevented by setting the UCRV ucsschool/import/generate/marktplatz=no.

Because shares are always bound to a specific group, they should never exist without it in the LDAP tree.

When creating or modifying a class share or a work group share via UDM command, one can easily miss one of the essential features described below, which might lead to errors. As with all UCS@school objects, shares should only be modified using the UCS@school UMC modules to prevent inconsistencies.

Example:

$ udm shares/share list --filter cn=DEMOSCHOOL-Democlass

DN: cn=DEMOSCHOOL-Democlass,cn=klassen,cn=shares,ou=DEMOSCHOOL,dc=example,dc=com
  host: DEMOSCHOOL.example.com
  name: DEMOSCHOOL-Democlass
  path: /home/DEMOSCHOOL/groups/klassen/DEMOSCHOOL-Democlass
  ucsschoolRole: school_class_share:school:DEMOSCHOOL
  ...
$ udm shares/share list --filter cn=DEMOSCHOOL-Demoworkgroup

DN: cn=DEMOSCHOOL-Demoworkgroup,cn=shares,ou=DEMOSCHOOL,dc=example,dc=com
  host: DEMOSCHOOL.example.com
  name: DEMOSCHOOL-Demoworkgroup
  path: /home/DEMOSCHOOL/groups/DEMOSCHOOL-Demoworkgroup
  ucsschoolRole: workgroup_share:school:DEMOSCHOOL
  ...
$ udm shares/share list --filter cn=Marktplatz

DN: cn=Marktplatz,cn=shares,ou=DEMOSCHOOL,dc=example,dc=com
  host: DEMOSCHOOL.example.com
  name: Marktplatz
  path: /home/DEMOSCHOOL/groups/Marktplatz 
  ucsschoolRole: marketplace_share:school:DEMOSCHOOL
  ...

Note: As of UCS@school 4.4 v8, work group shares are validated before usage when they are loaded from LDAP, and errors are logged to the regular log files (see manual).
Note: UCS@school 4.4 v9 introduces the diagnostic module UCS@school Consistency Check. It checks, among other things, whether existing school group shares are consistent. If this diagnostic module displays errors, this does not necessarily mean that the UCS@school system is not working. Rather, it warns of objects that do not look the way UCS@school expects and that could cause future problems when using them.

School name prefix

When creating a class share or a work group share, the school name will be prefixed to the group name in order to ensure that the group’s name is unique across the whole domain. For a valid school class or work group share name, a school name prefix is required.

Example: school name GS1 and work group name Robotics result in a work group share name GS1-Robotics.

Position in LDAP Tree

Share containers must be placed below the OU of the school, under cn=shares,ou=$SCHOOL,$ldap_base.

Examples:

  • school class share: cn=GS1-2b,cn=klassen,cn=shares,ou=GS1,$ldap_base
  • work group share: cn=GS1-Robotics,cn=shares,ou=GS1,$ldap_base
  • Marktplatz share: cn=Marktplatz,cn=shares,ou=GS1,$ldap_base

Share Path

A share is located on its corresponding school server, or on the primary node in a single-server environment.
Its path should be placed below its school directory /home/$SCHOOL/groups/.

Examples:

  • school class share: /home/GS1/groups/klassen/2b
  • work group share: /home/GS1/groups/Robotics
  • Marktplatz share: /home/GS1/groups/Marktplatz

The path can be edited in the UMC under Domain/Shares.

Role attribute

Like all UCS@school objects, shares have an attribute ucsschoolRole, which is managed internally.
It must be set as follows:

  • school class share: school_class_share:school:$SCHOOL
  • work group share: workgroup_share:school:$SCHOOL
  • Marktplatz share: marketplace_share:school:$SCHOOL
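The naming, LDAP position, path and role rules above can be checked against the output of udm shares/share list. The following is an added example, not part of UCS@school or its Consistency Check module; the function names are hypothetical, the sample input is constructed, and it assumes one ucsschoolRole value per share and case-sensitive school names:

```python
import posixpath
import re

ROLES = {"school_class_share", "workgroup_share", "marketplace_share"}
DN_RE = re.compile(r"cn=([^,]+),(cn=klassen,)?cn=shares,ou=([^,]+),")

# Constructed sample: one consistent class share, one deliberately broken share.
SAMPLE = """\
DN: cn=DEMOSCHOOL-Democlass,cn=klassen,cn=shares,ou=DEMOSCHOOL,dc=example,dc=com
  name: DEMOSCHOOL-Democlass
  path: /home/DEMOSCHOOL/groups/klassen/DEMOSCHOOL-Democlass
  ucsschoolRole: school_class_share:school:DEMOSCHOOL

DN: cn=Robotics,cn=shares,ou=DEMOSCHOOL,dc=example,dc=com
  name: Robotics
  path: /home/DEMOSCHOOL/groups/../../OTHER/Robotics
  ucsschoolRole: workgroup_share:school:DEMOSCHOOL
"""

def parse_udm(text):
    """Split `udm shares/share list` output into one dict per object."""
    objs = []
    for line in text.splitlines():
        if line.startswith("DN: "):
            objs.append({"DN": line[4:].strip()})
        elif objs and ": " in line:
            key, val = line.strip().split(": ", 1)
            objs[-1][key] = val.strip()
    return objs

def check_share(obj):
    """Return the rule violations for one share (empty list = consistent)."""
    m = DN_RE.match(obj["DN"])
    if not m:
        return ["DN is not below cn=shares,ou=$SCHOOL,$ldap_base"]
    cn, in_klassen, school = m.group(1), bool(m.group(2)), m.group(3)
    kind, _, scope = obj.get("ucsschoolRole", "").partition(":")
    errs = []
    if kind not in ROLES or scope != "school:" + school:
        errs.append("ucsschoolRole does not match <type>:school:" + school)
    if in_klassen != (kind == "school_class_share"):
        errs.append("only school class shares belong below cn=klassen")
    if kind != "marketplace_share" and not cn.startswith(school + "-"):
        errs.append("name lacks the school prefix " + school + "-")
    # Normalise first so "../" segments cannot fake the expected prefix.
    path = posixpath.normpath(obj.get("path", ""))
    if not path.startswith("/home/%s/groups/" % school):
        errs.append("path is not below /home/%s/groups/" % school)
    return errs

if __name__ == "__main__":
    for share in parse_udm(SAMPLE):
        print(share["DN"], check_share(share) or "OK")
```

The check is read-only: it only reports deviations, and any correction should still go through the UCS@school UMC modules.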

Permission Configuration

Information on permissions for files and folders in a share on a UCS system can be found in this article.
However, in a UCS@school environment, there are some important things to note:

By default, when a share is created in UCS@school, some Windows NT ACLs are set automatically, which primarily restrict students' permissions within the share.
For class and work group shares, those are:

  • deny students the right to change permissions and take ownership
  • allow the corresponding group members to read, write and modify
  • allow OU-admins full control

Marktplatz shares are created with the following ACL:

  • deny students the right to change permissions and take ownership
  • allow all domain users to read, write and modify
  • allow OU-admins full control

Warning: Changing those permissions via CLI can easily lead to errors and is not officially supported.
