AppStream 2.0 Active Directory Administration
Setting up and using Active Directory with AppStream 2.0 involves the following administrative tasks.
Tasks
- Granting Permissions to Create and Manage Active Directory Computer Objects
- Finding the Organizational Unit Distinguished Name
- Granting Local Administrator Rights on Image Builders
- Updating the Service Account Used for Joining the Domain
- Locking the Streaming Session When the User is Idle
- Editing the Directory Configuration
- Deleting a Directory Configuration
- Configuring AppStream 2.0 to Use Domain Trusts
- Managing AppStream 2.0 Computer Objects in Active Directory
Granting Permissions to Create and Manage Active Directory Computer Objects
To allow AppStream 2.0 to perform Active Directory computer object operations, you need an account with sufficient permissions. As a best practice, use an account that has only the minimum privileges necessary. The minimum Active Directory organizational unit (OU) permissions are as follows:
- Create Computer Object
- Change Password
- Reset Password
- Write Description
Before setting up permissions, you'll need to do the following first:
- Obtain access to a computer or an EC2 instance that is joined to your domain.
- Install the Active Directory Users and Computers MMC snap-in. For more information, see Installing or Removing Remote Server Administration Tools for Windows 7 in the Microsoft documentation.
- Log in as a domain user with appropriate permissions to modify the OU security settings.
- Create or identify the user, service account, or group for which to delegate permissions.
To set up minimum permissions
1. Open Active Directory Users and Computers in your domain or on your domain controller.
2. In the left navigation pane, select the first OU on which to provide domain join privileges, open the context (right-click) menu, and then choose Delegate Control.
3. On the Delegation of Control Wizard page, choose Next, Add.
4. For Select Users, Computers, or Groups, select the pre-created user, service account, or group, and then choose OK.
5. On the Tasks to Delegate page, choose Create a custom task to delegate, and then choose Next.
6. Choose Only the following objects in the folder, Computer objects.
7. Choose Create selected objects in this folder, Next.
8. For Permissions, choose Read, Write, Change Password, Reset Password, Next.
9. On the Completing the Delegation of Control Wizard page, verify the information and choose Finish.
10. Repeat steps 2-9 for any additional OUs that require these permissions.
If you delegated permissions to a group, create a user or service account with a strong password and add that account to the group. This account will then have sufficient privileges to connect your streaming instances to the directory. Use this account when creating your AppStream 2.0 directory configuration.
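Delegation wizards are easy to over-grant with, so after completing the steps above it is worth reading the OU's ACL back and comparing what the delegated identity actually holds against the minimum set listed earlier. The following PowerShell is an added example and not part of the AppStream 2.0 documentation; it assumes the ActiveDirectory RSAT module (which provides the AD: drive in Windows PowerShell), and $OU and $Identity are placeholder values for your OU distinguished name and delegated group.

```powershell
# Added example (not from the AppStream 2.0 documentation): audit the Allow ACEs that a
# delegated identity holds on the OU that will hold AppStream 2.0 computer objects and
# flag rights beyond the documented minimum (create computer objects, change/reset
# password, write description). $OU and $Identity are hypothetical placeholder values.
Import-Module ActiveDirectory

$OU       = 'OU=ExampleOU,DC=EXAMPLECO,DC=COM'   # OU distinguished name (see the page's example)
$Identity = 'EXAMPLECO\AppStream-DomainJoin'     # hypothetical delegated group

# Well-known Active Directory schema / extended-right GUIDs, used to make ACE types readable.
$ComputerClass   = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$DescriptionAttr = [guid]'bf967950-0de6-11d0-a285-00aa003049e2'
$KnownGuids = @{
    '00000000-0000-0000-0000-000000000000' = 'all object types / all properties'
    "$ComputerClass"                       = 'Computer object class'
    "$DescriptionAttr"                     = 'description attribute'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password (extended right)'
}
# Rights a domain-join account never needs on the OU; any ACE granting them is excess.
$ExcessRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'DeleteTree', 'DeleteChild'

function Resolve-Guid([guid]$g) {
    if ($KnownGuids.ContainsKey("$g")) { $KnownGuids["$g"] } else { "$g" }
}

$aces = (Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Identity }
if (-not $aces) { Write-Warning "No Allow ACEs for $Identity on $OU"; return }

$report = foreach ($ace in $aces) {
    $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
    $excess = @($rights | Where-Object { $ExcessRights -contains $_ })
    # A write-type right that is neither inherited only by computer objects nor limited
    # to the description attribute applies to every object type under the OU.
    $unscopedWrite = ($rights -contains 'GenericWrite' -or $rights -contains 'WriteProperty') -and
                     $ace.InheritedObjectType -ne $ComputerClass -and
                     $ace.ObjectType -ne $DescriptionAttr
    if ($excess)             { $finding = "excess: $($excess -join ', ')" }
    elseif ($unscopedWrite)  { $finding = 'write right not limited to computer objects' }
    else                     { $finding = 'ok' }
    [pscustomobject]@{
        Rights     = $ace.ActiveDirectoryRights
        ObjectType = Resolve-Guid $ace.ObjectType
        AppliesTo  = Resolve-Guid $ace.InheritedObjectType
        Finding    = $finding
    }
}
$report | Format-Table -AutoSize
```

Any row whose Finding is not "ok" should be reviewed and, if it is not needed for domain join, removed from the OU's ACL.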
Finding the Organizational Unit Distinguished Name
When you register your Active Directory domain with AppStream 2.0, you must provide an organizational unit (OU) distinguished name. Create an OU for this purpose. The default Computers container is not an OU and cannot be used by AppStream 2.0. The following procedure shows how to obtain this name.
Note
The distinguished name must start with OU= or it cannot be used for computer objects.
Before you complete this procedure, you'll need to do the following first:
- Obtain access to a computer or an EC2 instance that is joined to your domain.
- Install the Active Directory Users and Computers MMC snap-in. For more information, see Installing or Removing Remote Server Administration Tools for Windows 7 in the Microsoft documentation.
- Log in as a domain user with appropriate permissions to read the OU security properties.
To find the distinguished name of an OU
1. Open Active Directory Users and Computers in your domain or on your domain controller.
2. Under View, ensure that Advanced Features is enabled.
3. In the left navigation pane, select the first OU to use for AppStream 2.0 streaming instance computer objects, open the context (right-click) menu, and then choose Properties.
4. Choose Attribute Editor.
5. Under Attributes, for distinguishedName, choose View.
6. For Value, select the distinguished name, open the context menu, and then choose Copy.
Granting Local Administrator Rights on Image Builders
By default, Active Directory domain users do not have local administrator rights on image builder instances. You can grant these rights by using Group Policy preferences in your directory, or manually, by using the local administrator account on an image builder. Granting local administrator rights to a domain user allows that user to install applications on and create images in an AppStream 2.0 image builder.
Using Group Policy preferences
You can use Group Policy preferences to grant local administrator rights to Active Directory users or groups and to all computer objects in the specified OU. The Active Directory users or groups to which you want to grant local administrator permissions must already exist. To use Group Policy preferences, you'll need to do the following first:
- Obtain access to a computer or an EC2 instance that is joined to your domain.
- Install the Group Policy Management Console (GPMC) MMC snap-in. For more information, see Installing or Removing Remote Server Administration Tools for Windows 7 in the Microsoft documentation.
- Log in as a domain user with permissions to create Group Policy objects (GPOs) and to link GPOs to the appropriate OUs.
To use Group Policy preferences to grant local administrator permissions
1. In your directory or on a domain controller, open the command prompt as an administrator, type gpmc.msc, and then press ENTER.
2. In the left console tree, select the OU where you will create a new GPO or use an existing GPO, and then do either of the following:
   - Create a new GPO by opening the context (right-click) menu and choosing Create a GPO in this domain, Link it here. For Name, provide a descriptive name for this GPO.
   - Select an existing GPO.
3. Open the context menu for the GPO, and choose Edit.
4. In the console tree, choose Computer Configuration, Preferences, Windows Settings, Control Panel Settings, and Local Users and Groups.
5. Select Local Users and Groups, open the context menu, and choose New, Local Group.
6. For Action, choose Update.
7. For Group name, choose Administrators (built-in).
8. Under Members, choose Add… and specify the Active Directory users or groups to which to assign local administrator rights on the streaming instance. For Action, choose Add to this group, and choose OK.
9. To apply this GPO to other OUs, select the additional OU, open the context menu, and choose Link an Existing GPO.
10. Using the new or existing GPO name that you specified in step 2, scroll to find the GPO, and then choose OK.
11. Repeat steps 9 and 10 for additional OUs that should have this preference.
12. Choose OK to close the New Local Group Properties dialog box. Choose OK again to close the GPMC.
To apply the new preference to the GPO, you must stop and restart any running image builders or fleets. The Active Directory users and groups that you specified in step 8 are automatically granted local administrator rights on the image builders and fleets in the OU to which the GPO is linked.
Using the local Administrators group on the image builder
To grant Active Directory users or groups local administrator rights on your image builder, you can manually add these users or groups to the local Administrators group on the image builder. Image builders that are created from images with these rights maintain the same rights.
The Active Directory users or groups to which to grant local administrator rights must already exist.
To add Active Directory users or groups to the local Administrators group on the image builder
1. Open the AppStream 2.0 console at https://console.aws.amazon.com/appstream2.
2. Connect to the image builder in Administrator mode. The image builder must be running and domain-joined. For more information, see Tutorial: Setting Up Active Directory.
3. Choose Start, Administrative Tools, and then double-click Computer Management.
4. In the left navigation pane, choose Local Users and Groups and open the Groups folder.
5. Open the Administrators group and choose Add….
6. Select all Active Directory users or groups to which to assign local administrator rights and choose OK. Choose OK again to close the Administrators Properties dialog box.
7. Close Computer Management.
8. To log in as an Active Directory user and test whether that user has local administrator rights on the image builder, choose Admin Commands, Switch user, and then enter the credentials of the relevant user.
Updating the Service Account Used for Joining the Domain
To update the service account that AppStream 2.0 uses for joining the domain, we recommend using two separate service accounts for joining image builders and fleets to your Active Directory domain. Using two separate service accounts ensures that there is no disruption in service when a service account needs to be updated (for example, when a password expires).
To update a service account
1. Create an Active Directory group and delegate the correct permissions to the group.
2. Add your service accounts to the new Active Directory group.
3. When needed, edit your AppStream 2.0 Directory Config object by entering the sign-in credentials for the new service account.
After you've set up the Active Directory group with the new service account, any new streaming instance operations use the new service account, while in-process streaming instance operations continue to use the old account without interruption.
The overlap period during which in-process streaming instance operations complete is short, no more than a day. During this overlap period, don't delete the old service account or change its password, or those existing operations can fail.
Locking the Streaming Session When the User is Idle
AppStream 2.0 relies on a setting that you configure in the GPMC to lock the streaming session after your user is idle for a specified amount of time. To use the GPMC, you'll need to do the following first:
- Obtain access to a computer or an EC2 instance that is joined to your domain.
- Install the GPMC. For more information, see Installing or Removing Remote Server Administration Tools for Windows 7 in the Microsoft documentation.
- Log in as a domain user with permissions to create GPOs and to link GPOs to the appropriate OUs.
To automatically lock the streaming instance when your user is idle
1. In your directory or on a domain controller, open the command prompt as an administrator, type gpmc.msc, and then press ENTER.
2. In the left console tree, select the OU where you will create a new GPO or use an existing GPO, and then do either of the following:
   - Create a new GPO by opening the context (right-click) menu and choosing Create a GPO in this domain, Link it here. For Name, provide a descriptive name for this GPO.
   - Select an existing GPO.
3. Open the context menu for the GPO, and choose Edit.
4. Under User Configuration, expand Policies, Administrative Templates, Control Panel, and then choose Personalization.
5. Double-click Enable screen saver.
6. In the Enable screen saver policy setting, choose Enabled. Choose Apply, and then choose OK.
7. Double-click Force specific screen saver.
8. In the Force specific screen saver policy setting, choose Enabled. Under Screen saver executable name, enter scrnsave.scr. When this setting is enabled, the system displays a black screen saver on the user's desktop. Choose Apply, and then choose OK.
9. Double-click Password protect the screen saver.
10. In the Password protect the screen saver policy setting, choose Enabled. Choose Apply, and then choose OK.
11. Double-click Screen saver timeout.
12. In the Screen saver timeout policy setting, choose Enabled. For Seconds, specify the length of time that users must be idle before the screen saver is applied. To set the idle time to 10 minutes, specify 600 seconds. Choose Apply, and then choose OK.
13. In the console tree, under User Configuration, expand Policies, Administrative Templates, System, and then choose Ctrl+Alt+Del Options.
14. Double-click Remove Lock Computer.
15. In the Remove Lock Computer policy setting, choose Disabled. Choose Apply, and then choose OK.
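The five Administrative Template settings in this procedure are registry-backed, so the same GPO can be populated and verified with the GroupPolicy module instead of clicking through the editor. This PowerShell is an added example, not part of the AppStream 2.0 documentation; it assumes the GroupPolicy RSAT module and a GPO that already exists under the hypothetical name in $GpoName.

```powershell
# Added example (not from the AppStream 2.0 documentation): write the idle-lock policy
# settings into an existing GPO and read them back. $GpoName is a hypothetical GPO name.
Import-Module GroupPolicy

$GpoName        = 'AppStream-IdleLock'   # hypothetical; the GPO must already exist and be linked
$TimeoutSeconds = 600                    # 10 minutes, as in the procedure

# Registry keys behind User Configuration > Policies > Administrative Templates
$desktop = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'          # Control Panel > Personalization
$system  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'          # System > Ctrl+Alt+Del Options

$settings = @(
    @{ Key = $desktop; Name = 'ScreenSaveActive';        Type = 'String'; Value = '1' }               # Enable screen saver
    @{ Key = $desktop; Name = 'SCRNSAVE.EXE';            Type = 'String'; Value = 'scrnsave.scr' }    # Force specific screen saver
    @{ Key = $desktop; Name = 'ScreenSaverIsSecure';     Type = 'String'; Value = '1' }               # Password protect the screen saver
    @{ Key = $desktop; Name = 'ScreenSaveTimeOut';       Type = 'String'; Value = "$TimeoutSeconds" } # Screen saver timeout
    @{ Key = $system;  Name = 'DisableLockWorkstation';  Type = 'DWord';  Value = 0 }                 # Remove Lock Computer = Disabled
)

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type $s.Type -Value $s.Value | Out-Null
}

# Read back and verify. A screen saver that is enabled but not password protected, or a
# GPO that removes the Lock option, would blank the session without actually locking it.
$mismatches = foreach ($s in $settings) {
    $actual = (Get-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name).Value
    if ("$actual" -ne "$($s.Value)") { "$($s.Name): expected '$($s.Value)', found '$actual'" }
}
if ($mismatches) { throw "GPO $GpoName does not match the intended idle-lock settings:`n$($mismatches -join "`n")" }
"GPO $GpoName verified: screen saver locks after $TimeoutSeconds seconds of inactivity"
```

As with the console procedure, running image builders and fleets pick up the GPO only after a stop and restart.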
Editing the Directory Configuration
After an AppStream 2.0 directory configuration has been created, you can edit it to add, remove, or modify organizational units, update the service account username, or update the service account password.
To update a directory configuration
1. Open the AppStream 2.0 console at https://console.aws.amazon.com/appstream2.
2. In the left navigation pane, choose Directory Configs and select the directory configuration to edit.
3. Choose Actions, Edit.
4. Update the fields to be changed. To add additional OUs, select the plus sign (+) next to the topmost OU field. To remove an OU field, select the x next to the field.
   Note
   At least one OU is required. OUs that are currently in use cannot be removed.
5. To save changes, choose Update Directory Config.
6. The information in the Details tab should now update to reflect the changes.
Changes to the service account sign-in credentials do not impact in-process streaming instance operations. New streaming instance operations use the updated credentials. For more information, see Updating the Service Account Used for Joining the Domain.
Deleting a Directory Configuration
You can delete an AppStream 2.0 directory configuration that is no longer needed. Directory configurations that are associated with any image builders or fleets cannot be deleted.
To delete a directory configuration
1. Open the AppStream 2.0 console at https://console.aws.amazon.com/appstream2.
2. In the left navigation pane, choose Directory Configs and select the directory configuration to delete.
3. Choose Actions, Delete.
4. Verify the name in the pop-up message, and choose Delete.
5. Choose Update Directory Config.
Configuring AppStream 2.0 to Use Domain Trusts
AppStream 2.0 supports Active Directory domain environments where network resources such as file servers, applications, and computer objects reside in one domain, and the user objects reside in another. The domain service account used for computer object operations does not need to be in the same domain as the AppStream 2.0 computer objects.
When creating the directory configuration, specify a service account that has the appropriate permissions to manage computer objects in the Active Directory domain where the file servers, applications, computer objects and other network resources reside.
Your end user Active Directory accounts must have the "Allowed to Authenticate" permission for the following:
- AppStream 2.0 computer objects
- Domain controllers for the domain
For more information, see Granting Permissions to Create and Manage Active Directory Computer Objects.
Managing AppStream 2.0 Computer Objects in Active Directory
AppStream 2.0 does not delete computer objects from Active Directory. These computer objects can be easily identified in your directory. Each computer object in the directory is created with the Description attribute, which specifies a fleet or an image builder instance and the name.

Computer Object Description Examples

Type | Name | Description Attribute
---|---|---
Fleet | ExampleFleet |
Image builder | ExampleImageBuilder |

You can identify and delete inactive computer objects created by AppStream 2.0 by using the following dsquery computer and dsrm commands. For more information, see Dsquery computer.

The dsquery command identifies computer objects that have been inactive for a certain period of time and uses the following format. Run the dsquery command with the parameter -desc "AppStream 2.0*" so that only AppStream 2.0 objects are displayed.

dsquery computer "OU-distinguished-name" -desc "AppStream 2.0*" -inactive number-of-weeks-since-last-login

- OU-distinguished-name is the distinguished name of the organizational unit. For more information, see Finding the Organizational Unit Distinguished Name. If you don't provide the OU-distinguished-name parameter, the command searches the entire directory.
- number-of-weeks-since-last-login is the desired value based on how you want to define inactivity.

For example, the following command displays all computer objects in the OU=ExampleOU,DC=EXAMPLECO,DC=COM organizational unit that have not been logged into within the past two weeks.

dsquery computer OU=ExampleOU,DC=EXAMPLECO,DC=COM -desc "AppStream 2.0*" -inactive 2

If any matches are found, the result is one or more object names. The dsrm command deletes the specified object and uses the following format:

dsrm objectname

Where objectname is the full object name from the output of the dsquery command. For example, if the dsquery command above results in a computer object named "ExampleComputer", the dsrm command to delete it would be as follows:

dsrm "CN=ExampleComputer,OU=ExampleOU,DC=EXAMPLECO,DC=COM"

You can chain these commands together by using the pipe (|) operator. For example, to delete all AppStream 2.0 computer objects returned by the query, prompting for confirmation for each, use the following format. Add the -noprompt parameter to dsrm to disable confirmation.

dsquery computer OU-distinguished-name -desc "AppStream 2.0*" -inactive number-of-weeks-since-last-login | dsrm
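The dsquery/dsrm chain above deletes whatever the query returns, so the same cleanup is shown here with the ActiveDirectory module, where inactivity is computed from the replicated lastLogonTimestamp attribute and every candidate is listed before anything is removed. This PowerShell is an added example, not part of the AppStream 2.0 documentation; it assumes the ActiveDirectory RSAT module and uses the OU and two-week period from the page's example as defaults.

```powershell
# Added example (not from the AppStream 2.0 documentation): report, and optionally remove,
# AppStream 2.0 computer objects under an OU that have not logged on for N weeks.
param(
    [string]$SearchBase    = 'OU=ExampleOU,DC=EXAMPLECO,DC=COM',  # OU from the page's example
    [int]   $WeeksInactive = 2,
    [switch]$Remove                                             # without -Remove, report only
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-7 * $WeeksInactive)

# Same selection as dsquery -desc "AppStream 2.0*": only objects whose Description
# attribute was set by AppStream 2.0. lastLogonTimestamp is replicated to every domain
# controller (with up to about 14 days of lag), which is adequate for a weeks-scale check;
# an object that never logged on has no timestamp, so fall back to its creation time.
$candidates = Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree `
        -Filter 'Description -like "AppStream 2.0*"' `
        -Properties Description, lastLogonTimestamp, whenCreated |
    Select-Object Name, Description, DistinguishedName,
        @{ n = 'LastSeen'; e = {
            if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) }
            else { $_.whenCreated } } }

$stale = @($candidates | Where-Object { $_.LastSeen -lt $cutoff })

if ($stale.Count -eq 0) {
    "No AppStream 2.0 computer objects inactive for $WeeksInactive weeks under $SearchBase"
    return
}

"$($stale.Count) AppStream 2.0 computer object(s) inactive since before $cutoff"
$stale | Format-Table Name, Description, LastSeen, DistinguishedName -AutoSize

if ($Remove) {
    # Remove-ADComputer prompts per object by default, like dsrm without -noprompt;
    # pass -Confirm:$false to the script's caller only after reviewing the report above.
    $stale | ForEach-Object { Remove-ADComputer -Identity $_.DistinguishedName }
}
```

Run the script without -Remove first and keep the report; the DistinguishedName column is exactly the object name that dsrm expects.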